
Windows Analysis Report winhost.exe

Overview

General Information

Sample Name: winhost.exe
Analysis ID: 459164
MD5: fcf0f4b709606c50ce6157c044d10b9d
SHA1: bb101a1b8357d52f8f7970d3f5f43bc25392bfeb
SHA256: 6169c9d6694e0263c7bc80e1409fea8e46188f08914095d91f3ad03a2d29fd08

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality for read data from the clipboard
Contains functionality to communicate with device drivers
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to simulate mouse events
Detected potential crypto function
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • winhost.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\winhost.exe' MD5: FCF0F4B709606C50CE6157C044D10B9D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: winhost.exe | Virustotal: Detection: 21%
Source: winhost.exe | ReversingLabs: Detection: 28%
Source: winhost.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: winhost.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Qt\GiveMeMoney\Release\winhost.pdb source: winhost.exe
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001E3E60 SHGetValueW,SHGetFolderPathW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetFileAttributesW,SHGetFolderPathW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,SHGetFolderPathW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetFileAttributesW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,SetCurrentDirectoryW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,PathFileExistsW, 0_2_001E3E60
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_003060B0 SHGetFolderPathW,SHGetFolderPathW,PathAppendW,PathAppendW,PathFileExistsW,PathFileExistsW,SHGetFolderPathW,PathAppendW,PathFileExistsW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,PathAppendW,PathAppendW,PathFileExistsW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,PathAppendW,FindNextFileW, 0_2_003060B0
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 47.111.207.85:443
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 47.111.207.82:443
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0032E280 InternetCrackUrlW,GetLastError,InternetOpenW,InternetConnectW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpAddRequestHeadersA,InternetQueryOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,HttpSendRequestW,GetLastError,InternetQueryOptionW,InternetSetOptionW,WaitForSingleObject,HttpQueryInfoW,InternetOpenW,InternetOpenUrlW,HttpQueryInfoW,GetDesktopWindow,InternetErrorDlg,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoW,GetLastError,InternetReadFile,SetEvent,WaitForSingleObject,InternetCloseHandle,InternetCloseHandle,HttpQueryInfoA,HttpQueryInfoA,HttpQueryInfoA,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_0032E280
Source: unknown | DNS traffic detected: queries for: static.scp.btoo3.com
Source: winhost.exe | String found in binary or memory: http://127.0.0.1/%s
Source: winhost.exe | String found in binary or memory: http://fontello.com
Source: winhost.exe | String found in binary or memory: http://profile.se.360.cn/proxyerr.php
Source: winhost.exe | String found in binary or memory: http://profile.se.360.cn/proxyerr.phpCheck
Source: winhost.exe, 00000000.00000003.669053547.00000000035F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/
Source: winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp, winhost.exe, 00000000.00000002.669792761.0000000000EC4000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/AppData
Source: winhost.exe, 00000000.00000003.658064538.0000000000ED7000.00000004.00000001.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.png
Source: winhost.exe, 00000000.00000002.669763422.0000000000E9A000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.pngK
Source: winhost.exe, 00000000.00000002.669818189.0000000000ED7000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.pngNJ
Source: winhost.exe, 00000000.00000002.669818189.0000000000ED7000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.pngZJ
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.pngm32
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.pngp.btoo3.com
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.pngq
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/pic/v3.pngx
Source: winhost.exe, 00000000.00000002.669792761.0000000000EC4000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/r
Source: winhost.exe, 00000000.00000002.669844237.0000000000EF5000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/ver
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://picssl.xunmzone.com/xunmzone.com/cal
Source: winhost.exe, 00000000.00000002.669792761.0000000000EC4000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/
Source: winhost.exe, 00000000.00000002.669844237.0000000000EF5000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/F
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/c/v3.png
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/icrosoft
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/stic.html
Source: winhost.exe, 00000000.00000003.658064538.0000000000ED7000.00000004.00000001.sdmp | String found in binary or memory: https://static.scp.btoo3.com/stic.htmlC_%
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/stic.htmlY
Source: winhost.exe, 00000000.00000002.669818189.0000000000ED7000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/stic.htmlt_
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/stic.htmlxE
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/v3/bg.png
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://static.scp.btoo3.com/x
Source: winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | String found in binary or memory: https://watson.telemete.com/
Source: winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001FD150 PathFileExistsW,OpenClipboard,EmptyClipboard,CloseClipboard,MapVirtualKeyW,MapVirtualKeyW,SendInput,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,PostMessageW,PostMessageW, 0_2_001FD150
Source: winhost.exe, 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp | Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_003271F0: CreateFileW,DeviceIoControl,FindCloseChangeNotification, 0_2_003271F0
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0030B1C0
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0032E280
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001E3E60
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0032F0D0
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00370196
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00324240
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0033D380
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00357429
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00318550
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_002BF5E0
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_003305D0
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00343620
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00338610
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00357658
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_003268A0
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00357887
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0036D9F2
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0033F9D0
Source: C:\Users\user\Desktop\winhost.exe | Code function: String function: 00330BE0 appears 32 times
Source: winhost.exe, 00000000.00000003.658137511.0000000000EF5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs winhost.exe
Source: winhost.exe, 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp | Binary or memory string: 3Check failed: data_.get(). c:\qt\givememoney\base\file_version_info_win.cc\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build\StringFileInfo\%04x%04x\%ls vs winhost.exe
Source: winhost.exe, 00000000.00000002.670383856.0000000004050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs winhost.exe
Source: winhost.exe | Binary or memory string: WCheck failed: data_.get(). c:\qt\givememoney\base\file_version_info_win.cc\VarFileInfo\TranslationCompanyNameCompanyShortNameInternalNameProductNameProductShortNameCommentsLegalCopyrightProductVersionFileDescriptionLegalTrademarksPrivateBuildFileVersionOriginalFilenameSpecialBuildLastChangeOfficial Build\StringFileInfo\%04x%04x\%ls vs winhost.exe
Source: winhost.exe | Binary or memory string: OriginalFilename vs winhost.exe
Source: winhost.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal64.spyw.evad.winEXE@1/2@2/2
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0030D9F0 CoInitialize,CoCreateInstance,GetWindowLongW,SetWindowLongW, 0_2_0030D9F0
Source: C:\Users\user\Desktop\winhost.exe | File created: C:\Users\user\Desktop\uu
Source: C:\Users\user\Desktop\winhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\B0E87BF8-A8DC-4160-B331-54EBDD0DEE93
Source: winhost.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\winhost.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\winhost.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\winhost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\winhost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: winhost.exe | Virustotal: Detection: 21%
Source: winhost.exe | ReversingLabs: Detection: 28%
Source: winhost.exe | String found in binary or memory: debug-on-start
Source: winhost.exe | String found in binary or memory: ^--debug-on-startdisable-breakpadenable-dcheckfull-memory-crash-reportnoerrdialogstest-child-processvvmodulewait-for-debuggertrace-to-consolec:\qt\givememoney\base\at_exit.cc
Source: C:\Users\user\Desktop\winhost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: winhost.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: winhost.exe | Static file information: File size 2256384 > 1048576
Source: winhost.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d2200
Source: winhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: winhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: winhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: winhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: winhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: winhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: winhost.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: winhost.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Qt\GiveMeMoney\Release\winhost.pdb source: winhost.exe
Source: winhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: winhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: winhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: winhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: winhost.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001F0400 push ecx; mov dword ptr [esp], 43160000h 0_2_001F0560
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001F0400 push ecx; mov dword ptr [esp], 43160000h 0_2_001F0648
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001F0400 push ecx; mov dword ptr [esp], 42900000h 0_2_001F06ED

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\winhost.exe | Code function: CreateFileW,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d 0_2_00327730
Source: C:\Users\user\Desktop\winhost.exe | Code function: CreateFileW,DeviceIoControl,FindCloseChangeNotification,CloseHandle, \\.\PhysicalDrive%d 0_2_00326FE0
Source: C:\Users\user\Desktop\winhost.exe | Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_003274A0

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\Desktop\winhost.exe | Code function: CreateFileW,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d 0_2_00327730
Source: C:\Users\user\Desktop\winhost.exe | Code function: CreateFileW,DeviceIoControl,FindCloseChangeNotification,CloseHandle, \\.\PhysicalDrive%d 0_2_00326FE0
Source: C:\Users\user\Desktop\winhost.exe | Code function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_003274A0
Source: C:\Users\user\Desktop\winhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\winhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\winhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0030C820 in eax, dx 0_2_0030C820
Tries to evade analysis by execution special instruction which cause usermode exception
Source: C:\Users\user\Desktop\winhost.exe | Special instruction interceptor: First address: 000000000030C7B9 instructions 0F3F070B85DB0F9445E75BEB388B45 caused by: Unknown instruction #UD exception
Source: C:\Users\user\Desktop\winhost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001E3E60 SHGetValueW,SHGetFolderPathW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetFileAttributesW,SHGetFolderPathW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,SHGetFolderPathW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetFileAttributesW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,SetCurrentDirectoryW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,PathFileExistsW, 0_2_001E3E60
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_003060B0 SHGetFolderPathW,SHGetFolderPathW,PathAppendW,PathAppendW,PathFileExistsW,PathFileExistsW,SHGetFolderPathW,PathAppendW,PathFileExistsW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,PathAppendW,PathAppendW,PathFileExistsW,lstrcpyW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,PathAppendW,FindNextFileW, 0_2_003060B0
Source: winhost.exe, 00000000.00000003.658137511.0000000000EF5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWonic
Source: winhost.exe, 00000000.00000003.658137511.0000000000EF5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0035E2B2 mov eax, dword ptr fs:[00000030h] 0_2_0035E2B2
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_001FC4C0 KillTimer,mouse_event,GetTickCount,OpenClipboard,EmptyClipboard,CloseClipboard,MapVirtualKeyW,MapVirtualKeyW,SendInput,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,MapVirtualKeyW,SendInput,PostMessageW, 0_2_001FC4C0
Source: C:\Users\user\Desktop\winhost.exe | Code function: GetLocaleInfoW, 0_2_0036C0DD
Source: C:\Users\user\Desktop\winhost.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0036C206
Source: C:\Users\user\Desktop\winhost.exe | Code function: GetLocaleInfoW, 0_2_0036C30D
Source: C:\Users\user\Desktop\winhost.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0036C3DA
Source: C:\Users\user\Desktop\winhost.exe | Code function: GetLocaleInfoW, 0_2_0036640D
Source: C:\Users\user\Desktop\winhost.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\winhost.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\winhost.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_0031B12A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0031B12A
Source: C:\Users\user\Desktop\winhost.exe | Code function: 0_2_00325460 GetCurrentProcess,GetModuleHandleW,GetProcAddress,GetVersionExW,GetNativeSystemInfo,GetModuleHandleW,GetProcAddress, 0_2_00325460

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\winhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | Bootkit 1 | Path Interception | Masquerading 1 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 11 | Input Capture 11 | Security Software Discovery 111 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 11 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Bootkit 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 133 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
winhost.exe | 22% | Virustotal |
winhost.exe | 9% | Metadefender |
winhost.exe | 29% | ReversingLabs | Win32.Trojan.FlySvr

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
picssl.xunmzone.com | 0% | Virustotal |
static.scp.btoo3.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://static.scp.btoo3.com/stic.htmlt_ | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/pic/v3.pngK | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/pic/v3.pngZJ | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/pic/v3.png | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/stic.htmlC_% | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/stic.html | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/F | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/AppData | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/pic/v3.pngx | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/xunmzone.com/cal | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/stic.htmlY | 0% | Avira URL Cloud | safe
https://watson.telemete.com/ | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/pic/v3.pngNJ | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/icrosoft | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://picssl.xunmzone.com/pic/v3.pngq | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/ | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/x | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/ | 0% | Avira URL Cloud | safe
http://127.0.0.1/%s | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/c/v3.png | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/ver | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/pic/v3.pngp.btoo3.com | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/pic/v3.pngm32 | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/v3/bg.png | 0% | Avira URL Cloud | safe
https://picssl.xunmzone.com/r | 0% | Avira URL Cloud | safe
https://static.scp.btoo3.com/stic.htmlxE | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
picssl.xunmzone.com | 47.111.207.82 | true | false | | unknown
static.scp.btoo3.com | 47.111.207.85 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://static.scp.btoo3.com/stic.htmlt_ | winhost.exe, 00000000.00000002.669818189.0000000000ED7000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/pic/v3.pngK | winhost.exe, 00000000.00000002.669763422.0000000000E9A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/pic/v3.pngZJ | winhost.exe, 00000000.00000002.669818189.0000000000ED7000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/pic/v3.png | winhost.exe, 00000000.00000003.658064538.0000000000ED7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontello.com | winhost.exe | false | | high
https://static.scp.btoo3.com/stic.htmlC_% | winhost.exe, 00000000.00000003.658064538.0000000000ED7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/stic.html | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/F | winhost.exe, 00000000.00000002.669844237.0000000000EF5000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/AppData | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/pic/v3.pngx | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/xunmzone.com/cal | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/stic.htmlY | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://profile.se.360.cn/proxyerr.php | winhost.exe | false | | high
https://docs.google.com/ | winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | false | | high
https://watson.telemete.com/ | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/pic/v3.pngNJ | winhost.exe, 00000000.00000002.669818189.0000000000ED7000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/icrosoft | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | winhost.exe, 00000000.00000003.669053547.00000000035F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://picssl.xunmzone.com/pic/v3.pngq | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/ | winhost.exe, 00000000.00000002.669792761.0000000000EC4000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/x | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/ | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp, winhost.exe, 00000000.00000002.669792761.0000000000EC4000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1/%s | winhost.exe | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/c/v3.png | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | false | | high
https://picssl.xunmzone.com/ver | winhost.exe, 00000000.00000002.669844237.0000000000EF5000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://picssl.xunmzone.com/pic/v3.pngp.btoo3.com | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://profile.se.360.cn/proxyerr.phpCheck | winhost.exe | false | | high
https://picssl.xunmzone.com/pic/v3.pngm32 | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/v3/bg.png | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/ | winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | false | | high
https://picssl.xunmzone.com/r | winhost.exe, 00000000.00000002.669792761.0000000000EC4000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://static.scp.btoo3.com/stic.htmlxE | winhost.exe, 00000000.00000002.669734114.0000000000E67000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://clients2.google.com/service/update2/crx | winhost.exe, 00000000.00000002.669554418.0000000000AEE000.00000004.00000001.sdmp | false | | high

                Contacted IPs


                Public

IP | Domain | Country | ASN | ASN Name | Malicious
47.111.207.82 | picssl.xunmzone.com | China | 37963 | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd | false
47.111.207.85 | static.scp.btoo3.com | China | 37963 | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd | false

                General Information

                Joe Sandbox Version:33.0.0 White Diamond
                Analysis ID:459164
                Start date:04.08.2021
                Start time:11:00:06
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 4m 10s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:winhost.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:2
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal64.spyw.evad.winEXE@1/2@2/2
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 64%
                • Number of executed functions: 78
                • Number of non-executed functions: 77
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                Warnings:
                • Exclude process from analysis (whitelisted): svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.114.76.35, 104.43.139.144, 20.189.173.20
                • Excluded domains from analysis (whitelisted): skypedataprdcolneu03.cloudapp.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, browser.events.data.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, browser.pipe.aria.microsoft.com
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

Time | Type | Description
11:00:55 | API Interceptor | 5x Sleep call for process: winhost.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

Match | Associated Sample Name / URL | Detection | Context
CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd | rCr0tVxmK3 | malicious | 119.23.55.28
 | sTcU2w5mZY | malicious | 8.186.115.143
 | niKcsf1qRy | malicious | 112.74.42.15
 | 3etkq3iOPQ | malicious | 182.94.212.107
 | peach.arm7 | malicious | 120.55.82.92
 | gji54VjOlP | malicious | 112.125.213.168
 | NqS5Kl0fD1.exe | malicious | 47.111.28.81
 | mmY2tjq2Pe.exe | malicious | 47.111.28.81
 | 9Id75kh8Og.exe | malicious | 47.96.15.92
 | urKffbunX5 | malicious | 8.173.175.221
 | EWTqmooWJi | malicious | 8.152.201.84
 | uGf1521l6S | malicious | 47.97.60.76
 | uiInKzkLQx | malicious | 112.124.68.114
 | NQrs7jd2jx | malicious | 8.136.60.75
 | 557IyF5NeE | malicious | 8.138.200.189
 | dTeFpeVR7V | malicious | 42.120.69.24
 | K2pnt8OlRe | malicious | 8.138.48.143
 | vhTZ5hgW6j | malicious | 121.197.201.64
 | FTFGYpE43O | malicious | 8.175.178.15
 | 0wagQPl5bl | malicious | 8.137.69.115

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Roaming\Osa\c
                Process:C:\Users\user\Desktop\winhost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):880
                Entropy (8bit):5.572742462599468
                Encrypted:false
                SSDEEP:24:m6NJjRkVuFRkVuFRkVPzg1kVPzKeH+kVPzi7q:hNdff08gLVGe
                MD5:AC05AE81D7767A7B01AA20BD894E052A
                SHA1:464918A74A585A01BCF6FD353C0C0CE1EFB9D345
                SHA-256:70E406B3B2223694333ACEAC0510EDB24EF5A6AB0C728C52749183DD365DECEB
                SHA-512:D7E94F49F4E8DAC33B0061B2725AC55CD422D14563F3F7790DAAE032DB90675F295ACBC60B9699306166B07738BDC5A7DAD9DFFBAFCA809E471A0C3DC4D23CBB
                Malicious:false
                Reputation:low
                Preview: RHBDT1BrYTJ1SWhKZ2p5cktTMlAvUT09bDB2UittSVNuRVNDOUxNektJNjJYN2k3d3FOMXBzWFY4Ym5yU3hvQm51NmdOYlduSU5GOHN3S0VlMWxyeFpZem1nVEpqanRubUxjZkJPbWlYalNyVXc9PQ==bDB2UittSVNuRVNDOUxNektJNjJYN2k3d3FOMXBzWFY4Ym5yU3hvQm51NTdIUGdXaWJ1aUhPaUt6Wm5oNEwyeS9uaFE5RWFXZmcrVk5QOEJQbjJpYmc9PQ==bDB2UittSVNuRVNDOUxNektJNjJYN2k3d3FOMXBzWFY4Ym5yU3hvQm51NTdIUGdXaWJ1aUhPaUt6Wm5oNEwyeS9uaFE5RWFXZmcrVk5QOEJQbjJpYmc9PQ==bDB2UittSVNuRVNDOUxNektJNjJYN2k3d3FOMXBzWFY4Ym5yU3hvQm51NTdIUGdXaWJ1aUhPaUt6Wm5oNEwyeTNRMUd3dUs2c1JUenRHR0dLSGkwdzFpdXFWVWdzZ0JITlQzdnhNeHpwT009bDB2UittSVNuRVNDOUxNektJNjJYN2k3d3FOMXBzWFY4Ym5yU3hvQm51NTdIUGdXaWJ1aUhPaUt6Wm5oNEwyeTNRMUd3dUs2c1JUenRHR0dLSGkwd3pXdGtRVVVWdzhMTjZBWkVCMGgreVYxUFJxRFFwUzE2em5LQUEwdzVGNUc=bDB2UittSVNuRVNDOUxNektJNjJYN2k3d3FOMXBzWFY4Ym5yU3hvQm51NTdIUGdXaWJ1aUhPaUt6Wm5oNEwyeTNRMUd3dUs2c1JUenRHR0dLSGkwdzRWeWdpbllEZFMvOHROTFE0bU1tUnl5Sis2aHZtMlFoM3Evbi9HTVlkTnc=
                C:\Users\user\Desktop\uu
                Process:C:\Users\user\Desktop\winhost.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):108
                Entropy (8bit):5.551060942271384
                Encrypted:false
                SSDEEP:3:iEgIshsQXc/oCoOyNgBAKywUYPANK1zsTmkXgwYn:iEgIs6CcXykvyAANK1zsTmkX1Y
                MD5:12B5A707240C4EB17E09A0DF82B1E8DB
                SHA1:3FC9502C04FCDF7373E20C5940C362A2DA7DDB9A
                SHA-256:F5DCA188C1E0AAEB4789B16328D4FEA226B58B17D3B089FDAF1DDAF89DE01B84
                SHA-512:57C10F932A13E307BB454D091357D17F96204C63354FBF6F110ADE25CAA7F33490FBF556277EC73493BB2EE12BA97EF64294EEB84FA6C4D9F88F2C2947B863E0
                Malicious:false
                Reputation:low
                Preview: vmnaEUXaIkpOk/aI5r907EZoWx7uxajDsFwmOJjDLpnE7FAqxr0/KqYKiPHkWhEGGe/bwyRB1QDB87ZQeh/MM+9HatKHuvZKuU81S9CTeEU=

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.311591849713371
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:winhost.exe
                File size:2256384
                MD5:fcf0f4b709606c50ce6157c044d10b9d
                SHA1:bb101a1b8357d52f8f7970d3f5f43bc25392bfeb
                SHA256:6169c9d6694e0263c7bc80e1409fea8e46188f08914095d91f3ad03a2d29fd08
                SHA512:386791473c36aa63caeec06ca3625b44dbc1bcf45b6ab7691f3dfdd5c5878d483f3ad56c57dccde7270129241bbefd02d81ae65a09bdda2b4bb1cc0c5c28f5a8
                SSDEEP:24576:LUk6yom8kcK2XztnuO2Q3faj+VB6xkfio9sWlUNYVyB8ksId1DCviJ:6xPkcK2Xztq+g2FuN58ks36J
                File Content Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........(@.aF..aF..aF.]....aF.4....aF.4...1aF.4....aF...B..aF...C..aF...C..aF...B..aF...E..aF.]....aF.]....aF.]....aF..aG.9`F...O..aF

                File Icon

                Icon Hash:00828e8e8686b000

                Static PE Info

                General

                Entrypoint:0x55aa9d
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x5FCF35D3 [Tue Dec 8 08:14:11 2020 UTC]
                TLS Callbacks:0x582eb0
                CLR (.Net) Version:
                OS Version Major:6
                OS Version Minor:0
                File Version Major:6
                File Version Minor:0
                Subsystem Version Major:6
                Subsystem Version Minor:0
                Import Hash:60fd4f63c7daf9f307e9aab3ac58a7e8

                Entrypoint Preview

                Instruction
                call 00007F9570C63DBAh
                jmp 00007F9570C6355Fh
                push ebp
                mov ebp, esp
                push 00000000h
                call dword ptr [005D409Ch]
                push dword ptr [ebp+08h]
                call dword ptr [005D40A0h]
                push C0000409h
                call dword ptr [005D4098h]
                push eax
                call dword ptr [005D4074h]
                pop ebp
                ret
                push ebp
                mov ebp, esp
                sub esp, 00000324h
                push 00000017h
                call 00007F9570CD17ADh
                test eax, eax
                je 00007F9570C636E7h
                push 00000002h
                pop ecx
                int 29h
                mov dword ptr [006035B0h], eax
                mov dword ptr [006035ACh], ecx
                mov dword ptr [006035A8h], edx
                mov dword ptr [006035A4h], ebx
                mov dword ptr [006035A0h], esi
                mov dword ptr [0060359Ch], edi
                mov word ptr [006035C8h], ss
                mov word ptr [006035BCh], cs
                mov word ptr [00603598h], ds
                mov word ptr [00603594h], es
                mov word ptr [00603590h], fs
                mov word ptr [0060358Ch], gs
                pushfd
                pop dword ptr [006035C0h]
                mov eax, dword ptr [ebp+00h]
                mov dword ptr [006035B4h], eax
                mov eax, dword ptr [ebp+04h]
                mov dword ptr [006035B8h], eax
                lea eax, dword ptr [ebp+08h]
                mov dword ptr [006035C4h], eax
                mov eax, dword ptr [ebp-00000324h]
                mov dword ptr [00603500h], 00010001h

                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f98f0 | 0x12c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20c000 | 0x14568 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x221000 | 0x10e90 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1ed5b0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1ed6c0 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ed620 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1d4000 | 0x5d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1d2097 | 0x1d2200 | False | 0.334815068551 | data | 6.10378651378 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x1d4000 | 0x27ba4 | 0x27c00 | False | 0.449851365959 | data | 5.41416041177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1fc000 | 0xfa68 | 0x7600 | False | 0.172768802966 | DOS executable (block device driver\277DN\346@\273) | 3.64521339483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x20c000 | 0x14568 | 0x14600 | False | 0.905207534509 | data | 7.80257652691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x221000 | 0x10e90 | 0x11000 | False | 0.664967256434 | data | 6.72836143913 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

Name | RVA | Size | Type | Language | Country
PNG | 0x20edd8 | 0x31a | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States
PNG | 0x20f0f8 | 0x72d | PNG image data, 240 x 135, 8-bit colormap, non-interlaced | English | United States
PNG | 0x20f828 | 0x5df | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x20fe08 | 0x4e3 | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x2102f0 | 0xcee | PNG image data, 240 x 135, 8-bit colormap, non-interlaced | English | United States
PNG | 0x210fe0 | 0x874 | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x211858 | 0x766 | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x211fc0 | 0x37b8 | PNG image data, 240 x 135, 8-bit colormap, non-interlaced | English | United States
PNG | 0x215778 | 0x1fc0 | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x217738 | 0x20e0 | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x219818 | 0x5b9 | PNG image data, 152 x 112, 8-bit colormap, non-interlaced | English | United States
PNG | 0x219dd8 | 0x890 | PNG image data, 152 x 112, 8-bit colormap, non-interlaced | English | United States
PNG | 0x21a668 | 0x21ec | PNG image data, 152 x 112, 8-bit colormap, non-interlaced | English | United States
PNG | 0x21c858 | 0x37c | PNG image data, 152 x 112, 8-bit colormap, non-interlaced | English | United States
PNG | 0x21cbd8 | 0x38b | PNG image data, 240 x 135, 8-bit colormap, non-interlaced | English | United States
PNG | 0x21cf68 | 0x5cc | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x21d538 | 0x7b1 | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
PNG | 0x21dcf0 | 0x209a | PNG image data, 160 x 90, 8-bit colormap, non-interlaced | English | United States
RT_DIALOG | 0x20c4e0 | 0x168 | data | |
RT_RCDATA | 0x20c888 | 0x12d4 | TrueType Font data, 11 tables, 1st "GSUB", 18 names, Macintosh, | English | United States
RT_RCDATA | 0x20db60 | 0x1274 | TrueType Font data, 11 tables, 1st "GSUB", 18 names, Macintosh, | English | United States
RT_VERSION | 0x20c648 | 0x23c | data | English | United States
RT_MANIFEST | 0x21fd90 | 0x7d8 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States

                Imports

DLL | Import
KERNEL32.dll | GlobalLock, GlobalUnlock, GetTempPathW, WaitForSingleObject, LocalFree, GetProcAddress, HeapReAlloc, HeapSize, WritePrivateProfileStringW, GetPrivateProfileStringW, FreeResource, TerminateProcess, OpenProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, K32GetProcessImageFileNameW, GetPriorityClass, IsDebuggerPresent, IsProcessorFeaturePresent, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, FindResourceW, SizeofResource, LockResource, LoadResource, InitializeCriticalSection, GetModuleFileNameW, LeaveCriticalSection, EnterCriticalSection, lstrcmpW, lstrcpyW, FindNextFileW, FindFirstFileW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFileAttributesW, DecodePointer, QueryDepthSList, InterlockedPopEntrySList, ReleaseSemaphore, VirtualFree, GlobalAlloc, VirtualAlloc, GetThreadTimes, UnregisterWait, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SignalObjectAndWait, CreateTimerQueue, WriteConsoleW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, GetTimeZoneInformation, ReadConsoleW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetFileType, SetStdHandle, GetConsoleMode, GetConsoleCP, GetACP, GetStdHandle, ExitProcess, FreeLibraryAndExitThread, ExitThread, GetProcessHeap, GetTickCount, GetCommandLineW, RaiseException, CreateEventW, CreateProcessW, CreateMutexW, Sleep, MulDiv, HeapFree, HeapAlloc, MoveFileW, DeleteFileW, VirtualProtect, DeleteCriticalSection, InitializeCriticalSectionEx, GetLastError, CloseHandle, FindFirstFileExW, LoadLibraryExW, FreeLibrary, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, RegisterWaitForSingleObject, WaitForSingleObjectEx, ResetEvent, UnregisterWaitEx, SetThreadPriority, FindClose, SetFilePointerEx, FlushFileBuffers, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetUserDefaultLangID, ReleaseMutex, OutputDebugStringA, SystemTimeToFileTime, IsBadWritePtr, IsBadReadPtr, CreateWaitableTimerW, WaitForMultipleObjects, CancelWaitableTimer, SetWaitableTimer, SetFileTime, SetFilePointer, SetEndOfFile, GetDiskFreeSpaceExW, ExpandEnvironmentStringsW, SuspendThread, TerminateThread, CreateThread, CopyFileW, WriteFile, RemoveDirectoryW, ReadFile, GetTempFileNameW, GetFileAttributesExW, CreateDirectoryW, lstrcmpA, DeviceIoControl, CreateFileW, LoadLibraryW, GetModuleHandleA, GetVersionExW, OutputDebugStringW, SetEvent, InitializeCriticalSectionAndSpinCount, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetCPInfo, GetLocaleInfoW, LCMapStringW, InitializeSListHead, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetLastError, GetNativeSystemInfo, GetCurrentThread, SwitchToThread, DuplicateHandle, GetStringTypeW, MultiByteToWideChar, GetModuleHandleExW, QueueUserWorkItem, EncodePointer, TryEnterCriticalSection, WideCharToMultiByte, FormatMessageW, GetStartupInfoW
USER32.dll | DeferWindowPos, EndDeferWindowPos, SetClipboardData, GetFocus, IsClipboardFormatAvailable, GetClipboardData, SendMessageTimeoutW, GetSystemMetrics, GetAncestor, SendInput, MapVirtualKeyW, GetLastActivePopup, GetTopWindow, GetWindow, GetDesktopWindow, EndDialog, GetMessageW, DispatchMessageW, TranslateMessage, SetWindowLongW, GetWindowLongW, CreateWindowExW, SendMessageW, PostMessageW, GetWindowTextW, SetWindowPos, GetWindowRect, ScreenToClient, BeginPaint, CloseClipboard, GetDC, PostQuitMessage, ReleaseDC, UpdateWindow, ShowWindow, IsWindowVisible, SetTimer, KillTimer, GetParent, GetDlgItem, MessageBoxW, OpenClipboard, GetWindowThreadProcessId, IsWindow, GetClassNameW, GetMonitorInfoW, DefWindowProcW, LoadCursorW, RegisterClassExW, EnumDisplayMonitors, BeginDeferWindowPos, DialogBoxParamW, GetCursorPos, SetCursor, GetRawInputData, mouse_event, UpdateLayeredWindow, FindWindowW, LoadIconW, RegisterClassW, GetForegroundWindow, SetLayeredWindowAttributes, GetLastInputInfo, EmptyClipboard, SetForegroundWindow, GetWindowDC, RegisterRawInputDevices, GetShellWindow, EndPaint, MonitorFromWindow, EnumWindows, SystemParametersInfoW
GDI32.dll | DeleteObject, GetObjectW, GetStockObject, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, CreateSolidBrush, SelectObject, CreateFontIndirectW, GetDeviceCaps
ADVAPI32.dll | RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW, RegCreateKeyExW
SHELL32.dll | SHCreateDirectoryExW, SHGetFolderPathW, SHFileOperationW, ShellExecuteExW, CommandLineToArgvW, ShellExecuteW, SHGetSpecialFolderPathW
ole32.dll | CoUninitialize, CoCreateGuid, CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
SHLWAPI.dll | PathGetDriveNumberW, PathFileExistsW, SHGetValueW, PathAppendW, SHSetValueW, SHDeleteValueW, StrStrIW, SHGetValueA, SHSetValueA
gdiplus.dll | GdipAlloc, GdipDeleteBrush, GdipCreateSolidFill, GdipCreatePen1, GdipDeletePen, GdipCreateStringFormat, GdipDeleteStringFormat, GdipCreatePath, GdipDeletePath, GdipResetPath, GdipAddPathString, GdipCreateFromHDC, GdipDeleteGraphics, GdipReleaseDC, GdipSetTextRenderingHint, GdipFree, GdipSetSmoothingMode, GdipSetPixelOffsetMode, GdipDrawRectangleI, GdipGraphicsClear, GdipDrawString, GdipDrawImagePointRectI, GdipGetPathWorldBounds, GdipGetFontCollectionFamilyCount, GdipGetFontCollectionFamilyList, GdipCloneFontFamily, GdipNewPrivateFontCollection, GdipDeletePrivateFontCollection, GdipPrivateAddFontFile, GdipPrivateAddMemoryFont, GdipCreateFontFamilyFromName, GdipDeleteFontFamily, GdipCreateFont, GdipDeleteFont, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipDisposeImage, GdipSetInterpolationMode, GdipCreateBitmapFromStream, GdipCloneImage
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WTSAPI32.dll | WTSRegisterSessionNotification
POWRPROF.dll | PowerReadACValueIndex, PowerReadDCValueIndex, PowerGetActiveScheme
NETAPI32.dll | Netbios
WININET.dll | InternetCrackUrlW, InternetOpenW, InternetCloseHandle, InternetOpenUrlW, InternetReadFile, InternetQueryOptionW, InternetSetOptionW, HttpOpenRequestW, HttpAddRequestHeadersA, InternetConnectW, HttpSendRequestW, HttpQueryInfoA, HttpQueryInfoW, InternetErrorDlg, InternetReadFileExA, InternetWriteFile, InternetSetOptionA, InternetGetLastResponseInfoW, InternetSetStatusCallbackW, FtpOpenFileW, FtpCommandW, FtpGetFileSize, HttpSendRequestExW, HttpEndRequestW, HttpAddRequestHeadersW
WINMM.dll | timeGetTime

                Version Infos

Description | Data
LegalCopyright | Copyright (C) 2019
InternalName |
FileVersion | 5.2.2.2
CompanyName |
ProductName |
ProductVersion | 5.2.2.2
FileDescription |
OriginalFilename |
Translation | 0x0409 0x04b0

                Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                Network Behavior

                Network Port Distribution

                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 4, 2021 11:00:56.344932079 CEST | 49734 | 443 | 192.168.2.4 | 47.111.207.85
Aug 4, 2021 11:00:56.348329067 CEST | 49735 | 443 | 192.168.2.4 | 47.111.207.85
Aug 4, 2021 11:00:56.430186987 CEST | 49737 | 443 | 192.168.2.4 | 47.111.207.82
Aug 4, 2021 11:00:56.430368900 CEST | 49738 | 443 | 192.168.2.4 | 47.111.207.82
Aug 4, 2021 11:00:59.352907896 CEST | 49734 | 443 | 192.168.2.4 | 47.111.207.85
Aug 4, 2021 11:00:59.352942944 CEST | 49735 | 443 | 192.168.2.4 | 47.111.207.85
Aug 4, 2021 11:00:59.431102991 CEST | 49737 | 443 | 192.168.2.4 | 47.111.207.82
Aug 4, 2021 11:00:59.431106091 CEST | 49738 | 443 | 192.168.2.4 | 47.111.207.82
Aug 4, 2021 11:01:00.430435896 CEST | 49742 | 443 | 192.168.2.4 | 47.111.207.85
Aug 4, 2021 11:01:03.415906906 CEST | 49742 | 443 | 192.168.2.4 | 47.111.207.85
Aug 4, 2021 11:01:04.434081078 CEST | 49748 | 443 | 192.168.2.4 | 47.111.207.82

                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 4, 2021 11:00:49.806888103 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:49.835550070 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:50.177292109 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:50.209837914 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:51.063666105 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:51.100745916 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:52.476656914 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:52.510797024 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:53.843600988 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:53.870711088 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:54.621578932 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:54.650405884 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:55.959737062 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:55.960536003 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:56.295855999 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:56.358196020 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:56.383375883 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:56.427577019 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:57.426990986 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:57.453129053 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:58.480881929 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:58.508363962 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:00:59.553214073 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:00:59.581866026 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:00.608194113 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:00.633081913 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:01.666240931 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:01.698685884 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:02.475800037 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:02.500792027 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:03.513886929 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:03.541677952 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:04.317537069 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:04.346360922 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:06.166809082 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:06.201558113 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:07.287503004 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:07.315426111 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:08.164916992 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:08.199187994 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Aug 4, 2021 11:01:13.013803005 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Aug 4, 2021 11:01:13.054764032 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4

                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 4, 2021 11:00:55.959737062 CEST | 192.168.2.4 | 8.8.8.8 | 0xb67c | Standard query (0) | static.scp.btoo3.com | A (IP address) | IN (0x0001)
Aug 4, 2021 11:00:55.960536003 CEST | 192.168.2.4 | 8.8.8.8 | 0x17ec | Standard query (0) | picssl.xunmzone.com | A (IP address) | IN (0x0001)

                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 4, 2021 11:00:56.295855999 CEST | 8.8.8.8 | 192.168.2.4 | 0xb67c | No error (0) | static.scp.btoo3.com | | 47.111.207.85 | A (IP address) | IN (0x0001)
Aug 4, 2021 11:00:56.427577019 CEST | 8.8.8.8 | 192.168.2.4 | 0x17ec | No error (0) | picssl.xunmzone.com | | 47.111.207.82 | A (IP address) | IN (0x0001)

                Code Manipulations

                Statistics

                CPU Usage


                Memory Usage


                High Level Behavior Distribution


                System Behavior

                General

                Start time: 11:00:54
                Start date: 04/08/2021
                Path: C:\Users\user\Desktop\winhost.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Users\user\Desktop\winhost.exe'
                Imagebase: 0x1c0000
                File size: 2256384 bytes
                MD5 hash: FCF0F4B709606C50CE6157C044D10B9D
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Reputation: low

                Disassembly

                Code Analysis


                  Execution Graph

                  Execution Coverage: 12.2%
                  Dynamic/Decrypted Code Coverage: 0%
                  Signature Coverage: 11.8%
                  Total number of Nodes: 1969
                  Total number of Limit Nodes: 54

                  Graph

1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27877->28109 27878->27875 27881 309873 27880->27881 27881->27766 27883 309880 27881->27883 27882 30979e 27882->27873 27884 3309d0 17 API calls 27883->27884 27887 30990a 27884->27887 27885 309a1b 27886 1da610 SimpleUString::operator= 2 API calls 27885->27886 27889 309a3b 27886->27889 27887->27885 27888 30999f PathFileExistsW 27887->27888 27891 309951 27887->27891 28110 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27887->28110 27888->27885 27895 3099b5 27888->27895 27894 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27889->27894 27891->27888 27892 30997c 27891->27892 28111 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27892->28111 27896 309a63 27894->27896 27895->27889 27896->27766 27897 30998e 27897->27888 27899 3309d0 17 API calls 27898->27899 27902 309eea 27899->27902 27900 309ffb 27901 1da610 SimpleUString::operator= 2 API calls 27900->27901 27903 30a01b 27901->27903 27902->27900 27904 309f7f PathFileExistsW 27902->27904 27906 309f31 27902->27906 28112 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27902->28112 27910 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27903->27910 27904->27900 27907 309f95 27904->27907 27906->27904 27908 309f5c 27906->27908 27907->27903 28113 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27908->28113 27911 30a043 27910->27911 27911->27770 27913 30a050 27911->27913 27912 309f6e 27912->27904 27914 3309d0 17 API calls 27913->27914 27917 30a0da 27914->27917 27915 30a1eb 27916 1da610 SimpleUString::operator= 2 API calls 27915->27916 27920 30a20b 27916->27920 27917->27915 27918 30a16f PathFileExistsW 27917->27918 27919 30a121 27917->27919 28114 1da090 
Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27917->28114 27918->27915 27925 30a185 27918->27925 27919->27918 27922 30a14c 27919->27922 27924 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27920->27924 28115 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27922->28115 27926 30a233 27924->27926 27925->27920 27926->27770 27927 30a15e 27927->27918 27929 3309d0 17 API calls 27928->27929 27932 309afa 27929->27932 27930 309c0b 27931 1da610 SimpleUString::operator= 2 API calls 27930->27931 27934 309c2b 27931->27934 27932->27930 27933 309b8f PathFileExistsW 27932->27933 27937 309b41 27932->27937 28116 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27932->28116 27933->27930 27940 309ba5 27933->27940 27939 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27934->27939 27936 309b6c 28117 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27936->28117 27937->27933 27937->27936 27941 309c53 27939->27941 27940->27934 27941->27774 27943 309c60 27941->27943 27942 309b7e 27942->27933 27944 3309d0 17 API calls 27943->27944 27947 309cea 27944->27947 27945 309dfb 27946 1da610 SimpleUString::operator= 2 API calls 27945->27946 27951 309e1b 27946->27951 27947->27945 27948 309d7f PathFileExistsW 27947->27948 27949 309d31 27947->27949 28118 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27947->28118 27948->27945 27953 309d95 27948->27953 27949->27948 27952 309d5c 27949->27952 27955 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27951->27955 28119 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27952->28119 27953->27951 27956 309e43 27955->27956 27956->27774 27957 309d6e 27957->27948 27959 3309d0 17 API calls 
27958->27959 27963 30a2ca 27959->27963 27960 30a3db 27961 1da610 SimpleUString::operator= 2 API calls 27960->27961 27962 30a3fb 27961->27962 27970 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27962->27970 27963->27960 27964 30a35f PathFileExistsW 27963->27964 27965 30a311 27963->27965 28120 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27963->28120 27964->27960 27968 30a375 27964->27968 27965->27964 27967 30a33c 27965->27967 28121 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27967->28121 27968->27962 27971 30a423 27970->27971 27971->27778 27973 30a430 27971->27973 27972 30a34e 27972->27964 27974 3309d0 17 API calls 27973->27974 27977 30a4ba 27974->27977 27975 30a5cb 27976 1da610 SimpleUString::operator= 2 API calls 27975->27976 27980 30a5eb 27976->27980 27977->27975 27978 30a54f PathFileExistsW 27977->27978 27986 30a501 27977->27986 28122 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27977->28122 27978->27975 27979 30a565 27978->27979 27979->27980 27984 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27980->27984 27982 30a52c 28123 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27982->28123 27985 30a613 27984->27985 27985->27778 27986->27978 27986->27982 27987 30a53e 27987->27978 27989 3309d0 17 API calls 27988->27989 27992 30a6aa 27989->27992 27990 30a7bb 27991 1da610 SimpleUString::operator= 2 API calls 27990->27991 27995 30a7db 27991->27995 27992->27990 27993 30a73f PathFileExistsW 27992->27993 27996 30a6f1 27992->27996 28124 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27992->28124 27993->27990 27998 30a755 27993->27998 28000 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 27995->28000 27996->27993 27997 30a71c 27996->27997 
28125 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 27997->28125 27998->27995 28001 30a803 28000->28001 28001->27782 28003 30a810 28001->28003 28002 30a72e 28002->27993 28004 3309d0 17 API calls 28003->28004 28007 30a89a 28004->28007 28005 30a9ab 28006 1da610 SimpleUString::operator= 2 API calls 28005->28006 28011 30a9cb 28006->28011 28007->28005 28008 30a92f PathFileExistsW 28007->28008 28009 30a8e1 28007->28009 28126 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28007->28126 28008->28005 28013 30a945 28008->28013 28009->28008 28012 30a90c 28009->28012 28015 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28011->28015 28127 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28012->28127 28013->28011 28016 30a9f3 28015->28016 28016->27782 28017 30a91e 28017->28008 28019 3309d0 17 API calls 28018->28019 28022 30aa8a 28019->28022 28020 30ab9b 28021 1da610 SimpleUString::operator= 2 API calls 28020->28021 28025 30abbb 28021->28025 28022->28020 28023 30ab1f PathFileExistsW 28022->28023 28024 30aad1 28022->28024 28128 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28022->28128 28023->28020 28028 30ab35 28023->28028 28024->28023 28027 30aafc 28024->28027 28030 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28025->28030 28129 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28027->28129 28028->28025 28031 30abe3 28030->28031 28031->27786 28033 30abf0 28031->28033 28032 30ab0e 28032->28023 28034 3309d0 17 API calls 28033->28034 28037 30ac7a 28034->28037 28035 30ad8b 28036 1da610 SimpleUString::operator= 2 API calls 28035->28036 28040 30adab 28036->28040 28037->28035 28038 30ad0f PathFileExistsW 28037->28038 28041 30acc1 28037->28041 28130 1da090 
Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28037->28130 28038->28035 28043 30ad25 28038->28043 28045 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28040->28045 28041->28038 28042 30acec 28041->28042 28131 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28042->28131 28043->28040 28046 30add3 28045->28046 28046->27786 28047 30acfe 28047->28038 28049 3309d0 17 API calls 28048->28049 28052 30ae6a 28049->28052 28050 30af7b 28051 1da610 SimpleUString::operator= 2 API calls 28050->28051 28055 30af9b 28051->28055 28052->28050 28053 30aeff PathFileExistsW 28052->28053 28054 30aeb1 28052->28054 28132 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28052->28132 28053->28050 28060 30af15 28053->28060 28054->28053 28057 30aedc 28054->28057 28059 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28055->28059 28133 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28057->28133 28061 30afc3 28059->28061 28060->28055 28061->27790 28063 30afd0 28061->28063 28062 30aeee 28062->28053 28064 3309d0 17 API calls 28063->28064 28067 30b05a 28064->28067 28065 30b16b 28066 1da610 SimpleUString::operator= 2 API calls 28065->28066 28070 30b18b 28066->28070 28067->28065 28068 30b0ef PathFileExistsW 28067->28068 28071 30b0a1 28067->28071 28134 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28067->28134 28068->28065 28074 30b105 28068->28074 28073 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28070->28073 28071->28068 28072 30b0cc 28071->28072 28135 1da090 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException SimpleUString::operator= 28072->28135 28076 30b1b3 28073->28076 28074->28070 28076->27790 28077 30b0de 28077->28068 28079 3309f0 28078->28079 28099 
330b46 28078->28099 28098 330aa8 28079->28098 28100 330a00 28079->28100 28080 330b92 28105 3361b0 11 API calls 3 library calls 28080->28105 28081 330a9e 28081->27842 28083 330a5a 28089 330a61 CloseHandle 28083->28089 28090 330a6f 28083->28090 28084 330a4f 28103 3361b0 11 API calls 3 library calls 28084->28103 28085 330b02 28092 330b17 28085->28092 28093 330b09 CloseHandle 28085->28093 28086 330af7 28104 3361b0 11 API calls 3 library calls 28086->28104 28087 330b9d 28087->27842 28089->28090 28094 330a82 RegCreateKeyExW 28090->28094 28095 330a75 RegCloseKey 28090->28095 28096 330b2a RegOpenKeyExW 28092->28096 28097 330b1d RegCloseKey 28092->28097 28093->28092 28094->28081 28095->28094 28096->27842 28097->28096 28098->28085 28098->28086 28099->28080 28099->28081 28100->28083 28100->28084 28101->27846 28102->27852 28103->28083 28104->28085 28105->28087 28106->27860 28107->27867 28108->27876 28109->27882 28110->27891 28111->27897 28112->27906 28113->27912 28114->27919 28115->27927 28116->27937 28117->27942 28118->27949 28119->27957 28120->27965 28121->27972 28122->27986 28123->27987 28124->27996 28125->28002 28126->28009 28127->28017 28128->28024 28129->28032 28130->28041 28131->28047 28132->28054 28133->28062 28134->28071 28135->28077 28136->27221 28137->27223 28201 35a41b 28138->28201 28140 35a4b7 28140->27225 28142 31a14d make_shared Concurrency::cancel_current_task 28141->28142 28143 1dcf51 28142->28143 28144 1de710 28143->28144 28145 1e07b0 std::_XGetLastError 2 API calls 28144->28145 28146 1de76c 28145->28146 28147 3288e0 8 API calls 28146->28147 28148 1de77c 28147->28148 28149 1de7c8 SimpleUString::operator= 28148->28149 28153 1def13 28148->28153 28150 30b9a0 100 API calls 28149->28150 28151 1de7f8 28150->28151 28152 328cc0 10 API calls 28151->28152 28156 1de808 28152->28156 28154 1e07b0 std::_XGetLastError 2 API calls 28153->28154 28179 1df307 SimpleUString::operator= 28153->28179 28157 1defbe 28154->28157 28155 1df35c 28158 31a12e 
__ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28155->28158 28160 1de863 SHGetValueW 28156->28160 28161 32b150 13 API calls 28157->28161 28159 1df376 28158->28159 28159->27256 28162 1de8a2 28160->28162 28168 1de8e4 SimpleUString::operator= 28160->28168 28163 1deffb 28161->28163 28166 1da610 SimpleUString::operator= 2 API calls 28162->28166 28212 32d000 IsProcessorFeaturePresent ___raise_securityfailure Concurrency::cancel_current_task __CxxThrowException __CxxThrowException 28163->28212 28164 1e07b0 std::_XGetLastError 2 API calls 28167 1de9ca 28164->28167 28166->28168 28169 1e07b0 std::_XGetLastError 2 API calls 28167->28169 28168->28164 28170 1deaaf 28169->28170 28172 32b8d0 12 API calls 28170->28172 28171 1df038 28173 1e07b0 std::_XGetLastError 2 API calls 28171->28173 28181 1df12b SimpleUString::operator= 28171->28181 28175 1deacc SimpleUString::operator= 28172->28175 28173->28181 28174 1e07b0 std::_XGetLastError 2 API calls 28177 1deb52 28174->28177 28175->28174 28176 1dd620 5 API calls 28176->28179 28178 1e1280 std::_XGetLastError 3 API calls 28177->28178 28180 1deb86 SimpleUString::operator= 28177->28180 28178->28180 28179->28155 28197 32d9c0 5 API calls 28179->28197 28182 31a14d make_shared Concurrency::cancel_current_task 28180->28182 28181->28176 28184 1df37c 28181->28184 28183 1debd4 28182->28183 28206 32d880 28183->28206 28184->27256 28186 1debf7 28187 30b530 55 API calls 28186->28187 28188 1dec0a 28187->28188 28189 1e07b0 std::_XGetLastError 2 API calls 28188->28189 28190 1dec28 SimpleUString::operator= 28188->28190 28189->28190 28211 32ddd0 CreateThread 28190->28211 28192 1dd620 5 API calls 28194 1ded6e SimpleUString::operator= 28192->28194 28193 1decb9 SimpleUString::operator= 28193->28192 28195 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28194->28195 28196 1def0f 28195->28196 28196->27256 28197->28155 28198->27262 28199->27271 28200->27282 28202 35a43e 28201->28202 28204 35a42a __alldvrm 28201->28204 28202->28204 28205 
366477 8 API calls 2 library calls 28202->28205 28204->28140 28205->28204 28207 31a14d make_shared Concurrency::cancel_current_task 28206->28207 28208 32d8e8 28207->28208 28209 31a14d make_shared Concurrency::cancel_current_task 28208->28209 28210 32d90e CreateEventW 28209->28210 28210->28186 28211->28193 28213 32e280 28211->28213 28212->28171 28217 32e28d 28213->28217 28214 32e3ba 28215 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28214->28215 28216 32e3ca 28215->28216 28217->28214 28218 32e39b InternetCrackUrlW 28217->28218 28219 32e3d0 28218->28219 28220 32e3b4 GetLastError 28218->28220 28219->28214 28221 32e3db InternetOpenW 28219->28221 28220->28214 28223 32e428 InternetConnectW 28221->28223 28233 32e41e 28221->28233 28243 32e456 _Yarn SimpleUString::operator= 28223->28243 28247 32ea99 28223->28247 28224 32edff 28225 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28224->28225 28227 32ee0e 28225->28227 28226 32e571 HttpOpenRequestW 28229 32edba 28226->28229 28226->28243 28228 32ec58 InternetCloseHandle 28228->28229 28230 32edd2 28229->28230 28231 32edcf InternetCloseHandle 28229->28231 28230->28233 28234 32eddc InternetCloseHandle 28230->28234 28231->28230 28232 32f0a0 IsProcessorFeaturePresent ___raise_securityfailure 28232->28243 28233->28224 28283 1de710 153 API calls 28233->28283 28234->28233 28236 32e64a HttpAddRequestHeadersW 28236->28243 28237 32e780 InternetQueryOptionW InternetSetOptionW 28238 32e7da 7 API calls 28237->28238 28237->28243 28238->28243 28239 32e715 HttpAddRequestHeadersA 28239->28243 28240 1e0bf0 Concurrency::cancel_current_task 28240->28243 28241 32e85c HttpSendRequestW 28244 32e8d7 WaitForSingleObject 28241->28244 28245 32e87b GetLastError 28241->28245 28242 32ee28 28243->28226 28243->28232 28243->28236 28243->28237 28243->28239 28243->28240 28243->28241 28243->28242 28284 32d000 IsProcessorFeaturePresent ___raise_securityfailure Concurrency::cancel_current_task __CxxThrowException __CxxThrowException 
28243->28284 28244->28247 28252 32e8ea 28244->28252 28245->28244 28246 32e888 InternetQueryOptionW InternetSetOptionW 28245->28246 28246->28237 28246->28244 28247->28228 28247->28229 28248 32ecc8 28249 32ecdb HttpQueryInfoA 28248->28249 28251 32ed10 28249->28251 28250 32e905 HttpQueryInfoW 28250->28252 28251->28251 28255 1e07b0 std::_XGetLastError 2 API calls 28251->28255 28252->28247 28252->28248 28252->28250 28253 32eaa0 HttpQueryInfoW 28252->28253 28258 32e980 InternetOpenW 28252->28258 28254 32ead4 GetLastError 28253->28254 28256 32eabd 28253->28256 28254->28256 28257 32ed29 28255->28257 28259 31a14d make_shared Concurrency::cancel_current_task 28256->28259 28262 32ed3c HttpQueryInfoA 28257->28262 28258->28247 28260 32e9a1 InternetOpenUrlW 28258->28260 28261 32eaf7 28259->28261 28273 32e9c2 28260->28273 28285 32d480 Concurrency::cancel_current_task std::_XGetLastError make_shared 28261->28285 28264 32ed67 28262->28264 28264->28264 28268 1e07b0 std::_XGetLastError 2 API calls 28264->28268 28265 32ea50 InternetCloseHandle 28267 32ea5d InternetCloseHandle InternetCloseHandle 28265->28267 28282 32ea93 28265->28282 28266 32e9d5 HttpQueryInfoW 28266->28273 28269 32ea83 InternetCloseHandle 28267->28269 28270 32ea86 28267->28270 28268->28247 28269->28270 28270->28223 28271 32ea41 InternetCloseHandle 28271->28273 28272 32eb26 28272->28272 28278 32eb6f _Yarn 28272->28278 28273->28260 28273->28265 28273->28266 28273->28271 28274 32ea1c GetDesktopWindow InternetErrorDlg 28273->28274 28274->28271 28275 32eba3 InternetReadFile 28276 32ec66 28275->28276 28275->28278 28277 32ed8b GetLastError 28276->28277 28281 32ec3b 28276->28281 28277->28247 28277->28282 28278->28275 28279 32ec0a SetEvent 28278->28279 28280 32ec19 WaitForSingleObject 28278->28280 28278->28281 28279->28280 28280->28278 28280->28282 28281->28248 28282->28247 28283->28224 28284->28243 28285->28272 28286->27313 28796 325460 GetCurrentProcess GetModuleHandleW GetProcAddress 28797 3254ac 28796->28797 28798 3254ff 
GetVersionExW 28797->28798 28799 325545 28798->28799 28800 32552f GetNativeSystemInfo 28798->28800 28808 3255fa 28799->28808 28811 32554e 28799->28811 28802 3256d2 28800->28802 28803 325767 GetModuleHandleW GetProcAddress 28802->28803 28807 325717 28802->28807 28805 325797 28803->28805 28804 325678 28821 3361b0 11 API calls 3 library calls 28804->28821 28805->28807 28809 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28807->28809 28808->28800 28808->28804 28810 3257ce 28809->28810 28811->28800 28818 325210 28 API calls 3 library calls 28811->28818 28813 3255a8 28813->28800 28814 3255af 28813->28814 28819 336010 18 API calls SimpleUString::operator= 28814->28819 28816 3255c7 28820 3361b0 11 API calls 3 library calls 28816->28820 28818->28813 28819->28816 28820->28800 28821->28800 28822 360e61 28823 360e6d 28822->28823 28825 360e7b 28823->28825 28826 36d669 28823->28826 28827 36d5e4 28826->28827 28828 36d60c 28827->28828 28830 372705 28827->28830 28828->28825 28833 371e02 28830->28833 28832 372720 28832->28828 28834 371e0e 28833->28834 28836 371e1c 28834->28836 28837 3723dc 28834->28837 28836->28832 28838 3723f9 __wsopen_s 28837->28838 28839 37240e 28838->28839 28858 37211b CreateFileW 28838->28858 28839->28836 28841 372502 GetFileType 28843 37250d GetLastError __dosmaperr CloseHandle 28841->28843 28846 372554 28841->28846 28842 3724d7 GetLastError __dosmaperr 28842->28839 28843->28839 28856 372544 28843->28856 28844 372485 28844->28841 28844->28842 28859 37211b CreateFileW 28844->28859 28849 3725c1 28846->28849 28860 37232c 17 API calls __fread_nolock 28846->28860 28847 3724ca 28847->28841 28847->28842 28850 3725ee 28849->28850 28851 3725ff 28849->28851 28852 3669fa __wsopen_s 3 API calls 28850->28852 28851->28839 28853 37267d CloseHandle 28851->28853 28852->28839 28861 37211b CreateFileW 28853->28861 28855 3726a8 28855->28856 28857 3726b2 GetLastError __dosmaperr 28855->28857 28856->28839 28857->28856 28858->28844 28859->28847 28860->28849 
28861->28855 28902 1e2240 28903 1e227e SimpleUString::operator= Concurrency::details::_Release_chore 28902->28903 28904 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28903->28904 28905 1e22ac 28904->28905 28773 311040 28775 311066 28773->28775 28776 3110b0 28775->28776 28779 310e90 28775->28779 28777 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28776->28777 28778 3110e7 28777->28778 28781 310ec2 28779->28781 28780 310f8c 28782 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28780->28782 28781->28780 28784 310fa2 28781->28784 28788 313860 5 API calls 28781->28788 28789 310810 28781->28789 28783 310f9c 28782->28783 28783->28775 28785 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28784->28785 28786 310fb5 28785->28786 28786->28775 28788->28781 28790 310843 28789->28790 28791 310861 28789->28791 28790->28781 28795 30f740 ___std_exception_copy Concurrency::cancel_current_task __CxxThrowException std::_XGetLastError SimpleUString::operator= 28791->28795 28793 310878 __CxxThrowException 28794 31089e 28793->28794 28794->28781 28795->28793 28516 33f4b0 28517 33f4d1 28516->28517 28518 33f4fb 28516->28518 28520 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28517->28520 28532 340370 28518->28532 28521 33f4f5 28520->28521 28522 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28524 33f806 28522->28524 28523 31a14d make_shared Concurrency::cancel_current_task 28529 33f502 28523->28529 28526 1e07b0 std::_XGetLastError 2 API calls 28526->28529 28527 340370 11 API calls 28527->28529 28529->28523 28529->28526 28529->28527 28530 33f7d7 28529->28530 28537 33fc70 28529->28537 28561 33f9d0 12 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 28529->28561 28562 33ef40 28529->28562 28530->28522 28536 340387 28532->28536 28533 3403d1 28569 3361b0 11 API calls 3 library calls 28533->28569 28534 3403dc 28534->28529 28536->28533 28536->28534 28538 33fc91 28537->28538 28539 33fcb0 28537->28539 28541 
31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28538->28541 28540 33fd62 28539->28540 28543 31a14d make_shared Concurrency::cancel_current_task 28539->28543 28542 1e07b0 std::_XGetLastError 2 API calls 28540->28542 28544 33fcaa 28541->28544 28545 33fd89 28542->28545 28546 33fd3a 28543->28546 28544->28529 28547 33ef40 12 API calls 28545->28547 28546->28540 28549 1e07b0 std::_XGetLastError 2 API calls 28546->28549 28548 33fd94 28547->28548 28550 33fdbb SimpleUString::operator= 28548->28550 28552 33fdd6 28548->28552 28549->28540 28551 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28550->28551 28553 33fdd0 28551->28553 28554 31a14d make_shared Concurrency::cancel_current_task 28552->28554 28553->28529 28555 33fe01 28554->28555 28557 33fe16 SimpleUString::operator= 28555->28557 28570 324f80 28555->28570 28558 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28557->28558 28560 33fe71 28557->28560 28559 33fe6d 28558->28559 28559->28529 28561->28529 28568 33ef57 28562->28568 28563 33efa8 28566 1e08f0 3 API calls 28563->28566 28564 33ef9d 28577 3361b0 11 API calls 3 library calls 28564->28577 28567 33efc1 28566->28567 28567->28529 28568->28563 28568->28564 28569->28534 28571 324fb5 28570->28571 28574 324f9c SimpleUString::operator= 28570->28574 28572 1e07b0 std::_XGetLastError 2 API calls 28571->28572 28572->28574 28573 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28575 325071 28573->28575 28574->28573 28576 325077 28574->28576 28575->28557 28577->28563 28578 1d4a90 28579 34ae60 28578->28579 28580 1d4ae0 RegOpenKeyExW 28579->28580 28581 1d4b57 RegQueryValueExW 28580->28581 28582 1d4b20 RegOpenKeyExW 28580->28582 28583 1d4b7b 28581->28583 28582->28581 28582->28583 28587 1da610 SimpleUString::operator= 2 API calls 28583->28587 28591 1d4c10 28583->28591 28584 1d4c41 RegOpenKeyExW 28585 1d4c9f 28584->28585 28586 1d4c7b RegQueryValueExW 28584->28586 28589 1d4d47 28585->28589 28593 1d4cde 28585->28593 28586->28585 28588 
1d4bd2 PathFileExistsW 28587->28588 28590 1d4bea 28588->28590 28588->28591 28592 1d4d64 RegOpenKeyExW 28589->28592 28590->28591 28594 1da610 SimpleUString::operator= 2 API calls 28590->28594 28591->28584 28595 1d4d9e RegQueryValueExW 28592->28595 28596 1d4dc2 28592->28596 28597 1da610 SimpleUString::operator= 2 API calls 28593->28597 28594->28591 28595->28596 28599 1d4e63 28596->28599 28604 1d4e01 28596->28604 28598 1d4cf5 PathFileExistsW 28597->28598 28600 1d4d0d 28598->28600 28601 1d4d33 28598->28601 28602 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28599->28602 28600->28601 28605 1da610 SimpleUString::operator= 2 API calls 28600->28605 28601->28589 28603 1d4e7d 28602->28603 28606 1da610 SimpleUString::operator= 2 API calls 28604->28606 28605->28601 28607 1d4e18 PathFileExistsW 28606->28607 28608 1d4e56 28607->28608 28609 1d4e30 28607->28609 28608->28599 28609->28608 28610 1da610 SimpleUString::operator= 2 API calls 28609->28610 28610->28608 28513 32ccf0 28514 32ccfe GetFileAttributesW 28513->28514 28515 32ccfc 28513->28515 28515->28514 28862 1d66c0 28863 34ae60 28862->28863 28864 1d6718 RegOpenKeyExW 28863->28864 28865 1d6746 RegQueryValueExW 28864->28865 28866 1d6775 28864->28866 28865->28866 28867 1d692e 28866->28867 28868 1da610 SimpleUString::operator= 2 API calls 28866->28868 28872 31a12e __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 2 API calls 28867->28872 28869 1d67d2 28868->28869 28870 1da610 SimpleUString::operator= 2 API calls 28869->28870 28871 1d6804 28870->28871 28873 1da610 SimpleUString::operator= 2 API calls 28871->28873 28874 1d695a 28872->28874 28875 1d6837 28873->28875 28877 1d68b5 28875->28877 28882 1da470 Concurrency::cancel_current_task __CxxThrowException __CxxThrowException _Yarn SimpleUString::operator= 28875->28882 28878 1d68cf PathFileExistsW 28877->28878 28879 1d68ee 28878->28879 28880 1d6914 28878->28880 28879->28880 28881 1da610 SimpleUString::operator= 2 API calls 28879->28881 28880->28867 28881->28880 28882->28875 

                  Executed Functions

                  APIs
                  • InternetCrackUrlW.WININET(?,?,00000000,0000003C), ref: 0032E3AA
                  • GetLastError.KERNEL32 ref: 0032E3B4
                  • InternetOpenW.WININET(003A8C5C,00000000,00000000,00000000,00000000), ref: 0032E40C
                  • InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0032E440
                  • HttpOpenRequestW.WININET(00000000,?,?,HTTP/1.0,00000000,00000000,800C8200,00000000), ref: 0032E589
                  • HttpAddRequestHeadersW.WININET(00000000,?,000000FF,A0000000), ref: 0032E659
                  • HttpAddRequestHeadersA.WININET(?,?,000000FF,20000000), ref: 0032E72A
                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000), ref: 0032E7AC
                  • InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 0032E7CE
                  • InternetSetOptionW.WININET(?,00000002,00003180,00000004), ref: 0032E7F2
                  • InternetSetOptionW.WININET(?,00000005,00003180,00000004), ref: 0032E800
                  • InternetSetOptionW.WININET(?,00000006,00003180,00000004), ref: 0032E80E
                  • InternetSetOptionW.WININET(?,00000007,00003180,00000004), ref: 0032E81C
                  • InternetSetOptionW.WININET(?,00000008,00003180,00000004), ref: 0032E82A
                  • InternetSetOptionW.WININET(?,0000000B,00003180,00000004), ref: 0032E838
                  • InternetSetOptionW.WININET(?,00000006,00003180,00000004), ref: 0032E846
                  • HttpSendRequestW.WININET(00000000,?,?,?,?), ref: 0032E86F
                  • GetLastError.KERNEL32(?,?,?), ref: 0032E87B
                  • InternetQueryOptionW.WININET(?,0000001F,?,00000004), ref: 0032E8A3
                  • InternetSetOptionW.WININET(?,0000001F,00000100,00000004), ref: 0032E8BF
                  • WaitForSingleObject.KERNEL32(?,00000000,?,?,?), ref: 0032E8DC
                  • HttpQueryInfoW.WININET(00000000,00000013,?,00000100,00000000), ref: 0032E932
                  • InternetOpenW.WININET(003A8C5C,00000000,00000000,00000000,00000000), ref: 0032E991
                  • InternetOpenUrlW.WININET(00000000,http://profile.se.360.cn/proxyerr.php,00000000,00000000,84000000,00000000), ref: 0032E9B2
                  • HttpQueryInfoW.WININET(00000000,00000013,?,00000100,00000000), ref: 0032E9F5
                  • GetDesktopWindow.USER32 ref: 0032EA26
                  • InternetErrorDlg.WININET(00000000), ref: 0032EA2D
                  • InternetCloseHandle.WININET(00000000), ref: 0032EA42
                  • InternetCloseHandle.WININET(00000000), ref: 0032EA57
                  • InternetCloseHandle.WININET(?), ref: 0032EA64
                  • InternetCloseHandle.WININET(?), ref: 0032EA6D
                  • InternetCloseHandle.WININET(?), ref: 0032EA84
                  • HttpQueryInfoW.WININET(00000000,00000005,?,00000100,00000000), ref: 0032EAB3
                  • GetLastError.KERNEL32 ref: 0032EAD4
                  • InternetReadFile.WININET(00000000,?,00002000,00000000), ref: 0032EBC4
                  • SetEvent.KERNEL32(?), ref: 0032EC13
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 0032EC24
                  • InternetCloseHandle.WININET(?), ref: 0032EC5F
                  • HttpQueryInfoA.WININET(00000000,80000016,?,?,00000000), ref: 0032ED04
                  • HttpQueryInfoA.WININET(00000000,00000016,?,00001000,00000000), ref: 0032ED5C
                  • GetLastError.KERNEL32 ref: 0032ED96
                  • InternetCloseHandle.WININET(?), ref: 0032EDD0
                  • InternetCloseHandle.WININET(?), ref: 0032EDDD
                  Strings
                  • Accept: */*User-Agent: %s, xrefs: 0032E5E9
                  • Accept: */*User-Agent: Mozilla / 5.0 (Windows NT 10.0; WOW64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 55.0.2883.87 Saf, xrefs: 0032E63C
                  • GET, xrefs: 0032E536
                  • HTTP/1.0, xrefs: 0032E578
                  • http://profile.se.360.cn/proxyerr.php, xrefs: 0032E9AC
                  • <, xrefs: 0032E366
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Internet$Option$Http$CloseHandle$Query$ErrorInfo$LastOpenRequest$HeadersObjectSingleWait$ConnectCrackDesktopEventFileReadSendWindow
                  • String ID: <$Accept: */*User-Agent: %s$Accept: */*User-Agent: Mozilla / 5.0 (Windows NT 10.0; WOW64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 55.0.2883.87 Saf$GET$HTTP/1.0$http://profile.se.360.cn/proxyerr.php
                  • API String ID: 1923508826-435462306
                  • Opcode ID: 4e48d90f06b85e663b24c39e9f2118b11cff6d71327f339181c5ecd2ce3cfaab
                  • Instruction ID: 462145c055045d690047fc7033f65aab54a0650e6cae80f667f0b4dbc2b0afa6
                  • Opcode Fuzzy Hash: 4e48d90f06b85e663b24c39e9f2118b11cff6d71327f339181c5ecd2ce3cfaab
                  • Instruction Fuzzy Hash: 7C62C4719002299BEB21DF25DC46BADB7FAFF44700F148295F509A7281DB72AE94CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\HYLite,003AB900,?,?,?), ref: 001E3F47
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,003A8F14,00000000,00000000), ref: 001E4151
                  • PathAppendW.SHLWAPI(?,003C816C,?,003A8F14,00000000,00000000), ref: 001E4172
                  • PathAppendW.SHLWAPI(?,003C80DC,?,003A8F14,00000000,00000000), ref: 001E4193
                  • PathAppendW.SHLWAPI(?,003C80F4,?,003A8F14,00000000,00000000), ref: 001E41B4
                  • PathAppendW.SHLWAPI(?,003C8124,?,003A8F14,00000000,00000000), ref: 001E41D5
                  • PathFileExistsW.SHLWAPI(?,?,003A8F14,00000000,00000000), ref: 001E41E2
                  • GetFileAttributesW.KERNEL32(?,?,003A8F14,00000000,00000000), ref: 001E41F3
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,003A8F14,00000000,00000000), ref: 001E4289
                  • PathAppendW.SHLWAPI(?,003C816C,?,?,?,?,003A8F14,00000000,00000000), ref: 001E42AA
                  • PathAppendW.SHLWAPI(?,003C80DC,?,?,?,?,003A8F14,00000000,00000000), ref: 001E42CB
                  • PathAppendW.SHLWAPI(?,003C80F4,?,?,?,?,003A8F14,00000000,00000000), ref: 001E42EC
                  • PathAppendW.SHLWAPI(?,003C8124,?,?,?,?,003A8F14,00000000,00000000), ref: 001E430D
                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,003A8F14,00000000,00000000), ref: 001E43AF
                  • PathAppendW.SHLWAPI(?,003C8184,?,003A8F14,00000000,00000000), ref: 001E43D0
                  • PathAppendW.SHLWAPI(?,003C819C,?,003A8F14,00000000,00000000), ref: 001E43F1
                  • PathAppendW.SHLWAPI(?,003C80DC,?,003A8F14,00000000,00000000), ref: 001E4412
                  • PathAppendW.SHLWAPI(?,003C80F4,?,003A8F14,00000000,00000000), ref: 001E4433
                  • PathAppendW.SHLWAPI(?,003C8124,?,003A8F14,00000000,00000000), ref: 001E4454
                  • PathFileExistsW.SHLWAPI(?,003A8F14,00000000), ref: 001E44F7
                  • GetFileAttributesW.KERNEL32(?), ref: 001E451A
                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 001E4534
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 001E454F
                  • FindFirstFileW.KERNEL32(*.*,?), ref: 001E4561
                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 001E467F
                  • SetCurrentDirectoryW.KERNEL32(?), ref: 001E4755
                  • lstrcpyW.KERNEL32(?,00000000), ref: 001E4AEE
                  • FindFirstFileW.KERNEL32(?,?), ref: 001E4B27
                  • lstrcmpW.KERNEL32(?,003A8CAC), ref: 001E4B4E
                  • lstrcmpW.KERNEL32(?,003A8CB0), ref: 001E4B64
                  • FindNextFileW.KERNEL32(?,?), ref: 001E4EEF
                  • PathFileExistsW.SHLWAPI(?,?,?,?,00000000,?,?), ref: 001E4FBE
                    • Part of subcall function 001DCC20: __Mtx_init_in_situ.LIBCPMT ref: 001DCC8D
                    • Part of subcall function 001DCC20: __Mtx_init_in_situ.LIBCPMT ref: 001DCC98
                    • Part of subcall function 001DCC20: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000), ref: 001DCD45
                    • Part of subcall function 001DCC20: PathAppendW.SHLWAPI(?,Osa,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD57
                    • Part of subcall function 001DCC20: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD6B
                    • Part of subcall function 001DCC20: GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD7C
                    • Part of subcall function 001DCC20: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD91
                    • Part of subcall function 0030B9A0: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?), ref: 0030BA18
                    • Part of subcall function 0030B9A0: PathAppendW.SHLWAPI(?,Sap), ref: 0030BA30
                    • Part of subcall function 0030B9A0: PathAppendW.SHLWAPI(?,003ACA00), ref: 0030BA3E
                    • Part of subcall function 0030B9A0: PathFileExistsW.SHLWAPI(?), ref: 0030BA4D
                    • Part of subcall function 0030B9A0: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?), ref: 0030BA77
                    • Part of subcall function 0030B9A0: PathAppendW.SHLWAPI(?,Sap), ref: 0030BA89
                    • Part of subcall function 0030B9A0: PathAppendW.SHLWAPI(?,003ACA00), ref: 0030BA97
                    • Part of subcall function 0030B9A0: PathFileExistsW.SHLWAPI(?), ref: 0030BAA0
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Path$Append$File$ExistsFolder$DirectoryFind$AttributesCurrent$FirstMtx_init_in_situNextlstrcmp$CreateValuelstrcpy
                  • String ID: *.*$Software\Microsoft\Windows\CurrentVersion\Uninstall\HYLite$exdi$exditc$exgb$exgbtc$exit$exittc$x
                  • API String ID: 4169263872-2749957429
                  • Opcode ID: 9111de1a186f51b130fdaff42df283b0b777848d76cc2817e60b2ca3949fa865
                  • Instruction ID: 5da2e9b8804a4fd3e7ddb2a74f7b3fec8e8dcc380297f9ee548d88a0e425f230
                  • Opcode Fuzzy Hash: 9111de1a186f51b130fdaff42df283b0b777848d76cc2817e60b2ca3949fa865
                  • Instruction Fuzzy Hash: E2030131A006A8DBDB29DB24CC45BDEB7B9AF16304F4481D9E04AA7681DB746FC4CF52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered as an image in the report; the node/edge list is not reproduced): function 00325460, basic blocks 00325460-003257D1, with calls to GetCurrentProcess, GetModuleHandleW, GetProcAddress, GetVersionExW, GetNativeSystemInfo and a second GetModuleHandleW/GetProcAddress lookup at block 00325767.
                  APIs
                  • GetCurrentProcess.KERNEL32(?,ios_base::failbit set,00000000), ref: 00325489
                  • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process), ref: 0032549B
                  • GetProcAddress.KERNEL32(00000000), ref: 003254A2
                  • GetVersionExW.KERNEL32(0000011C), ref: 00325509
                  • GetNativeSystemInfo.KERNEL32(?), ref: 003256BE
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: AddressCurrentHandleInfoModuleNativeProcProcessSystemVersion
                  • String ID: Check failed: false. $GetProductInfo$IsWow64Process$_Z2$c:\qt\givememoney\base\win\windows_version.cc$ios_base::failbit set$kernel32.dll$minor == 3
                  • API String ID: 1167739923-3154217376
                  • Opcode ID: f298d8931d7b06cc42208b44e84e820f6289cfebbc0cf9602513807a36545337
                  • Instruction ID: 68386894752a263d912d87c0bfa8ef2614064deae731bef2994c92f5d2e834b3
                  • Opcode Fuzzy Hash: f298d8931d7b06cc42208b44e84e820f6289cfebbc0cf9602513807a36545337
                  • Instruction Fuzzy Hash: EA91D170A41A28DFDB329F68EC457EAB7B8EB19300F51449AE546D7680DB34DF848F41
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,CB28B7D0), ref: 00327254
                  • DeviceIoControl.KERNEL32(00000000,0004D008,?,0000003C,?,0000022D,?,00000000), ref: 00327305
                  • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,CB28B7D0), ref: 0032746C
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ChangeCloseControlCreateDeviceFileFindNotification
                  • String ID: SCSIDISK$\\.\Scsi%d:
                  • API String ID: 1020254441-2176293039
                  • Opcode ID: ee73689df2cc464193f63f3968151bcaa261e2e64c2ae4d8f7cbaa7eccbbdea3
                  • Instruction ID: 00dbcd4d566cd4dd27df6be140ac4efd5a13c45e3f4a91e42b58b57ea827bfcf
                  • Opcode Fuzzy Hash: ee73689df2cc464193f63f3968151bcaa261e2e64c2ae4d8f7cbaa7eccbbdea3
                  • Instruction Fuzzy Hash: 3E71C630A002299AEB22DF24DC45B9977F8FF45704F1582D9E948E7181DB71AF84CF80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,CB28B7D0), ref: 00327050
                  • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00327099
                  • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,CB28B7D0), ref: 003270A4
                  • CloseHandle.KERNEL32(00000000,?,?,?,CB28B7D0), ref: 003271A6
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$ChangeControlCreateDeviceFileFindHandleNotification
                  • String ID: \\.\PhysicalDrive%d
                  • API String ID: 795878117-2935326385
                  • Opcode ID: 6c018854a85cbfb280894158cb94aa2b0be66be4cda4a682f943c93c23ac38a8
                  • Instruction ID: 2426d144a61abad7abd593edfd781039e8335d4a88d0e390125d70bf38764e63
                  • Opcode Fuzzy Hash: 6c018854a85cbfb280894158cb94aa2b0be66be4cda4a682f943c93c23ac38a8
                  • Instruction Fuzzy Hash: 0A510831D403689AEB21DF249C46BE97779FF95304F0143D5F50CAA182EB71ABE48B10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0032779D
                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 00327810
                  • FindCloseChangeNotification.KERNEL32(00000000,?,?,00002710), ref: 0032786B
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ChangeCloseControlCreateDeviceFileFindNotification
                  • String ID: \\.\PhysicalDrive%d
                  • API String ID: 1020254441-2935326385
                  • Opcode ID: 2c6e93a0071061f1813cf37bd69265c3869932710a5e9d30dcc23f325ac5f2c1
                  • Instruction ID: 4fe44763a0e2813b9d9af407434b90c18cc87625d4987cd286754ca68b01a6ec
                  • Opcode Fuzzy Hash: 2c6e93a0071061f1813cf37bd69265c3869932710a5e9d30dcc23f325ac5f2c1
                  • Instruction Fuzzy Hash: FF318571A4022CBAEB21DB64DC8AFAE77BCEB04701F5041A6B908EA1D0D7709F848F51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,?,0035E288,00000000,003B7EA8,0000000C,0035E3DF,00000000,00000002,00000000), ref: 0035E2D3
                  • TerminateProcess.KERNEL32(00000000,?,0035E288,00000000,003B7EA8,0000000C,0035E3DF,00000000,00000002,00000000), ref: 0035E2DA
                  • ExitProcess.KERNEL32 ref: 0035E2EC
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 43a3360331e8c36e593c4c4b70cd51b141fc9e530fa40141e5f17ee961fee3a5
                  • Instruction ID: a3c25e2ef11d7cfbaee47ad9d8209f64f2bf5efbb1bf05e54a4af46159dcb7cb
                  • Opcode Fuzzy Hash: 43a3360331e8c36e593c4c4b70cd51b141fc9e530fa40141e5f17ee961fee3a5
                  • Instruction Fuzzy Hash: 65E0B632010548ABCF176F64DE0AE997F6DEB44782F014815FD098B232CB36EE87CA95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ExistsFilePath
                  • String ID: %d%d%d%d%d%d%d%d
                  • API String ID: 1174141254-2312385079
                  • Opcode ID: c4bd98f4fb6eb5b6059125ca57fa9823b3c41b4af4a6821d8a4eda2046edd72e
                  • Instruction ID: 9ef6e38100af8606775bb59880ac2d004a17374803784865acb20fd63f858af9
                  • Opcode Fuzzy Hash: c4bd98f4fb6eb5b6059125ca57fa9823b3c41b4af4a6821d8a4eda2046edd72e
                  • Instruction Fuzzy Hash: 69B12270C123189EDB09DFA4C8A57EEFB78BF14314F5406AED8162B2D2DBB45A84CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered as an image in the report; the node/edge list is not reproduced): function 001F4B10, basic blocks 001F4B10-001F7342, with calls to EnumWindows, CoInitialize, SHGetValueW, GetModuleFileNameW, CreateMutexW, GetLastError, CreateEventW, SystemParametersInfoW, SHGetSpecialFolderPathW, LoadIconW, LoadCursorW, CreateSolidBrush, RegisterClassExW, GetDC, EnumDisplayMonitors, ReleaseDC, CreateWindowExW, GetWindowLongW, SetWindowLongW, SetLayeredWindowAttributes, SetWindowPos, ShowWindow, a GetMessageW/TranslateMessage/DispatchMessageW message loop, CoUninitialize, and a recursive call to 001F4B10.
                  APIs
                  • EnumWindows.USER32(0030CD60,?), ref: 001F4B6B
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: EnumWindows
                  • String ID: 7C3963A7-4322-449C-883D-532FED82A905$B0E87BF8-A8DC-4160-B331-54EBDD0DEE93$Control Panel\Desktop$DisplayIcon$SCRNSAVE.EXE$ScreenSaver$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Uninstall\HYLite$WSR$\HYLite\$\ScreenSaver\$data$srtime$status$usst$x
                  • API String ID: 1129996299-4100730688
                  • Opcode ID: ab72c7643593b7dd22e05b3dab67df5065172e791ae2b9dfba2224a612782f7f
                  • Instruction ID: 888655b89e441fdec6dac7e181f4655ce76a871c263b5f0990a0d417fae855c6
                  • Opcode Fuzzy Hash: ab72c7643593b7dd22e05b3dab67df5065172e791ae2b9dfba2224a612782f7f
                  • Instruction Fuzzy Hash: E452BF71A00228AFEB21DF64DC45FEEB7B9FB54300F10429AE509A7281DB756E85CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered as an image in the report; the node/edge list is not reproduced): function 001DCC20, basic blocks 001DCC20-001DD378, with calls to SHGetFolderPathW, PathAppendW, PathFileExistsW, GetFileAttributesW, SHCreateDirectoryExW, SHFileOperationW, SHGetValueW, and a recursive call to 001DCC20.
                  APIs
                  • __Mtx_init_in_situ.LIBCPMT ref: 001DCC8D
                    • Part of subcall function 0031C257: Concurrency::details::create_stl_critical_section.LIBCPMT ref: 0031C262
                  • __Mtx_init_in_situ.LIBCPMT ref: 001DCC98
                    • Part of subcall function 00325EB0: SHGetValueA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\HYJiang,mid,?,?,?,CB28B7D0), ref: 00325F34
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000), ref: 001DCD45
                  • PathAppendW.SHLWAPI(?,Osa,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD57
                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD6B
                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD7C
                  • SHCreateDirectoryExW.SHELL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD91
                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCD9E
                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCDAF
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?,?,?,?,?,?,?), ref: 001DCDDE
                  • PathAppendW.SHLWAPI(?,Osa,?,?,?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000), ref: 001DCDF0
                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCDFD
                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCE0E
                  • SHCreateDirectoryExW.SHELL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,003A8C5C), ref: 001DCE23
                  • PathAppendW.SHLWAPI(?,003A8F98,?,?,?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000), ref: 001DCE35
                  • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A8C5C), ref: 001DCE69
                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,003A8C5C,00000000,CB28B7D0), ref: 001DCE7A
                  • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001DCF20
                  • SHGetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\WSR,InstallDateOur,00000001,?,00000800,?,?,?,?,?,?,?,?,?,?), ref: 001DCFB7
                  • __Mtx_unlock.LIBCPMT ref: 001DD06D
                  • __Mtx_unlock.LIBCPMT ref: 001DD125
                    • Part of subcall function 001DDEE0: std::locale::_Init.LIBCPMT ref: 001DE066
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Mtx_unlock.LIBCPMT ref: 001DD1F2
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: FilePath$AttributesExists$AppendMtx_unlock$CreateDirectoryFolderMtx_init_in_situValue$Concurrency::details::create_stl_critical_sectionInitOperationmtx_do_lockstd::locale::_
                  • String ID: InstallDateOur$Osa$Software\Microsoft\Windows\CurrentVersion\WSR$x
                  • API String ID: 3892235256-380400929
                  • Opcode ID: 6efb807093b9d24cc0e870c960bc8dc6d6d3d83ebce47771e11eb854e26ec57a
                  • Instruction ID: de7e24275b974cc711237145e4e5760f15f720725f009037f1b557f5fe52786e
                  • Opcode Fuzzy Hash: 6efb807093b9d24cc0e870c960bc8dc6d6d3d83ebce47771e11eb854e26ec57a
                  • Instruction Fuzzy Hash: 4712F771940218ABDF25DBA4DC49BDEB7B9AF14300F0045DBE409AB281EB75AB85CF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (rendered as an image in the report; the node/edge list is not reproduced): function 00326250, basic blocks 00326250-0032653F, with calls to RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, CreateFileW, DeviceIoControl, FindCloseChangeNotification, lstrcmpA and RegCloseKey.
                  APIs
                  • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00000008,?,?,?,CB28B7D0), ref: 003262AD
                  • RegEnumKeyExW.KERNEL32 ref: 003262E2
                  • RegOpenKeyExW.KERNEL32(?,?,00000000,00000001,?,?,?,CB28B7D0), ref: 00326308
                  • RegQueryValueExW.KERNEL32(?,ServiceName,00000000,00000001,?,?,?,?,CB28B7D0), ref: 00326348
                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0032639B
                  • DeviceIoControl.KERNEL32(00000000,00170002,01010101,00000004,?,00000104,?,00000000), ref: 003263E5
                  • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,CB28B7D0), ref: 00326443
                  • lstrcmpA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,CB28B7D0), ref: 0032645E
                  • RegCloseKey.ADVAPI32(?,?,?,CB28B7D0), ref: 003264B6
                  • RegEnumKeyExW.KERNEL32 ref: 003264E4
                  • RegCloseKey.ADVAPI32(?,?,?,CB28B7D0), ref: 003264F4
                  Strings
                  • ServiceName, xrefs: 0032633D
                  • \\.\%s, xrefs: 0032636C
                  • %02X%02X%02X%02X%02X%02X, xrefs: 00326427
                  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 003262A3
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$EnumOpen$ChangeControlCreateDeviceFileFindNotificationQueryValuelstrcmp
                  • String ID: %02X%02X%02X%02X%02X%02X$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName$\\.\%s
                  • API String ID: 3304030313-836394687
                  • Opcode ID: a65233ac7f86ca38ed7bec127d5f8d025c5b3dc013352ce23f60063aab6dc2eb
                  • Instruction ID: 2588f368c3cb10e93c2d0df488fc311e9730880d24d18d8eb414205dcc436e47
                  • Opcode Fuzzy Hash: a65233ac7f86ca38ed7bec127d5f8d025c5b3dc013352ce23f60063aab6dc2eb
                  • Instruction Fuzzy Hash: EE818271944229ABEF22DB51DC42FEAB7BCEF04704F0541E6F948A7180DB75AE858F60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • SystemParametersInfoW.USER32 ref: 003070DD
                  • SystemParametersInfoW.USER32 ref: 00307102
                  • SystemParametersInfoW.USER32 ref: 0030712D
                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0030714F
                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0030715E
                  • SHGetValueW.SHLWAPI(80000001,Control Panel\Desktop,SCRNSAVE.EXE,00000001,?,0000020A,003A8C5C,00000000,00000010,?,?), ref: 0030729C
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,003079A0,?,003C7F5C,00000000,00000002,?,?,?,003C7F8C,?,00000000,?,?), ref: 0030798D
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: InfoParametersSystem$FolderPathSpecial$ObjectSingleValueWait
                  • String ID: Control Panel\Desktop$SCRNSAVE.EXE$\HYLite\$\ScreenSaver\$x
                  • API String ID: 500235438-538041694
                  • Opcode ID: 05c20ccefa894fff94060621d857511cbf6f6c98e6bea81422d6ee16a4a74b96
                  • Instruction ID: 91d06e64f829d3f6f69df2f09e5d13a98da8ea9d3de23141fdef69b1d839204c
                  • Opcode Fuzzy Hash: 05c20ccefa894fff94060621d857511cbf6f6c98e6bea81422d6ee16a4a74b96
                  • Instruction Fuzzy Hash: D952F271A122189BEB26DB24CC95BDEBB75AF45304F5041D8E409AB2C2DB71AFC4CF52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • RegOpenKeyExW.KERNEL32(80000002,003C837C,00000000,00020019,00000000), ref: 001D4B0A
                  • RegOpenKeyExW.ADVAPI32(80000001,003C837C,00000000,00020019,00000000), ref: 001D4B47
                  • RegQueryValueExW.KERNEL32(00000000,Path,00000000,00000000,?,?), ref: 001D4B79
                  • PathFileExistsW.SHLWAPI(00000000,00000000,-00000002), ref: 001D4BE0
                  • RegOpenKeyExW.KERNEL32(80000001,003C8394,00000000,00020019,00000000), ref: 001D4C6B
                  • RegQueryValueExW.ADVAPI32(00000000,InstallLocation,00000000,00000000,?,00000104), ref: 001D4C9D
                  • PathFileExistsW.SHLWAPI(00000000,00000000,-00000002), ref: 001D4D03
                  • RegOpenKeyExW.KERNEL32(80000001,003C83AC,00000000,00020019,00000000), ref: 001D4D8E
                  • RegQueryValueExW.ADVAPI32(00000000,InstallLocation,00000000,00000000,?,00000104), ref: 001D4DC0
                  • PathFileExistsW.SHLWAPI(00000000,00000000,-00000002), ref: 001D4E26
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Open$ExistsFilePathQueryValue
                  • String ID: InstallLocation$Path
                  • API String ID: 2114160250-647125406
                  • Opcode ID: 41712259d0e2230df153ac51626eea9dc0bf7798c11620c5ae43a8c4f320b149
                  • Instruction ID: d42ef534f7a6d69c5c467e7263cb8d36076bf38d68755c73c584a204edd651b1
                  • Opcode Fuzzy Hash: 41712259d0e2230df153ac51626eea9dc0bf7798c11620c5ae43a8c4f320b149
                  • Instruction Fuzzy Hash: E0A16C75A00218EBEB25DF54CD49FEAB7BAFB54704F400199E509A7280EB72AE94CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                  • RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                  • CloseHandle.KERNEL32(?,?,?), ref: 00330B0A
                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00330B1E
                  • RegOpenKeyExW.KERNEL32(CB28B7D0,00020019,00000000,00000026,?,?,?), ref: 00330B35
                  Strings
                  • Check failed: rootkey && subkey && access && disposition. , xrefs: 00330A32
                  • c:\qt\givememoney\base\win\registry.cc, xrefs: 00330A1F, 00330AC7, 00330B63
                  • Check failed: rootkey && subkey && access. , xrefs: 00330ADA
                  • Check failed: !subkey. , xrefs: 00330B76
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$Handle$CreateOpen
                  • String ID: Check failed: !subkey. $Check failed: rootkey && subkey && access && disposition. $Check failed: rootkey && subkey && access. $c:\qt\givememoney\base\win\registry.cc
                  • API String ID: 348691498-488730054
                  • Opcode ID: 7153a62e237a5763ccf6eac112d0095e3a14427936f02061515f03ac12466506
                  • Instruction ID: 33e1e19efa21e2ab83fc32201d4f29443dd42ed38b2115591b888934f38eb9da
                  • Opcode Fuzzy Hash: 7153a62e237a5763ccf6eac112d0095e3a14427936f02061515f03ac12466506
                  • Instruction Fuzzy Hash: 9951D335640304ABDB269F54ECD7F9AB7ACEF10711F05841AF94897282DB71D980CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?), ref: 0030BA18
                  • PathAppendW.SHLWAPI(?,Sap), ref: 0030BA30
                  • PathAppendW.SHLWAPI(?,003ACA00), ref: 0030BA3E
                  • PathFileExistsW.SHLWAPI(?), ref: 0030BA4D
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?), ref: 0030BA77
                  • PathAppendW.SHLWAPI(?,Sap), ref: 0030BA89
                  • PathAppendW.SHLWAPI(?,003ACA00), ref: 0030BA97
                  • PathFileExistsW.SHLWAPI(?), ref: 0030BAA0
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Path$Append$ExistsFileFolder
                  • String ID: Sap
                  • API String ID: 1976240064-3176686113
                  • Opcode ID: 7480d681d4340aab21c8219f1c7d6637bc3c47a4d7844ee5cd3c07f8af652965
                  • Instruction ID: 814fb5eda46b604ec4dd312283869bf67e7eb66a2240a05fa05b331c9235567e
                  • Opcode Fuzzy Hash: 7480d681d4340aab21c8219f1c7d6637bc3c47a4d7844ee5cd3c07f8af652965
                  • Instruction Fuzzy Hash: 37D1D071A11218ABDB2ADB24DC99BEDB7BDAB04304F0441D9E109AB2D1DB74ABC4CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 00325851
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0032586C
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0032588C
                  • std::_Facet_Register.LIBCPMT ref: 0032591D
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00325935
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 459529453-1866435925
                  • Opcode ID: ac347cb92d22d276925b1b72e14da4850ab4b01f7d1616fce7478e54f0ba8b2a
                  • Instruction ID: 54a70db00ea5c4cb3f1262d9bd95cc9e400680bc01680579181dd45a4f509350
                  • Opcode Fuzzy Hash: ac347cb92d22d276925b1b72e14da4850ab4b01f7d1616fce7478e54f0ba8b2a
                  • Instruction Fuzzy Hash: C271EF35A00614DFCB16DF58D885FAAB7F5BF58310F168069E8469B362DB30EE80CB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 001DC88D
                    • Part of subcall function 0034ADEF: RaiseException.KERNEL32(?,?,0031B3D9,?,?,?,00000000,?,?,?,?,0031B3D9,?,003B7370,6F8373B0,?), ref: 0034AE4F
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 001DC8D2
                  • std::locale::_Init.LIBCPMT ref: 001DC971
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Exception@8Throw$ExceptionInitRaisestd::locale::_
                  • String ID: V2$V2$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 687216407-348020702
                  • Opcode ID: 6a61be404e7d82157e58c7721f82106cf42e6826a7c34fb4031c24712a65a6a1
                  • Instruction ID: ff6393b376d8288407b170ddf8486be10e2c92a5ddfd37936a6ad8f17671c4b9
                  • Opcode Fuzzy Hash: 6a61be404e7d82157e58c7721f82106cf42e6826a7c34fb4031c24712a65a6a1
                  • Instruction Fuzzy Hash: 2D3135B1900B05BBE315DF64D806B96B7E4FB05714F044B2AF9148BBC0EBBAA554CBC1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2eb195640557882392590365550798888ffa8c10105b7e3f1177b8458321a34f
                  • Instruction ID: c11205898f500833a17d715426978c8cf0dae25362cd3d0aaa81fe27a4ece0b8
                  • Opcode Fuzzy Hash: 2eb195640557882392590365550798888ffa8c10105b7e3f1177b8458321a34f
                  • Instruction Fuzzy Hash: 38C1D270E08349AFDB13DFA8C852FADBBB4BF09314F558588E810AB396C7359945CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Graph data omitted; basic blocks 3723dc-372704, with calls to GetFileType, GetLastError, __dosmaperr and CloseHandle
                  APIs
                    • Part of subcall function 0037211B: CreateFileW.KERNEL32(00000000,00000000,?,00372485,?,?,00000000,?,00372485,00000000,0000000C), ref: 00372138
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003724F0
                  • __dosmaperr.LIBCMT ref: 003724F7
                  • GetFileType.KERNEL32(00000000), ref: 00372503
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037250D
                  • __dosmaperr.LIBCMT ref: 00372516
                  • CloseHandle.KERNEL32(00000000), ref: 00372536
                  • CloseHandle.KERNEL32(0032CC93), ref: 00372680
                  • GetLastError.KERNEL32 ref: 003726B2
                  • __dosmaperr.LIBCMT ref: 003726B9
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID:
                  • API String ID: 4237864984-0
                  • Opcode ID: 62301aaf906264be3609c784df82feb52f101235e9e9a3a1416b5ab7df7d2772
                  • Instruction ID: 71e33f9ff304c462c96dea5539fbf4423cd51f3965f19f163856eeea29fc351c
                  • Opcode Fuzzy Hash: 62301aaf906264be3609c784df82feb52f101235e9e9a3a1416b5ab7df7d2772
                  • Instruction Fuzzy Hash: 98A15732A142449FCF2ADF78DC92BAE7BA4EB06320F148159F805DF291CB359912DB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Graph data omitted; basic blocks 1de710-1df3a0, with a call to SHGetValueW
                  APIs
                    • Part of subcall function 003288E0: SHGetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\WSR,NString,00000001,?,00000800), ref: 00328945
                  • SHGetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\WSR,InstallDateOur,00000001,?,00000800,?,?,?,?,?,00000000), ref: 001DE894
                  Similarity
                  • API ID: Value
                  • String ID: 999$InstallDateOur$Software\Microsoft\Windows\CurrentVersion\WSR$f=g51&$info${"n":"%s","uid":"%s","v":"%s","ct":"%s","t":"%s"}
                  • API String ID: 3702945584-2899581116
                  • Opcode ID: fefd9cf48799a97828d7ec5c480d2ccea6cbc88187d5bbe5e1c3afda006a18cd
                  • Instruction ID: b945d9e5f99143b287ff3e80f5940538be55cc20fb32df58345ec992416b5c79
                  • Opcode Fuzzy Hash: fefd9cf48799a97828d7ec5c480d2ccea6cbc88187d5bbe5e1c3afda006a18cd
                  • Instruction Fuzzy Hash: 1C62C1719002589BEB29DB68CC98BDDBBB5AF45304F2046D9E009BB382DB755BC4CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Graph data omitted; basic blocks 30b530-30b999, with calls to SHGetValueW, GetModuleHandleW, GetProcAddress and GetNativeSystemInfo
                  APIs
                  • SHGetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\HYLite,003AB900,00000004,00000002,?,003A8F14,00000000), ref: 0030B68F
                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,003AC9E8,003AC9EC,00000000,003AC9E8,00000000,00000000), ref: 0030B91D
                  • GetProcAddress.KERNEL32(00000000), ref: 0030B924
                  • GetNativeSystemInfo.KERNEL32(?), ref: 0030B932
                  Strings
                  • kernel32.dll, xrefs: 0030B90D
                  • GetNativeSystemInfo, xrefs: 0030B908
                  • Software\Microsoft\Windows\CurrentVersion\Uninstall\HYLite, xrefs: 0030B685
                  Similarity
                  • API ID: AddressHandleInfoModuleNativeProcSystemValue
                  • String ID: GetNativeSystemInfo$Software\Microsoft\Windows\CurrentVersion\Uninstall\HYLite$kernel32.dll
                  • API String ID: 2162404873-2829805921
                  • Opcode ID: edf341d425e9cb0cebe7c292ad03f0b33ee1760fa300dd5b943d768af00eb6bd
                  • Instruction ID: 3ab41910bbc671425c88ac6cef9ab19c8de9391109d80d7f52dc34309d1b123c
                  • Opcode Fuzzy Hash: edf341d425e9cb0cebe7c292ad03f0b33ee1760fa300dd5b943d768af00eb6bd
                  • Instruction Fuzzy Hash: A2C14270E012489BDF16DBA8CC5ABAEFBBAEF50304F10411DE405AB3C2CB789A45CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,CB28B7D0,?,00000000), ref: 003068B7
                  Similarity
                  • API ID: FolderPath
                  • String ID: Control Panel\Desktop$SCRNSAVE.EXE$ScreenSaver
                  • API String ID: 1514166925-345978226
                  • Opcode ID: 066c55d57342022ced7a411d8b3203c81663abb5f7a9b6b93826721e99d1f0bd
                  • Instruction ID: 1655940277ae59608d68fc11a75f5332fa858db9890ab4c40c6ec551c0209f30
                  • Opcode Fuzzy Hash: 066c55d57342022ced7a411d8b3203c81663abb5f7a9b6b93826721e99d1f0bd
                  • Instruction Fuzzy Hash: 4071B271950218EADB25EB64CC9ABEDB7B8FF15300F4041E9E40AA7291DB746F88CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,CB28B7D0,?), ref: 003088A9
                  • SHCreateDirectoryExW.SHELL32(00000000,?,00000000,\ScreenSaver\,0000000D,?,?), ref: 00308929
                  • GetPrivateProfileStringW.KERNEL32 ref: 0030898E
                  Similarity
                  • API ID: CreateDirectoryFolderPathPrivateProfileSpecialString
                  • String ID: %General$SSCI$\ScreenSaver\
                  • API String ID: 2200349855-591173976
                  • Opcode ID: 92c2129e3640b8e40209124f1b804888647da0731bd5339059ffd73d27ac12b9
                  • Instruction ID: ff10814d6eeda633d723ef8c5efe8fb2a164f3ca2d8934276a64c04a6b7e3629
                  • Opcode Fuzzy Hash: 92c2129e3640b8e40209124f1b804888647da0731bd5339059ffd73d27ac12b9
                  • Instruction Fuzzy Hash: 75519171911218DBDB24DF54CC89BEAB7B4EF48704F4002DAE809AB290EB746F84CF55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • PowerGetActiveScheme.POWRPROF(00000000,?,75253BB0), ref: 0030D0E6
                  • PowerReadACValueIndex.POWRPROF(00000000,?,?,?,00000000), ref: 0030D11A
                  • PowerReadDCValueIndex.POWRPROF(00000000,?,?,?,?), ref: 0030D14C
                  • PowerReadACValueIndex.POWRPROF(00000000,?,?,?,?), ref: 0030D19B
                  • PowerReadDCValueIndex.POWRPROF(00000000,?,?,?,?), ref: 0030D1DA
                  • LocalFree.KERNEL32(?), ref: 0030D20B
                  Similarity
                  • API ID: Power$IndexReadValue$ActiveFreeLocalScheme
                  • String ID:
                  • API String ID: 3907021037-0
                  • Opcode ID: 59fc48f7c4cddc7a56b3dc919ea8cb2f54ae2f4bfdaf8ec739248389b7d1212f
                  • Instruction ID: 405acb455fe24c87f616fbcd42c59ddd5bad1c23436c6077721aea5b79857206
                  • Opcode Fuzzy Hash: 59fc48f7c4cddc7a56b3dc919ea8cb2f54ae2f4bfdaf8ec739248389b7d1212f
                  • Instruction Fuzzy Hash: CF220671E012088BDB1ACFA8CD547EEFBB5AF55304F108259E415AB3D2EB74AA84CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 003129B8
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID: FilterWithBufferedInput$FilterWithBufferedInput: invalid buffer size
                  • API String ID: 2005118841-1200219513
                  • Opcode ID: 411e32073d3aac7139a713e08144757c4fd490af332150cc1af5a1f31ce8ea5b
                  • Instruction ID: 3212c66b0e9499cd0205a08dc52606d9361208f77166d4ecdd79a1846e27bb36
                  • Opcode Fuzzy Hash: 411e32073d3aac7139a713e08144757c4fd490af332150cc1af5a1f31ce8ea5b
                  • Instruction Fuzzy Hash: DE124B71A006089FCB2ADFA8D984ADFBBF6FF48300F14462DE546A7A40D770B955CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\WSR,NString,00000001,?,00000800), ref: 00328945
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 003289E2
                  • SHSetValueW.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\WSR,NString,00000001,?,00000000,?,00000003,?,?), ref: 00328B71
                  Similarity
                  • API ID: Value$FileModuleName
                  • String ID: NString$Software\Microsoft\Windows\CurrentVersion\WSR
                  • API String ID: 121066068-1594225538
                  • Opcode ID: b45fc834873705875602008681d88e64116674ed8a99ed4e1202f085ca121468
                  • Instruction ID: 26643ecae05b15c0a1ff130aea278d7330debedb3aad291735764b5b3fc6375f
                  • Opcode Fuzzy Hash: b45fc834873705875602008681d88e64116674ed8a99ed4e1202f085ca121468
                  • Instruction Fuzzy Hash: 48818371B103289ADB25DF24DC55BDDB3B8AF19304F4045EAE40AA7641EB746F84CF92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegOpenKeyExW.KERNEL32(80000001,003C8A0C,00000000,00020019,00000000,00000000,76564830), ref: 001D7C33
                  • RegQueryValueExW.KERNEL32(00000000,Progid,00000000,00000000,?,?), ref: 001D7C65
                  • RegOpenKeyExW.ADVAPI32(80000000,003C8A24,00000000,00020019,00000000,00000000,76564830), ref: 001D7D94
                  • RegQueryValueExW.ADVAPI32(00000000,003A8C5C,00000000,00000000,?,?), ref: 001D7DC6
                  Similarity
                  • API ID: OpenQueryValue
                  • String ID: Progid
                  • API String ID: 4153817207-3999487396
                  • Opcode ID: 7def55fd1c272de358b756d8ea3630867f631154ebea8bf307e387e793e90054
                  • Instruction ID: 32e1f787b04a75186d4d6f6f2bd9d2e9a9efd8d46443f7841af44b53a0fb3ac9
                  • Opcode Fuzzy Hash: 7def55fd1c272de358b756d8ea3630867f631154ebea8bf307e387e793e90054
                  • Instruction Fuzzy Hash: 4E71C275A41218ABDB25DF54DC89BE9B3B5EF14300F5042DAE80AAA2D0EB706FC5CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetValueA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\HYJiang,mid,?,?,?,CB28B7D0), ref: 00325F34
                  Similarity
                  • API ID: Value
                  • String ID: $Mid2Failed$Software\Microsoft\Windows\CurrentVersion\Uninstall\HYJiang$mid
                  • API String ID: 3702945584-1066741863
                  • Opcode ID: e4cde3b0ad37d688fcaa75aa1ccada901ff21b1370f806fd12031976c1dd3e14
                  • Instruction ID: 68f8989b85fdbe867d5579393f7b5fedbd951b2e6e80de7f039f672603ccc234
                  • Opcode Fuzzy Hash: e4cde3b0ad37d688fcaa75aa1ccada901ff21b1370f806fd12031976c1dd3e14
                  • Instruction Fuzzy Hash: E251BB71D04328AAEF22DA60ED46FEE77AD9F15704F4500A9F908DB182F771DA84C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileVersionInfoSizeW.VERSION(?,?,?,?,?,00328DAC,?,?,?,?), ref: 0033B779
                  • GetFileVersionInfoW.VERSION(?,?,00000000,00000000,?,?,00328DAC,?,?,?,?), ref: 0033B7A3
                  • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,00000000,?,?,?,00000000,00000000,?,?,00328DAC), ref: 0033B7C5
                  • VerQueryValueW.VERSION(?,003A8C58,00000010,00328DAC,00000000,?,?,00328DAC), ref: 0033B82F
                  Strings
                  • \VarFileInfo\Translation, xrefs: 0033B7BF
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: FileInfoQueryValueVersion$Size
                  • String ID: \VarFileInfo\Translation
                  • API String ID: 2099394744-675650646
                  • Opcode ID: 3ec09b6015df12ee39a87c3ebd4e1cfcf3b400c6ab20515e5c6d04495fa87ffb
                  • Instruction ID: e0bf3e1b8ec4c7ac8dcc3985c96a35684b3d9ffc16dd108cdf44c7277ddc3fc4
                  • Opcode Fuzzy Hash: 3ec09b6015df12ee39a87c3ebd4e1cfcf3b400c6ab20515e5c6d04495fa87ffb
                  • Instruction Fuzzy Hash: 5D21F272600604ABCB229E58DC81AABF3ECEF44751F14453EFE489A211E775E944C7E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetEvent.KERNEL32(?), ref: 0032D9D4
                  • WaitForSingleObject.KERNEL32(00000000,000001F4), ref: 0032D9EA
                  • SuspendThread.KERNEL32(00000000), ref: 0032DA03
                  • TerminateThread.KERNEL32(00000000,000000F6), ref: 0032DA0E
                  • CloseHandle.KERNEL32(00000000), ref: 0032DA17
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Thread$CloseEventHandleObjectSingleSuspendTerminateWait
                  • String ID:
                  • API String ID: 1454233156-0
                  • Opcode ID: 89fefeefb9b65efc0a05bbd7728e657eb65a1b6734c353ef065083b267b8969d
                  • Instruction ID: fa5628db05e3ab419e30a5005dbf6606e1d654182ef66a8cdfe87907b6c60e1c
                  • Opcode Fuzzy Hash: 89fefeefb9b65efc0a05bbd7728e657eb65a1b6734c353ef065083b267b8969d
                  • Instruction Fuzzy Hash: 6851CE71510B109FD32A9F28DC99B5BBBE5FF44314F14492DE1968BAA1D7B1F884CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E54,00020119,CB28B7D0,?), ref: 0030A93B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion$T~<
                  • API String ID: 2291167148-77127634
                  • Opcode ID: 7a4a99b6d1a51fca3924ac46b921869af2a9af60eb0f23c330e73f670a08af6b
                  • Instruction ID: 5ea7912557376088275e5ff7211703c2c323b28bb73acd5570805d336f927380
                  • Opcode Fuzzy Hash: 7a4a99b6d1a51fca3924ac46b921869af2a9af60eb0f23c330e73f670a08af6b
                  • Instruction Fuzzy Hash: 53515D71D1120CEEDB15DFA4D955BEEBBB8FF14304F60422AE411A7290EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E24,00020119,CB28B7D0,?), ref: 0030A17B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: $~<$DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-2576702453
                  • Opcode ID: b28cef501c61392d92f8323801fc0c37faef12a7ecbc372c604c824be9851f11
                  • Instruction ID: 5eba21fb78f610375fefbd7425d5149ba30f9cc8fd93bdb21f2894184765b2f8
                  • Opcode Fuzzy Hash: b28cef501c61392d92f8323801fc0c37faef12a7ecbc372c604c824be9851f11
                  • Instruction Fuzzy Hash: 98516E70D15208EFDB15DFA4E995BEEFBB8FF14304F60422AE411A7280EB746A44CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E6C,00020019,CB28B7D0,?), ref: 0030AB2B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion$l~<
                  • API String ID: 2291167148-786459642
                  • Opcode ID: 4373ac67e19654c3ef963a6590704da7601a57f39ca50f42d6c4aa3d6ccbf92b
                  • Instruction ID: 8d8c642bf102dccc2c58586d4f480354671c6e1e26bdebfbbc829e7fd59a311a
                  • Opcode Fuzzy Hash: 4373ac67e19654c3ef963a6590704da7601a57f39ca50f42d6c4aa3d6ccbf92b
                  • Instruction Fuzzy Hash: 12516E70D15208EFDB15DFA4E995BEEFBB9FF14304F50422AE411A3290EB746A44CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E3C,00020019,CB28B7D0,?), ref: 0030A36B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: <~<$DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3507452406
                  • Opcode ID: 00f07bb5ae5ad30c5c621c5ade69b971418ffb18ec38b39deb43770c8ab03863
                  • Instruction ID: 897e05310145cc79d80aef5abb95cc22a42ec1e5aa62f6ae38d9c75238bc5235
                  • Opcode Fuzzy Hash: 00f07bb5ae5ad30c5c621c5ade69b971418ffb18ec38b39deb43770c8ab03863
                  • Instruction Fuzzy Hash: 36516D70D15208EFDB15DFA4D955BEEFBB8FF14304F50422AE411A3291EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E6C,00020119,CB28B7D0,?), ref: 0030AD1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion$l~<
                  • API String ID: 2291167148-786459642
                  • Opcode ID: 53dc6d95232874b1276b68c265ec7f139ef31c3aa46cc15d0139f25609347b07
                  • Instruction ID: 15ba6acdee828fdcd4a115220b0ff8fe86566ba9f5f50162a0fcb006ef56a780
                  • Opcode Fuzzy Hash: 53dc6d95232874b1276b68c265ec7f139ef31c3aa46cc15d0139f25609347b07
                  • Instruction Fuzzy Hash: 42517C70D11208EFDB15DFA4D951BEEFBB8FF18304F60422AE411A3290EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E3C,00020119,CB28B7D0,?), ref: 0030A55B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: <~<$DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3507452406
                  • Opcode ID: 3b67a0ad8d44d2a0ada402c60a25ddcb4a409c7a2001b116808b8d0fa193d1e9
                  • Instruction ID: 1198e81c4cf0b1e4bfb5d7a078dd2581d6ebcb231ac19c39a93c28e42da480a5
                  • Opcode Fuzzy Hash: 3b67a0ad8d44d2a0ada402c60a25ddcb4a409c7a2001b116808b8d0fa193d1e9
                  • Instruction Fuzzy Hash: 86518D70D11208EFCB15DFA4D951BEEFBB9FF14304F60422AE411A3291EB74AA48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E54,00020019,CB28B7D0,?), ref: 0030A74B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion$T~<
                  • API String ID: 2291167148-77127634
                  • Opcode ID: 21c38568f02909252a6be735aef882021b70aa057d82f78bf85d3d8c43c8a333
                  • Instruction ID: 12a5868f3de3435c50374c5e0eb2dbd26a59bc506d9d255aa899c4eac2553928
                  • Opcode Fuzzy Hash: 21c38568f02909252a6be735aef882021b70aa057d82f78bf85d3d8c43c8a333
                  • Instruction Fuzzy Hash: 3C518D71D11208EFDB15DFA4D995BEEFBB8FF14704F60422AE411A7280EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E24,00020019,CB28B7D0,?), ref: 00309F8B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: $~<$DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-2576702453
                  • Opcode ID: d962b21f51dfc7f4da68b978ef457f4d45d8b40ba0011a7ef9630dc6e72a45a0
                  • Instruction ID: d7594d4fac54e7e1c1487033001ade5299527f58b9339a603029321fa8e97e0b
                  • Opcode Fuzzy Hash: d962b21f51dfc7f4da68b978ef457f4d45d8b40ba0011a7ef9630dc6e72a45a0
                  • Instruction Fuzzy Hash: 6E518E70D11208EFDB15DFA4D991BEEFBB8FF14304F60422AE415A3281EB746A44CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00320A60: std::locale::_Init.LIBCPMT ref: 00320AB8
                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00322EAF
                  Strings
                  • ins_res.first->second != in_value, xrefs: 00322DF7
                  • c:\qt\givememoney\base\values.cc, xrefs: 00322EC3
                  • vs. , xrefs: 00322DE4
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: InitIos_base_dtorstd::ios_base::_std::locale::_
                  • String ID: vs. $c:\qt\givememoney\base\values.cc$ins_res.first->second != in_value
                  • API String ID: 3469404174-1771313022
                  • Opcode ID: ade1710f3548e5f057b10c28c461a59f52512c00204f855b8ec26103284eb634
                  • Instruction ID: 42bfdbdc3a95ff7885f2a5cff690a3acfddc5e8d2d2f732bf868bb1e9f9607de
                  • Opcode Fuzzy Hash: ade1710f3548e5f057b10c28c461a59f52512c00204f855b8ec26103284eb634
                  • Instruction Fuzzy Hash: 63519275A00318AFDB16EF64DC86FDAB7B4BF09300F0545ADE409AB292DB70E984CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00313951
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID: 4K9$InputBuffer$StringStore: missing InputBuffer argument
                  • API String ID: 2005118841-374151919
                  • Opcode ID: 638cf6bdebea54bde1cb5bb7fdb07c552322dc67547b1dfabf2e73c88e8dd15d
                  • Instruction ID: e4f421f8f7ca1b608ea516b23e6ca2500179e81fff05ba00417ce6d2ddfb147c
                  • Opcode Fuzzy Hash: 638cf6bdebea54bde1cb5bb7fdb07c552322dc67547b1dfabf2e73c88e8dd15d
                  • Instruction Fuzzy Hash: 6E415075A00608EBCB05DFA4D891BDEBBF5FF49310F14826AE405AB241DB71AA44CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Cnd_signal.LIBCPMT ref: 00306D46
                  • __Mtx_unlock.LIBCPMT ref: 00306D5E
                  • SystemParametersInfoW.USER32 ref: 00306D7E
                  • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00306D84
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Cnd_do_broadcast_at_thread_exitCnd_signalInfoMtx_unlockParametersSystemmtx_do_lock
                  • String ID:
                  • API String ID: 1329664465-0
                  • Opcode ID: 52b09fd5068b3f3d4f10687ab3e47f4cbf9e4b56fed92ff3d1154c1e8a5f6e0e
                  • Instruction ID: 3e7857b1006f9c87f82d3912bda872bb0c5820ab0bb3bc9d8cb79dc4b4793a48
                  • Opcode Fuzzy Hash: 52b09fd5068b3f3d4f10687ab3e47f4cbf9e4b56fed92ff3d1154c1e8a5f6e0e
                  • Instruction Fuzzy Hash: 1F110AB2D00604BBDB166F61DC02B86F7A8FF09310F044935F81996761E776E560CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7DF4,00020119,CB28B7D0,?), ref: 003099AB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: 86758105bd565efe5a770ccbce901b0194b7fcf42327569f9b8e007237e8d7c4
                  • Instruction ID: 1bac4946224920fb5ebb220ade489464d882c2efa03c397fd1e656ce7aeecb97
                  • Opcode Fuzzy Hash: 86758105bd565efe5a770ccbce901b0194b7fcf42327569f9b8e007237e8d7c4
                  • Instruction Fuzzy Hash: 51515C70D11208EEDB15DFA8D955BEEFBB8FF14304F60422EE411A3281EB746A44CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E0C,00020019,CB28B7D0,?), ref: 00309B9B
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: 5c156917a369ab072917af2b8ab094af456182dde8cb46b27cd27de8cccae497
                  • Instruction ID: 0635bc4cbb795a2932952c037e6cfacfe67c2b2bfcc236fc626cf0e9a14e03f7
                  • Opcode Fuzzy Hash: 5c156917a369ab072917af2b8ab094af456182dde8cb46b27cd27de8cccae497
                  • Instruction Fuzzy Hash: 35517D70D11208EFDB15DFA4D855BEEFBB8FF18304F60422AE411A3291EB746A44CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7DDC,00020019,CB28B7D0,?), ref: 003093DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: 04d3434c556c2b89418cb2a6a129d934214d4d153d27dcab65829225461eeb64
                  • Instruction ID: 42f5b103d0c9d4e82b45ebf294aab2afe98f71d60f2adbcd1f39cdd3dc179eba
                  • Opcode Fuzzy Hash: 04d3434c556c2b89418cb2a6a129d934214d4d153d27dcab65829225461eeb64
                  • Instruction Fuzzy Hash: 85518E70D11208EFDB15DFA4D855BEEFBB9FF14304F50422AE415A3281EB746A44CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E0C,00020119,CB28B7D0,?), ref: 00309D8B
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: f81d4bdfddbb1d1f06c6046630ec5524d6297ccdedbbe96ad10570b28154e5a7
                  • Instruction ID: 659c91d1f5e57629a3251fd7ddf8c9edfc3716800611ca7444256becb55d9dfc
                  • Opcode Fuzzy Hash: f81d4bdfddbb1d1f06c6046630ec5524d6297ccdedbbe96ad10570b28154e5a7
                  • Instruction Fuzzy Hash: 5B518D70D11208EFCB15DFA4D891BEEFBB8FF14304F60422AE411A3291EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7DDC,00020119,CB28B7D0,?), ref: 003095CB
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: 7078b580204a5446d64d14c8c0f7600ae0276a721d74b6fb24730ce67eca159f
                  • Instruction ID: ea2b043c3207cc82b503fe9cac0fee4115c3ddebe1a339852762e1e6554d22e9
                  • Opcode Fuzzy Hash: 7078b580204a5446d64d14c8c0f7600ae0276a721d74b6fb24730ce67eca159f
                  • Instruction Fuzzy Hash: 78516D70D11208EFDB15DFA4D955BEEFBB8FF18304F60422AE415A3281EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E84,00020019,CB28B7D0,?), ref: 0030AF0B
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: 040c6ec42d5292eff5b69736880b73643e6661720ff0e4d7c4799965e1911c1f
                  • Instruction ID: ab9da2f7185753f82aabe3dcd0ba5055b54a01bd7a383ba08b02e92238493e3e
                  • Opcode Fuzzy Hash: 040c6ec42d5292eff5b69736880b73643e6661720ff0e4d7c4799965e1911c1f
                  • Instruction Fuzzy Hash: 09516D71D11208EFDB15DFA4D995BEEFBB8FF14304F60422AE411A3290EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7DF4,00020019,CB28B7D0,?), ref: 003097BB
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: 166a748ef797f389360180b5de63ad0161effb0ad60fbe5c45b354aa5e51baaf
                  • Instruction ID: c8842428eb43d7bdcd22bdd6817b020a8a4b58695c007c6beaf40b1dc7466698
                  • Opcode Fuzzy Hash: 166a748ef797f389360180b5de63ad0161effb0ad60fbe5c45b354aa5e51baaf
                  • Instruction Fuzzy Hash: 43516C71D11208EFDB15DFA4D995BEEFBB8FF14304F60422AE411A7281EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003309D0: CloseHandle.KERNEL32(?,?,?), ref: 00330A62
                    • Part of subcall function 003309D0: RegCloseKey.ADVAPI32(?,?,?), ref: 00330A76
                    • Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97
                    • Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98
                  • PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E84,00020119,CB28B7D0,?), ref: 0030B0FB
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Close$CreateExistsFileHandlePathQueryValue
                  • String ID: DisplayIcon$DisplayVersion
                  • API String ID: 2291167148-3291662071
                  • Opcode ID: 235b0ab63f0dbb48384613c3ffd2ace88f99a8c7d7dbbf93759475b8e943aaa8
                  • Instruction ID: 9126908dd76cf5e35a0c52d90d10b1faa087fa079abd2bf0ce9623d3d03227a8
                  • Opcode Fuzzy Hash: 235b0ab63f0dbb48384613c3ffd2ace88f99a8c7d7dbbf93759475b8e943aaa8
                  • Instruction Fuzzy Hash: 53518D70D11208EFDB15DFA4D951BEEFBB8FF14304F60422AE421A3290EB746A48CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindCloseChangeNotification.KERNEL32(?,?,?,?,?), ref: 0032C61E
                    • Part of subcall function 00335FC0: GetLastError.KERNEL32(00000002,00000001,00000000,ios_base::failbit set,0000FFFD,?,ios_base::failbit set,00000000,8BBC7CCF,0032D179,?,?,?,?,?,0033E9A5), ref: 00335FEB
                    • Part of subcall function 003361B0: OutputDebugStringA.KERNEL32(?,?,?), ref: 0033628D
                    • Part of subcall function 003361B0: WaitForSingleObject.KERNEL32(000000FF,?,?), ref: 003362FE
                  Strings
                  • Check failed: false. , xrefs: 0032C642
                  • c:\qt\givememoney\base\win\scoped_handle.h, xrefs: 0032C62F
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ChangeCloseDebugErrorFindLastNotificationObjectOutputSingleStringWait
                  • String ID: Check failed: false. $c:\qt\givememoney\base\win\scoped_handle.h
                  • API String ID: 2870833451-3059587803
                  • Opcode ID: 80d6e87bdb9452d939d2edac5b597116cb451a3dad1f1d679b83001c71000d9c
                  • Instruction ID: 64c666f65fa359d9030ff9f3c98356043f624be4d915f00bb5ffda7d09e98186
                  • Opcode Fuzzy Hash: 80d6e87bdb9452d939d2edac5b597116cb451a3dad1f1d679b83001c71000d9c
                  • Instruction Fuzzy Hash: E1F02B7090021067DB32BF28FC43F9A779C9F10715F140A69F848D61D2EF715D6086D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,00000000), ref: 001D6736
                  • RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,?,?), ref: 001D676F
                  • PathFileExistsW.SHLWAPI(?,00000000,00000000,-00000002), ref: 001D68E4
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ExistsFileOpenPathQueryValue
                  • String ID:
                  • API String ID: 1170695514-0
                  • Opcode ID: 24f56614ed29b4981b59d57abe033d9c36d910e8e8c9aa089fba93e762f3119f
                  • Instruction ID: 778dc51cf2247fd5acdf0ed92a0590bf222c9e854b5b804ff3a882eb6a53de29
                  • Opcode Fuzzy Hash: 24f56614ed29b4981b59d57abe033d9c36d910e8e8c9aa089fba93e762f3119f
                  • Instruction Fuzzy Hash: 1E711771900258EADF24DF54CC99BEAB7B8EF18304F5002DAE409A6291DB74AA89CF51
                  Uniqueness

                  Uniqueness Score: -1.00%
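
                  The API lines in these entries are printed as Api.MODULE(stack values), ref: call-site address, and the registry lookups carry raw Win32 constants: 80000002 is HKEY_LOCAL_MACHINE, 00020019 is KEY_READ, and 00020119 is KEY_READ combined with KEY_WOW64_64KEY (the 64-bit registry view requested from a 32-bit process, which this sample is). The Python below is an added example for reading such entries; it is not code from the analysed sample, from Joe Sandbox or from this report. It parses the lines into records and names those constants wherever they appear. The sample lines embedded in it are copied verbatim from the listing; the regular expression, the record type and the constant tables are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin API reference lines and decode the registry
constants they carry.  Added example for reading the report, not code from
the analysed sample or from Joe Sandbox."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shape as printed in the report:
#   [Part of subcall function XXXXXXXX: ]Api.MODULE(arg,arg,...), ref: XXXXXXXX
# __dosmaperr.LIBCMT is printed without an argument list, so that group is optional.
_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Predefined registry root handles (winreg.h).
_HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
# Composite samDesired masks and the WOW64 view flags that may be OR-ed into them.
_ACCESS_COMBOS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
_WOW64_FLAGS = {0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}


def decode_access(mask: int) -> Optional[str]:
    """Name a samDesired mask, or return None for anything that is not a
    recognised KEY_* combination so junk stack values are not mislabelled."""
    base, wow = mask & ~0x300, mask & 0x300
    if base not in _ACCESS_COMBOS or (wow and wow not in _WOW64_FLAGS):
        return None
    names = [_ACCESS_COMBOS[base]]
    if wow:
        names.append(_WOW64_FLAGS[wow])
    return " | ".join(names)


def decode_constant(arg: str) -> Optional[str]:
    """Name an 8-hex-digit argument if it is an HKEY root or a KEY_* mask."""
    if not re.fullmatch(r"[0-9A-F]{8}", arg):
        return None
    value = int(arg, 16)
    return _HKEY_ROOTS.get(value) or decode_access(value)


@dataclass
class ApiRef:
    api: str
    module: str
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when printed as "Part of subcall function"
    args: List[str]
    decoded: List[Tuple[int, str, str]] = field(default_factory=list)


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Turn one report line into an ApiRef; None if the line is not an API entry."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    # The report prints raw stack slots, not only the API's own parameters
    # (PathFileExistsW takes one argument but eight values are shown), so
    # constants are decoded wherever they occur rather than by position.
    decoded = []
    for index, arg in enumerate(args):
        name = decode_constant(arg)
        if name:
            decoded.append((index, arg, name))
    return ApiRef(m["api"], m["mod"], m["ref"], m["sub"], args, decoded)


def summarise(lines) -> Dict[str, int]:
    """Count API names across report lines; lines that are not API entries are skipped."""
    return Counter(r.api for r in map(parse_api_line, lines) if r)


# Lines copied verbatim from the listing above.
SAMPLE_LINES = (
    "• Part of subcall function 003309D0: RegCreateKeyExW.ADVAPI32(CB28B7D0,00020019,00000000,00000000,00000000,00000026,00000000,?,CB28B7D0,?,?), ref: 00330A97",
    "• Part of subcall function 00330BE0: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 00330C98",
    "• PathFileExistsW.SHLWAPI(?,DisplayIcon,?,80000002,003C7E0C,00020119,CB28B7D0,?), ref: 00309D8B",
    "• RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,00000000), ref: 001D6736",
    "• __dosmaperr.LIBCMT ref: 00366A85",
)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_api_line(line)
        print(f"{entry.ref} {entry.api}.{entry.module}",
              *(f"arg{i}={v}={n}" for i, v, n in entry.decoded))
    print(dict(summarise(SAMPLE_LINES)))
```

                  Run stand-alone it prints one line per entry with the decoded constants beside their stack-slot index, then the per-API count. Decoding is deliberately strict: a value is only named when it equals a predefined HKEY root or a complete KEY_READ/KEY_WRITE/KEY_ALL_ACCESS mask with at most one WOW64 flag, so pointers such as CB28B7D0 or 003C7E0C that happen to sit in the same slots are left unlabelled.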

                  APIs
                  • FindCloseChangeNotification.KERNEL32(00000000,?,00000000,?,003725F7,0032CC93), ref: 00366A50
                  • GetLastError.KERNEL32(?,00000000,?,003725F7,0032CC93), ref: 00366A5A
                  • __dosmaperr.LIBCMT ref: 00366A85
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                  • String ID:
                  • API String ID: 490808831-0
                  • Opcode ID: dbeaa8c373515f61f3545449c60ad72a8554e29b2d8264f97ea6c1aa444794fc
                  • Instruction ID: 4552967ed86be379b99d1ea7514c8562acddd02e5fae161ed064fa623f66bb5d
                  • Opcode Fuzzy Hash: dbeaa8c373515f61f3545449c60ad72a8554e29b2d8264f97ea6c1aa444794fc
                  • Instruction Fuzzy Hash: A6016B72A1811016C22353B4EC47F7DAB6E8B917B4F2AC259FC16EF1C5DE31DC814290
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateThread.KERNEL32(00306BCC,?,Function_0019DC33,00000000,001F0240,00306BCC), ref: 0035DDD0
                  • GetLastError.KERNEL32(?,0031DC52,00000000,00000000,?,00000000,00000000,00306BD0,003AC8CC,?,001F01F4,00306BCC,001F0240,003AC8CC), ref: 0035DDDC
                  • __dosmaperr.LIBCMT ref: 0035DDE3
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: CreateErrorLastThread__dosmaperr
                  • String ID:
                  • API String ID: 2744730728-0
                  • Opcode ID: 5ce0d99be3f9ceb40026412411c633082eac6d7c9cb9fda3d7485628b2142f29
                  • Instruction ID: e4549e744547d2254d6bbe56b760c7362ec508a2e331a6698e7e185350d48f24
                  • Opcode Fuzzy Hash: 5ce0d99be3f9ceb40026412411c633082eac6d7c9cb9fda3d7485628b2142f29
                  • Instruction Fuzzy Hash: 87019E36504209ABCB27AFA5DC05DDF7BB9EF85322F010024FC048A260DA328959DBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00364C3B: GetLastError.KERNEL32(?,?,?,0035CB89,003680A9,?,00364BE5,00000001,00000364,?,003548F1,?,?,00000000,00000000), ref: 00364C40
                    • Part of subcall function 00364C3B: _free.LIBCMT ref: 00364C75
                    • Part of subcall function 00364C3B: SetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00364CA9
                  • ExitThread.KERNEL32 ref: 0035DCF9
                  • CloseHandle.KERNEL32(?,?,?,0035DE19,?,?,0035DC90,00000000), ref: 0035DD21
                  • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0035DE19,?,?,0035DC90,00000000), ref: 0035DD37
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                  • String ID:
                  • API String ID: 1198197534-0
                  • Opcode ID: b4d476af63e599c2fdfec71d25beaf4a56643207ab6be3a0c88f8aa06ba5c976
                  • Instruction ID: 0799d10c3455b125fe8cebd3efab60c5032942d4925bac6b39579a0fe83e0a5c
                  • Opcode Fuzzy Hash: b4d476af63e599c2fdfec71d25beaf4a56643207ab6be3a0c88f8aa06ba5c976
                  • Instruction Fuzzy Hash: 7EF05E704006067BDB335B75C848E5A3AACAF00362F1A8615FC64CB1B4EB61EC8AC650
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,1.0.0.0,00000007,?), ref: 00328D2A
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: FileModuleName
                  • String ID: 1.0.0.0
                  • API String ID: 514040917-1185392965
                  • Opcode ID: 9aa0cd8bf1ce429f0ccfda33e0f6dbcbf19b5577a415bad38ba9fcf93aba29f0
                  • Instruction ID: 2a052bfe97f1c6fe190d4d0206dd0af5281d4097b5d6828be1cf96548051c790
                  • Opcode Fuzzy Hash: 9aa0cd8bf1ce429f0ccfda33e0f6dbcbf19b5577a415bad38ba9fcf93aba29f0
                  • Instruction Fuzzy Hash: 55515E70D0122D9ACB21EF64DD497E9B3B4AF68304F1042DAD40DA6281EB746BC4CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: __fread_nolock
                  • String ID:
                  • API String ID: 2638373210-0
                  • Opcode ID: e926ec8fb7fcdf9098c4d3f605acf815c3416cda92894003d9e4b0d596bf945c
                  • Instruction ID: f840772eb357f7cc91c01849dfc68b7921b3adc786a0d359514b1fae37f457d0
                  • Opcode Fuzzy Hash: e926ec8fb7fcdf9098c4d3f605acf815c3416cda92894003d9e4b0d596bf945c
                  • Instruction Fuzzy Hash: F251B671A002189FCB279F28DC81FEDB3B9AF49340F1001B9F4999B251DBB09AC59F91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • InitializeCriticalSection.KERNEL32(00000004), ref: 001EE45A
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001EE4CC
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: CriticalFileInitializeModuleNameSection
                  • String ID:
                  • API String ID: 867279363-0
                  • Opcode ID: 6181fcf023444593086d347d1686db1e851d8a913b00b78a9a4479372b165e27
                  • Instruction ID: 31a2169d7945c561d2fbf9b2665288709c787fae95c058de7e0d26bd483adcee
                  • Opcode Fuzzy Hash: 6181fcf023444593086d347d1686db1e851d8a913b00b78a9a4479372b165e27
                  • Instruction Fuzzy Hash: 3E518074800659EADB11DF64CC49BDEFBF8EF14304F00469AE449A7291EB746B88CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • Concurrency::cancel_current_task.LIBCPMT ref: 001EA681
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Mtx_unlock.LIBCPMT ref: 001EA616
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Concurrency::cancel_current_taskMtx_unlockmtx_do_lock
                  • String ID:
                  • API String ID: 3762464901-0
                  • Opcode ID: ce8f8e9a7296bbe73573814f8b1547283892d1f842033324a9a7d56c364b91cf
                  • Instruction ID: ea4aa6c2eb94cceb07bdf304bbff8f1f39f7d8a4428214760609ff60acd4d26c
                  • Opcode Fuzzy Hash: ce8f8e9a7296bbe73573814f8b1547283892d1f842033324a9a7d56c364b91cf
                  • Instruction Fuzzy Hash: D43135B0D00289AFDF15DB64D805BAFFBF4EF09300F14416DE416A7281DB74AA44CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,001DD51A,00000000,00000000,00000000,?,003A8F14), ref: 0032CD30
                  • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,001DD51A,00000000,00000000), ref: 0032CD7E
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: File$CreateWrite
                  • String ID:
                  • API String ID: 2263783195-0
                  • Opcode ID: c9e7697566988ae17c86d566826378a3f9c080f0f36ba0d9eaacfb8214f22177
                  • Instruction ID: a83fedeba6bab53b9027fdd2871e491aca65091c537f6c39a8eb99a9f6c780a8
                  • Opcode Fuzzy Hash: c9e7697566988ae17c86d566826378a3f9c080f0f36ba0d9eaacfb8214f22177
                  • Instruction Fuzzy Hash: 5B115A71610228BBDB22DF58EC85F9E7B68AB05750F154224FD18AB1D0D770EE5087D4
                  Uniqueness

                  Uniqueness Score: -1.00%
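                  The CreateFileW/WriteFile pair in the entry above is the one place in this section where the printed argument values carry meaning on their own: 40000000 is GENERIC_WRITE and 00000002 is CREATE_ALWAYS, so the function creates or overwrites a file and writes to it (lpFileName is printed as 00000000 in this static trace, so the target path is not recoverable from this entry alone). The script below is an added example, not Joe Sandbox code and not code from the sample; it parses those two trace lines and decodes the flags. It assumes that a '?' in the printed list is a value the IDA plugin could not resolve, and that the list is a raw stack view that can be longer than the API's formal parameter list (the CreateFileW line carries 16 values for a 7-parameter function).

```python
"""Decode the argument lists Joe Sandbox prints for CreateFileW/WriteFile.

Added example for this report; not Joe Sandbox code and not from the sample.
Assumption: '?' is a value the plugin could not resolve, and the printed list is
the raw stack view, so it may be longer than the API's formal parameter list.
"""
import re

# Constructed input: the two trace lines quoted in the function entry above.
TRACE_LINES = [
    "CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,"
    "00000000,00000000,00000000,?,001DD51A,00000000,00000000,00000000,?,003A8F14), ref: 0032CD30",
    "WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,001DD51A,00000000,00000000), ref: 0032CD7E",
]

# Win32 constants from winnt.h / fileapi.h.
ACCESS_FLAGS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


def parse_trace_line(line):
    """Split 'Api.MODULE(a,b,?,...), ref: ADDR' into a record; '?' becomes None."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sandbox API trace line: {line!r}")
    args = [None if tok.strip() == "?" else int(tok, 16) for tok in m["args"].split(",")]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def flags_to_names(value, table):
    """Expand a bit mask into symbolic names; unknown bits are kept as hex."""
    if value is None:
        return ["?"]
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names or ["0"]


def decode_createfilew(rec):
    """Map positional args onto CreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
    lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile).
    Extra trailing values (return addresses, caller stack) are ignored."""
    a = rec["args"]
    if rec["api"] != "CreateFileW" or len(a) < 7:
        raise ValueError("record is not a complete CreateFileW call")
    disposition = "?" if a[4] is None else DISPOSITION.get(a[4], hex(a[4]))
    return {
        "file_name_ptr": a[0],
        "desired_access": flags_to_names(a[1], ACCESS_FLAGS),
        "share_mode": flags_to_names(a[2], SHARE_FLAGS),
        "creation_disposition": disposition,
        "flags_and_attributes": a[5],
    }


def is_file_drop_sequence(records):
    """True when a CreateFileW opened for writing with a creating/truncating
    disposition is followed by a WriteFile: the usual file-drop primitive."""
    creating = {"CREATE_NEW", "CREATE_ALWAYS", "OPEN_ALWAYS", "TRUNCATE_EXISTING"}
    opened_for_write = False
    for rec in records:
        if rec["api"] == "CreateFileW":
            d = decode_createfilew(rec)
            opened_for_write = ("GENERIC_WRITE" in d["desired_access"]
                                and d["creation_disposition"] in creating)
        elif rec["api"] == "WriteFile" and opened_for_write:
            return True
    return False


if __name__ == "__main__":
    records = [parse_trace_line(line) for line in TRACE_LINES]
    print(decode_createfilew(records[0]))
    print("file-drop sequence:", is_file_drop_sequence(records))
```

                  For the entry above the decoder reports desired_access GENERIC_WRITE, share_mode 0 (exclusive) and creation_disposition CREATE_ALWAYS, and the Create/Write pair is flagged as a file-drop sequence. Which file is dropped has to come from elsewhere in the report (the dynamic file-activity section), not from this static entry.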

                  APIs
                  • GetLastError.KERNEL32(003B7E48,00000010), ref: 0035DC46
                  • ExitThread.KERNEL32 ref: 0035DC4D
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ErrorExitLastThread
                  • String ID:
                  • API String ID: 1611280651-0
                  • Opcode ID: 784589c172154b60d4929fecef5ed04e90a0e3120fce209b4c4dfb6e2f21f02c
                  • Instruction ID: 27de7320355a0193c3498e6fe3243efe3ed11637eb354910703957dde870d173
                  • Opcode Fuzzy Hash: 784589c172154b60d4929fecef5ed04e90a0e3120fce209b4c4dfb6e2f21f02c
                  • Instruction Fuzzy Hash: 7CF0C271900204AFDB17AFB0D80AFAD3B74FF84705F114189F801AF2A2CB75A905DBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 001DC860: std::locale::_Init.LIBCPMT ref: 001DC971
                  • std::locale::_Init.LIBCPMT ref: 001EC603
                    • Part of subcall function 001DC860: __CxxThrowException@8.LIBVCRUNTIME ref: 001DC88D
                    • Part of subcall function 001DC860: __CxxThrowException@8.LIBVCRUNTIME ref: 001DC8D2
                    • Part of subcall function 001ED9A0: std::_Lockit::_Lockit.LIBCPMT ref: 001ED9D5
                    • Part of subcall function 001ED9A0: std::_Lockit::_Lockit.LIBCPMT ref: 001ED9F7
                    • Part of subcall function 001ED9A0: std::_Lockit::~_Lockit.LIBCPMT ref: 001EDA17
                    • Part of subcall function 001ED9A0: std::_Lockit::~_Lockit.LIBCPMT ref: 001EDAFF
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Lockitstd::_$Exception@8InitLockit::_Lockit::~_Throwstd::locale::_
                  • String ID:
                  • API String ID: 3818760586-0
                  • Opcode ID: afe4b19c67cc568727f7fe38e6b9989320fafc58612c7b8b19e5c18947ba0c13
                  • Instruction ID: 2e5f3f0fa09e0e8052e8b3f109daf4a9b32f07938e1764e5a0af9e08aecb16d6
                  • Opcode Fuzzy Hash: afe4b19c67cc568727f7fe38e6b9989320fafc58612c7b8b19e5c18947ba0c13
                  • Instruction Fuzzy Hash: E7A1E2B4A00244CFDB05CF59C894B9ABBE4FF09314F1581AAE9099F392D776E945CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___std_exception_copy.LIBVCRUNTIME ref: 001E13FE
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ___std_exception_copy
                  • String ID:
                  • API String ID: 2659868963-0
                  • Opcode ID: 2b14b271d89e891cb470059760887a25a40abfa2ceed17b9dae969d8e27fbe43
                  • Instruction ID: 9bafa6f5bcd793de9ff7465866a7f3a017220d5fb294d77595d9c6aac09c5dbf
                  • Opcode Fuzzy Hash: 2b14b271d89e891cb470059760887a25a40abfa2ceed17b9dae969d8e27fbe43
                  • Instruction Fuzzy Hash: E4411472A00559AFCB15DFADDC806AEB7E9FF44360F140269E815EB341E770ED508B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 113a54f6a9eda870a95d62c258958f172d03b6211dc4b6cc582c5ffae7200faa
                  • Instruction ID: 643adc84470c6ad73a94293ff852c0a3d91fed2503110f93d365a14af61b8aaf
                  • Opcode Fuzzy Hash: 113a54f6a9eda870a95d62c258958f172d03b6211dc4b6cc582c5ffae7200faa
                  • Instruction Fuzzy Hash: A5419136A10614CFCB29CF69D88096DBBF5EF8D310B1682AAE915DB3B0D730AD44CB41
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 001F0110: __Cnd_init.LIBCPMT ref: 001F0140
                    • Part of subcall function 001F0110: __Mtx_init.LIBCPMT ref: 001F0173
                    • Part of subcall function 001F01E0: __Thrd_start.LIBCPMT ref: 001F01EF
                  • __Mtx_unlock.LIBCPMT ref: 00306BE9
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Cnd_initMtx_initMtx_unlockThrd_start
                  • String ID:
                  • API String ID: 2901745279-0
                  • Opcode ID: 5dbcbfcc4cdb353644dfeb4388792a6793f2bf9e30648b28bc5958aa8c9d8eb2
                  • Instruction ID: e97400adb947300a49f2530d7fa4a78087c17d26f5cb2b830e1a588bbd1a7a56
                  • Opcode Fuzzy Hash: 5dbcbfcc4cdb353644dfeb4388792a6793f2bf9e30648b28bc5958aa8c9d8eb2
                  • Instruction Fuzzy Hash: 4F3199B1D0120CABDF01DFA4DD467DEB7B8EF18310F144129E845BB281E775AA54CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00310881
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID:
                  • API String ID: 2005118841-0
                  • Opcode ID: c509f8493b547c1b5f7ba4448122242ec91fe584adf58bf440ba6e23446788b1
                  • Instruction ID: 1a6c2594229945533f2b201fc9bde8cdda6836aaf3fe9aeddca2e77d1346df61
                  • Opcode Fuzzy Hash: c509f8493b547c1b5f7ba4448122242ec91fe584adf58bf440ba6e23446788b1
                  • Instruction Fuzzy Hash: C0113432504208EFCB06DF90D844FDABBB9FB08710F108669FA159B661C775E960DB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: __wsopen_s
                  • String ID:
                  • API String ID: 3347428461-0
                  • Opcode ID: b2ed81b5f0c7bea08eac976a63ec47ee20640bb953c828c4f16f98ae0b4ed3cd
                  • Instruction ID: ea8e886a06d2168cde98f26123c328751f7b6d14d5222b06fff63684e52fb0dc
                  • Opcode Fuzzy Hash: b2ed81b5f0c7bea08eac976a63ec47ee20640bb953c828c4f16f98ae0b4ed3cd
                  • Instruction Fuzzy Hash: 04118C71A04209AFCF06DF98E941DAB7BF8EF48310F118059F809AB301D671ED21CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 47d8fcbfbfc79f68c000c94ae1462f508f5b61fb2fbeafa1462d6cec1990a93e
                  • Instruction ID: dc02c89344efd6223c96cdc38f51ed126fc9bd918aae1b678b730be02419f744
                  • Opcode Fuzzy Hash: 47d8fcbfbfc79f68c000c94ae1462f508f5b61fb2fbeafa1462d6cec1990a93e
                  • Instruction Fuzzy Hash: 0CF0F932501E105AC6233A6ADC06F6A32A89F43376F114715FC609B1E1EBB0DD099593
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00389769: std::_Lockit::_Lockit.LIBCPMT ref: 00389792
                    • Part of subcall function 00389769: std::_Lockit::~_Lockit.LIBCPMT ref: 003897BA
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00312044
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Lockitstd::_$Exception@8Lockit::_Lockit::~_Throw
                  • String ID:
                  • API String ID: 2653793986-0
                  • Opcode ID: 27d1987c1e73653aff1062b257b035fa82163a1846aa4b8482528d68c5754421
                  • Instruction ID: 161ebea551624f8f6e4c6b96c1e6191fa4725423e8844f46cb3cb7a20d995580
                  • Opcode Fuzzy Hash: 27d1987c1e73653aff1062b257b035fa82163a1846aa4b8482528d68c5754421
                  • Instruction Fuzzy Hash: 95F0EC22D4121822DA2777B5AD03FEF775C4E59791F080176FD089E152FA50BA59C1E3
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • Concurrency::details::_Release_chore.LIBCPMT ref: 001E2286
                    • Part of subcall function 0031D539: ___crtAcquireSRWLockExclusive.LIBCPMT ref: 0031D554
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: AcquireConcurrency::details::_ExclusiveLockRelease_chore___crt
                  • String ID:
                  • API String ID: 4271677666-0
                  • Opcode ID: ae7548d9a1cb17d88d60a8a572e2ce3a08be91655a9c9d993eaac99d0163e286
                  • Instruction ID: e793ae34280248904ce15d077432110d7b8fed6fdea7c77348e5393644bda01a
                  • Opcode Fuzzy Hash: ae7548d9a1cb17d88d60a8a572e2ce3a08be91655a9c9d993eaac99d0163e286
                  • Instruction Fuzzy Hash: 04F08171901618EFCB11EF54DC01BEEBBB8EF09710F10466AE815AB781D7746A008B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Mtx_unlock.LIBCPMT ref: 001DDD06
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Mtx_unlockmtx_do_lock
                  • String ID:
                  • API String ID: 147572093-0
                  • Opcode ID: 472d1bcc87c64ebe71dd7b8c42baf5fbe08ebbda7317c2ef368ad655b54160af
                  • Instruction ID: 206f85805defd8ec6325e685932c6a4409490fee5cad06b0bc90815d8136bfd7
                  • Opcode Fuzzy Hash: 472d1bcc87c64ebe71dd7b8c42baf5fbe08ebbda7317c2ef368ad655b54160af
                  • Instruction Fuzzy Hash: B3E0E5F390020037ED1536A0BC03AEB726C8A65310F04053AFD029A252FFA1F95691F3
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Mtx_unlock.LIBCPMT ref: 001DDD67
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Mtx_unlockmtx_do_lock
                  • String ID:
                  • API String ID: 147572093-0
                  • Opcode ID: 8bdb4449e8ef7b24ef28e2961593cf71b2a654f3b4d58c046deba551e9f77f98
                  • Instruction ID: ac1624db9a3609afd56d7ed27ac23d9be74214700554c036f1455c71eacc8624
                  • Opcode Fuzzy Hash: 8bdb4449e8ef7b24ef28e2961593cf71b2a654f3b4d58c046deba551e9f77f98
                  • Instruction Fuzzy Hash: 48E0A0F290021037DE1A3AA0BC038AF736D8965320B04053AFD069A262FB61F95681B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Thrd_start
                  • String ID:
                  • API String ID: 2176944979-0
                  • Opcode ID: 57c93b4e31c2a1a8c3336ab4267fc22d46700b5df6d1800701c542a72f667914
                  • Instruction ID: d2a5d9feac45e9c137b51cd9058bbbc8676be087bf928b4ff7f179f6450aebac
                  • Opcode Fuzzy Hash: 57c93b4e31c2a1a8c3336ab4267fc22d46700b5df6d1800701c542a72f667914
                  • Instruction Fuzzy Hash: 76F0A7B190020836EF3B16159C0ABB77A884F19350F048439EA0B54552E7A6EC908AB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036D689,?,00000000,?,00000003,00364C3A), ref: 00364D72
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0

                  APIs
                  • std::_Throw_Cpp_error.LIBCPMT ref: 001F0272
                    • Part of subcall function 0031BE66: std::system_error::system_error.LIBCPMT ref: 0031BE87
                    • Part of subcall function 0031BE66: __CxxThrowException@8.LIBVCRUNTIME ref: 0031BE95
                    • Part of subcall function 0031BE66: ___crtInitializeCriticalSectionEx.LIBCPMT ref: 0031BEAF
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: Cpp_errorCriticalException@8InitializeSectionThrowThrow____crtstd::_std::system_error::system_error
                  • String ID:
                  • API String ID: 25672295-0

                  APIs
                  • CreateFileW.KERNEL32(00000000,00000000,?,00372485,?,?,00000000,?,00372485,00000000,0000000C), ref: 00372138
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0

                  APIs
                  • CreateThread.KERNEL32(00000000,00000000,Function_0016E280,00000000,00000000,00000000), ref: 0032DDE1
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0

                  APIs
                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,76564830,00000000,?,?,?,0032F789,76564830,00395868,003A8ED4), ref: 0032CCFF
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0

                  APIs
                  • FindCloseChangeNotification.KERNEL32(?,?,001F0284,?,?,?,?,?,00306C1F,?,?,?), ref: 0031DBA4
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0

                  Non-executed Functions

                  APIs
                  • PathFileExistsW.SHLWAPI(?,CB28B7D0), ref: 002BF619
                  • OpenClipboard.USER32(00000000), ref: 002BF8E9
                  • EmptyClipboard.USER32 ref: 002BF8F3
                  • CloseClipboard.USER32 ref: 002BF8F9
                  • MapVirtualKeyW.USER32(0000004C,00000000), ref: 002BF92E
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BF949
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 002BF95E
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BF973
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 002BF988
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BF99D
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 002BF9B2
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BF9C7
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 002BF9DC
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BF9F1
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 002BFA06
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFA1B
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002BFA30
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFA45
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 002BFA5A
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFA6F
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 002BFA84
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFA99
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 002BFAAE
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFAC3
                  • PostMessageW.USER32(003C7ADC,00000403,00000000,00000000), ref: 002BFAE1
                  • OpenClipboard.USER32(00000000), ref: 002BFB18
                  • EmptyClipboard.USER32 ref: 002BFB22
                  • CloseClipboard.USER32 ref: 002BFB28
                  • MapVirtualKeyW.USER32(0000004C,00000000), ref: 002BFB5D
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFB78
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 002BFB8D
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFBA2
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 002BFBB7
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFBCC
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 002BFBE1
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFBF6
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 002BFC0B
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFC20
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 002BFC35
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFC4A
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002BFC5F
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFC74
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 002BFC89
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFC9E
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 002BFCB3
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFCC8
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 002BFCDD
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002BFCF2
                  • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 002BFD10
                  • OpenClipboard.USER32(00000000), ref: 002C0099
                  • EmptyClipboard.USER32 ref: 002C00A3
                  • CloseClipboard.USER32 ref: 002C00A9
                  • PostMessageW.USER32(00000006,00000403,00000000,00000000), ref: 002C0158
                  • OpenClipboard.USER32(00000000), ref: 002C01FF
                  • EmptyClipboard.USER32 ref: 002C0209
                  • CloseClipboard.USER32 ref: 002C020F
                  • MapVirtualKeyW.USER32(0000004C,00000000), ref: 002C024D
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C0268
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 002C027D
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C0292
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 002C02A7
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C02BC
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 002C02D1
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C02E6
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 002C02FB
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C0310
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 002C0325
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C033A
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002C034F
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C0364
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 002C0379
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C038E
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 002C03A3
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C03B8
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 002C03CD
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C03E2
                  • PostMessageW.USER32(00000000,00000403,00000000,00000000), ref: 002C0400
                  • GetTempPathW.KERNEL32(00000104,?), ref: 002C0501
                  • PathAppendW.SHLWAPI(?,003C7AC4), ref: 002C0522
                  • DeleteFileW.KERNEL32(?), ref: 002C0535
                  • PathFileExistsW.SHLWAPI(?), ref: 002C0644
                  • DeleteFileW.KERNEL32(?), ref: 002C0660
                  • MoveFileW.KERNEL32(?,?), ref: 002C0672
                  • SHSetValueW.SHLWAPI(80000001,003C7ADC,003C7AF4,00000001,?,?), ref: 002C095C
                  • SHSetValueW.SHLWAPI(80000001,003C7ADC,003C7B0C,00000001,?,?), ref: 002C09AD
                  • SHSetValueW.SHLWAPI(80000001,003C7ADC,003C7B24,00000004,?,00000004), ref: 002C09ED
                  • SHSetValueW.SHLWAPI(80000001,003C7ADC,003C7B3C,00000004,?,00000004), ref: 002C0A29
                  • OpenClipboard.USER32(00000000), ref: 002C0A78
                  • EmptyClipboard.USER32 ref: 002C0A82
                  • CloseClipboard.USER32 ref: 002C0A88
                  • PostMessageW.USER32(00000006,00000403,00000000,00000000), ref: 002C0B37
                  • OpenClipboard.USER32(00000000), ref: 002C0B92
                  • EmptyClipboard.USER32 ref: 002C0B9C
                  • CloseClipboard.USER32 ref: 002C0BA2
                  • PostMessageW.USER32(00000006,00000403,00000000,00000000), ref: 002C0C51
                  • OpenClipboard.USER32(00000000), ref: 002C0D63
                  • EmptyClipboard.USER32 ref: 002C0D6D
                  • CloseClipboard.USER32 ref: 002C0D73
                  • PostMessageW.USER32(00000006,00000403,00000000,00000000), ref: 002C0E22
                  • OpenClipboard.USER32(00000000), ref: 002C0E67
                  • EmptyClipboard.USER32 ref: 002C0E71
                  • CloseClipboard.USER32 ref: 002C0E77
                  • OpenClipboard.USER32(00000000), ref: 002C0F2C
                  • EmptyClipboard.USER32 ref: 002C0F36
                  • CloseClipboard.USER32 ref: 002C0F3C
                  • MapVirtualKeyW.USER32 ref: 002C0F80
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C0FA4
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 002C0FBF
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C0FDD
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 002C0FF8
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1016
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 002C1031
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C104F
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 002C106A
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1088
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 002C10A3
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C10C1
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002C10DC
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C10FA
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 002C1115
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1133
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 002C114E
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C116C
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 002C1187
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C11A5
                  • PostMessageW.USER32(00000006,00000403,00000000,00000000), ref: 002C11C3
                  • OpenClipboard.USER32(00000000), ref: 002C11FD
                  • EmptyClipboard.USER32 ref: 002C1207
                  • CloseClipboard.USER32 ref: 002C120D
                  • MapVirtualKeyW.USER32 ref: 002C1251
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1275
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 002C1290
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C12AE
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 002C12C9
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C12E7
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 002C1302
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1320
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 002C133B
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1359
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 002C1374
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1392
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002C13AD
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C13CB
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 002C13E6
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1404
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 002C141F
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C143D
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 002C1458
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 002C1476
                  • PostMessageW.USER32(00000006,00000403,00000000,00000000), ref: 002C1494
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: InputSendVirtual$Clipboard$CloseEmptyOpen$MessagePost$File$PathValue$DeleteExists$AppendMoveTemp
                  • String ID: $$${<$${<$${<$${<$0u$<{<$<{<$<{<$<{<$d$d$d$d$|
                  • API String ID: 3902815121-3627863322

                  APIs
                  • KillTimer.USER32(?,00000006,CB28B7D0), ref: 001FC500
                  • mouse_event.USER32 ref: 001FC536
                  • GetTickCount.KERNEL32 ref: 001FC53C
                  • OpenClipboard.USER32(00000000), ref: 001FC5EE
                  • EmptyClipboard.USER32 ref: 001FC5F8
                  • CloseClipboard.USER32 ref: 001FC5FE
                  • MapVirtualKeyW.USER32(0000004C,00000000), ref: 001FC633
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FC64E
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 001FC663
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FC678
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 001FC68D
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FC6A2
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 001FC6B7
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FC6CC
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 001FC6E1
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FC6F6
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 001FC70B
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FC720
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 001FC735
                    • Part of subcall function 001FFDD0: ShowWindow.USER32(?,00000001,?,?,00000000), ref: 001FFDE3
                    • Part of subcall function 001FFDD0: GetWindowLongW.USER32(?,000000EC), ref: 001FFDEE
                    • Part of subcall function 001FFDD0: SetWindowLongW.USER32(?,000000EC,00000000), ref: 001FFDFD
                    • Part of subcall function 001FFDD0: FindWindowW.USER32(Qt5QWindowOwnDCIcon,003AC118), ref: 001FFEAB
                    • Part of subcall function 001FFDD0: GetWindowLongW.USER32(00000000,000000EC), ref: 001FFEBA
                    • Part of subcall function 001FFDD0: SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 001FFEC7
                    • Part of subcall function 001FFDD0: BeginDeferWindowPos.USER32 ref: 001FFED3
                    • Part of subcall function 001FFDD0: DeferWindowPos.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,0000001B), ref: 001FFEEF
                    • Part of subcall function 001FFDD0: DeferWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000001B), ref: 001FFF03
                    • Part of subcall function 001FFDD0: DeferWindowPos.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,0000001B), ref: 001FFF18
                    • Part of subcall function 001FFDD0: EndDeferWindowPos.USER32(00000000,?,?,00000000), ref: 001FFF1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: Window$Virtual$InputSend$Defer$Long$Clipboard$BeginCloseCountEmptyFindKillOpenShowTickTimermouse_event
                  • String ID: d
                  • API String ID: 3265710587-2564639436

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?), ref: 00306113
                  • PathAppendW.SHLWAPI(?,003C792C), ref: 00306136
                  • PathFileExistsW.SHLWAPI(?), ref: 00306145
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?), ref: 0030616F
                  • PathAppendW.SHLWAPI(?,003C792C), ref: 0030618C
                  • PathFileExistsW.SHLWAPI(?), ref: 00306195
                  • lstrcpyW.KERNEL32(?,00000000), ref: 00306261
                  • FindFirstFileW.KERNEL32(?,?), ref: 003062A8
                  • lstrcmpW.KERNEL32(?,003A8CAC), ref: 003062CF
                  • lstrcmpW.KERNEL32(?,003A8CB0), ref: 003062E5
                  • PathAppendW.SHLWAPI(?,?,?,?), ref: 0030636C
                  • PathAppendW.SHLWAPI(?,003C7944), ref: 00306389
                  • PathFileExistsW.SHLWAPI(?), ref: 00306392
                  • lstrcpyW.KERNEL32(?,00000000), ref: 00306408
                  • FindFirstFileW.KERNEL32(?,?), ref: 0030644F
                  • lstrcmpW.KERNEL32(?,003A8CAC), ref: 003064EC
                  • lstrcmpW.KERNEL32(?,003A8CB0), ref: 00306502
                  • FindNextFileW.KERNEL32(?,?), ref: 00306749
                  • FindNextFileW.KERNEL32(?,?), ref: 00306773
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  Similarity
                  • API ID: Path$File$AppendFindlstrcmp$Exists$FirstFolderNextlstrcpy
                  • String ID: %d-%02d-%02d$,y<$,y<$Dy<
                  • API String ID: 3155479202-2107139703

                  APIs
                  • PathFileExistsW.SHLWAPI(?,003A8C5C,00000000,CB28B7D0,?,?,?,?,DisplayIcon,0000000B,?,003C78B4,?,80000002,?,DisplayIcon), ref: 001FD34D
                  • PostMessageW.USER32(00000000,00000406,00000000,00000000), ref: 001FD5F7
                    • Part of subcall function 003090A0: RegOpenKeyExW.ADVAPI32(?,001FD25E,00000000,-00020019,00000000,00000000), ref: 0030911C
                    • Part of subcall function 003090A0: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,?,?), ref: 00309155
                  • OpenClipboard.USER32(00000000), ref: 001FD399
                  • EmptyClipboard.USER32(?,?,DisplayIcon,0000000B,?,003C78B4,?,80000002,?,DisplayIcon,0000000B,?,003C789C,?,80000002,?), ref: 001FD3A3
                  • CloseClipboard.USER32(?,?,DisplayIcon,0000000B,?,003C78B4,?,80000002,?,DisplayIcon,0000000B,?,003C789C,?,80000002,?), ref: 001FD3A9
                  • MapVirtualKeyW.USER32(0000004C,00000000), ref: 001FD3DE
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD3F9
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 001FD40E
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD423
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 001FD438
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD44D
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 001FD462
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD477
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 001FD48C
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD4A1
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 001FD4B6
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD4CB
                    • Part of subcall function 003090A0: PathFileExistsW.SHLWAPI(?), ref: 0030922E
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 001FD4E0
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD4F5
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 001FD50A
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD51F
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 001FD534
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD549
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 001FD55E
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FD573
                  • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 001FD591
                  Similarity
                  • API ID: InputSendVirtual$Clipboard$ExistsFileMessageOpenPathPost$CloseEmptyQueryValue
                  • String ID:
                  • API String ID: 3223571943-0
                  • Opcode ID: f1dcb761f3b2c744a89ee57e60d1f325b52a57c13a2da212da2a85bb01c7f6d1
                  • Instruction ID: e92a73799c60e88fe2671050a73d750a07e333604e32f28ca90c5da35885b74e
                  • Opcode Fuzzy Hash: f1dcb761f3b2c744a89ee57e60d1f325b52a57c13a2da212da2a85bb01c7f6d1
                  • Instruction Fuzzy Hash: 29D1A170A403089BEB24DFB8CC85BEEF7F9EF08704F004519E655AB2C1D7B5A9448B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0033D638
                  Similarity
                  • API ID: Ios_base_dtorstd::ios_base::_
                  • String ID: vs. $"$PlatformFile.UnknownErrors.Windows$c:\qt\givememoney\base\platform_file_win.cc$histogram->histogram_name() == "PlatformFile.UnknownErrors.Windows"
                  • API String ID: 323602529-3948446703
                  • Opcode ID: c0ec66a61ab764af5406bdcb2cebdecf561bca383e5de49fde4bd8baaeb56b6d
                  • Instruction ID: ad3c727913b6047727f7e3197fc783c35e09b341f43f85362fd78ec5e058d661
                  • Opcode Fuzzy Hash: c0ec66a61ab764af5406bdcb2cebdecf561bca383e5de49fde4bd8baaeb56b6d
                  • Instruction Fuzzy Hash: F891E871A001089BCF15DFA8ECC6BADB7B5EF49314F5042A9F819AB2D2DB319E44CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: 227760530200e0e1faa45e7a98770720cb0784ced0eaa7eda9a6ff0abaeba594
                  • Instruction ID: 40ebc85faf0df099a882b5e6e7917af936182e35d5877e6f2dd0ee1ebfeb4c87
                  • Opcode Fuzzy Hash: 227760530200e0e1faa45e7a98770720cb0784ced0eaa7eda9a6ff0abaeba594
                  • Instruction Fuzzy Hash: BFC25072E046288FDB3ACE28DD407E9B7B9EB44305F1585EAD44DE7241E778AE858F40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000,?,?,?,CB28B7D0), ref: 00327502
                  • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 0032754F
                  • DeviceIoControl.KERNEL32(?,0007C088,00000000,00000021,00000000,00000221,?,00000000), ref: 0032759D
                  • CloseHandle.KERNEL32(?,?,?,?,?,CB28B7D0), ref: 003276E5
                  Similarity
                  • API ID: ControlDevice$CloseCreateFileHandle
                  • String ID: \\.\PhysicalDrive%d
                  • API String ID: 1375849437-2935326385
                  • Opcode ID: b698c7e1a794d69773d1cd3c071586685eb83e8fc450f60d3f81e29a0a7b0a0b
                  • Instruction ID: 95c4ed5a6f8ed40ae68d936b823c00deb53ad2d895fc7aba91c9f6ae3e7c43a4
                  • Opcode Fuzzy Hash: b698c7e1a794d69773d1cd3c071586685eb83e8fc450f60d3f81e29a0a7b0a0b
                  • Instruction Fuzzy Hash: CE610971E447259BEB22CF38DC45BA9B7B6BF95300F1543A9E408E7181EB71AA948F40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0036C525,?,00000000), ref: 0036C29F
                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0036C525,?,00000000), ref: 0036C2C8
                  • GetACP.KERNEL32(?,?,0036C525,?,00000000), ref: 0036C2DD
                  Similarity
                  • API ID: InfoLocale
                  • String ID: ACP$OCP
                  • API String ID: 2299586839-711371036
                  • Opcode ID: b797e8a3338f46398b290c45221eefef992a5c771c6ccd2c9e837837ab640610
                  • Instruction ID: c5ef8abea6522e825ad0b290c32424af0ed369f57f3ae940900a0a4c94fa2273
                  • Opcode Fuzzy Hash: b797e8a3338f46398b290c45221eefef992a5c771c6ccd2c9e837837ab640610
                  • Instruction Fuzzy Hash: 0221A322A20104AADF268BD4D921AB772AABB54F54B57D924EC8AD7118E732DD41C390
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00364BB7: GetLastError.KERNEL32(?,00000000,00355AE9,00000000,?,?,003548F1,?,?,00000000,00000000), ref: 00364BBB
                    • Part of subcall function 00364BB7: _free.LIBCMT ref: 00364BEE
                    • Part of subcall function 00364BB7: SetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00364C2F
                    • Part of subcall function 00364BB7: _free.LIBCMT ref: 00364C16
                    • Part of subcall function 00364BB7: SetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00364C23
                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0036C4E6
                  • IsValidCodePage.KERNEL32(00000000), ref: 0036C541
                  • IsValidLocale.KERNEL32(?,00000001), ref: 0036C550
                  • GetLocaleInfoW.KERNEL32(?,00001001,0035F99D,00000040,?,0035FABD,00000055,00000000,?,?,00000055,00000000), ref: 0036C598
                  • GetLocaleInfoW.KERNEL32(?,00001002,0035FA1D,00000040), ref: 0036C5B7
                  Similarity
                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                  • String ID:
                  • API String ID: 2287132625-0
                  • Opcode ID: 0f93932adb1ef4cd559e316ab525318ac050694d6d37accc1972b55ea14950ae
                  • Instruction ID: 4b218308346a4d5351a5a06ef6d4642cbde36b432bbdb4adb47028ad9c70f308
                  • Opcode Fuzzy Hash: 0f93932adb1ef4cd559e316ab525318ac050694d6d37accc1972b55ea14950ae
                  • Instruction Fuzzy Hash: 7951B371910209AFEF23EFA6CC55EBE73B8BF49700F059029E995EB154EB7099408B61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0030DA09
                  • CoCreateInstance.OLE32(00394B20,00000000,00000001,00394B10,?,?,?,?,?,CB28B7D0,?), ref: 0030DA21
                  • GetWindowLongW.USER32(?,000000EC), ref: 0030DA4A
                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0030DA5E
                  Similarity
                  • API ID: LongWindow$CreateInitializeInstance
                  • String ID:
                  • API String ID: 511273899-0
                  • Opcode ID: 7b41e790df0553c9e1e78b4456a650649ec046b18e3c2cfa06e35540656c0806
                  • Instruction ID: fe4a2aff0d01921ae54c0402d1a3feae8439526d3b22cf5f3c1be7a740838b6e
                  • Opcode Fuzzy Hash: 7b41e790df0553c9e1e78b4456a650649ec046b18e3c2cfa06e35540656c0806
                  • Instruction Fuzzy Hash: E6018035605114BFCB11DBA4DC55FAE7BACEF0A716F100295F505DB1D0CB719906CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Similarity
                  • API ID:
                  • String ID: Check failed: c < 0x7F. $Check failed: c >= 0. $c:\qt\givememoney\base\strings\string_split.cc
                  • API String ID: 0-2914168844
                  • Opcode ID: e2326817020f6e892d0c2f6c0495a499194f5b6361528c4961b4d7d1f2e4586a
                  • Instruction ID: 42a7a1a95068248a5614d33000e815198dc63ff3db547810401c584e3c8f9490
                  • Opcode Fuzzy Hash: e2326817020f6e892d0c2f6c0495a499194f5b6361528c4961b4d7d1f2e4586a
                  • Instruction Fuzzy Hash: AC028E75E002199FCF15EF68EC81AAEBBB6EF48300F548579E805AB355DB34D941CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0035F3FB,?,00000004), ref: 00366460
                  Similarity
                  • API ID: InfoLocale
                  • String ID: GetLocaleInfoEx
                  • API String ID: 2299586839-2904428671
                  • Opcode ID: 51eda2a15caaaf1585993deff83a1d6bf8a22f1a4c6607e2fea80dc5eebe2583
                  • Instruction ID: c7930d1c6193dc42d1419d19fb2c9f8da8291a96d03a45d1ca294645139b211b
                  • Opcode Fuzzy Hash: 51eda2a15caaaf1585993deff83a1d6bf8a22f1a4c6607e2fea80dc5eebe2583
                  • Instruction Fuzzy Hash: 32F02431A04208BBCF136F61DC02EAE7F29EF08B50F018129FC04AA294CF328D20D691
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Similarity
                  • API ID:
                  • String ID: Infinity$NaN
                  • API String ID: 0-4285296124
                  • Opcode ID: f0d4d48fd496e752e1409c4cff5a6997d28ec17672ff71f4a56923ddbc95e9f4
                  • Instruction ID: 6607959af8e3ce89ab987d1defa83c7103a0955a45f71ec99b3f3d56780c9383
                  • Opcode Fuzzy Hash: f0d4d48fd496e752e1409c4cff5a6997d28ec17672ff71f4a56923ddbc95e9f4
                  • Instruction Fuzzy Hash: 9A82DC71D00709DFDB17CF68C8917AEB7B5AF55340F15822AF806BB241EB759982CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Similarity
                  • API ID:
                  • String ID: |h2$e2
                  • API String ID: 0-2719990233
                  • Opcode ID: 876fd60b069216ed52d8d6b238dcff939897a816e111d731dbb70adcf26c3237
                  • Instruction ID: d1ab88d268c40936602d24338cdedaea54a4c9212de5620ede2ce9e625f2b514
                  • Opcode Fuzzy Hash: 876fd60b069216ed52d8d6b238dcff939897a816e111d731dbb70adcf26c3237
                  • Instruction Fuzzy Hash: 88324EB7F505145BDB0CCA5DCCA27ECB2E3AFD8214B0E813DA81AE7345EA78D9158644
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  • Check failed: components. , xrefs: 0032429B
                  • c:\qt\givememoney\base\files\file_path.cc, xrefs: 00324288
                  Similarity
                  • API ID: ErrorLast
                  • String ID: Check failed: components. $c:\qt\givememoney\base\files\file_path.cc
                  • API String ID: 1452528299-888752659
                  • Opcode ID: 741e86a5f2d3bd489abb17ba3a76ce448350a278d0500b3003d5cc0b78109066
                  • Instruction ID: bde2efc995c14a6c8fcd6acc208a5dbea9387e71d30b1f71e2987db631901134
                  • Opcode Fuzzy Hash: 741e86a5f2d3bd489abb17ba3a76ce448350a278d0500b3003d5cc0b78109066
                  • Instruction Fuzzy Hash: 50220731E002199FCF15DFA4DC81AEEB7B9FF94300F65422DE415A7291EB34AA45CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  • Check failed: CBU16_IS_SINGLE(code_unit16_high). , xrefs: 0033FB92
                  • c:\qt\givememoney\base\json\json_parser.cc, xrefs: 0033FB7F
                  Similarity
                  • API ID:
                  • String ID: Check failed: CBU16_IS_SINGLE(code_unit16_high). $c:\qt\givememoney\base\json\json_parser.cc
                  • API String ID: 0-3558754076
                  • Opcode ID: bbb48b528bacfae9d182fd14310be3e7babe006e644c77ff05ba575daf631eeb
                  • Instruction ID: 42b4d38e66922a0e4e5c0b0d59d9890a69d29a285a3ca2d4de88edb1f9461822
                  • Opcode Fuzzy Hash: bbb48b528bacfae9d182fd14310be3e7babe006e644c77ff05ba575daf631eeb
                  • Instruction Fuzzy Hash: 76715771E4010D9FEF16DBA4C8926FEBB64DF11300F50857AD912AB382C638AF45CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Similarity
                  • API ID:
                  • String ID: hXMV$hXMV
                  • API String ID: 0-400149659
                  • Opcode ID: 69d18cfd9bcbbec0520dc5d80fe568113c1f1711dd77b6a6ee19b3ac6b9ae868
                  • Instruction ID: e93f797896eb448383e8732e91d13442c47427cb5b0f041fa1da890c46c75b4e
                  • Opcode Fuzzy Hash: 69d18cfd9bcbbec0520dc5d80fe568113c1f1711dd77b6a6ee19b3ac6b9ae868
                  • Instruction Fuzzy Hash: CD012672A08789AFD700CB59DC91BAFFBF8EB45B24F20422AF404932C0D636180086A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0036D9ED,?,?,00000008,?,?,003727E6,00000000), ref: 0036DC1F
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: fe14f1072ff779d6c1b05ee1c82c38c042b957339191f4fa7b82619d801b401a
                  • Instruction ID: ac2679eabc838149f4ad10b264d5ae73c31d4426d4481658191c0912b50988b8
                  • Opcode Fuzzy Hash: fe14f1072ff779d6c1b05ee1c82c38c042b957339191f4fa7b82619d801b401a
                  • Instruction Fuzzy Hash: 17B15E31A10609DFD716CF28C48AB657BE0FF45364F26C658E89ACF2A9C375D991CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00364BB7: GetLastError.KERNEL32(?,00000000,00355AE9,00000000,?,?,003548F1,?,?,00000000,00000000), ref: 00364BBB
                    • Part of subcall function 00364BB7: _free.LIBCMT ref: 00364BEE
                    • Part of subcall function 00364BB7: SetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00364C2F
                    • Part of subcall function 00364BB7: _free.LIBCMT ref: 00364C16
                    • Part of subcall function 00364BB7: SetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00364C23
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0036C131
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ErrorLast$_free$InfoLocale
                  • String ID:
                  • API String ID: 2955987475-0
                  • Opcode ID: 952d703f8083e049c2e0bfc8adb76541685652d8a9121afdad079103c6e22eb3
                  • Instruction ID: cf297b2b2563dd9e0d2750a5215f22347694bc033068ea644372d49e11b34bdb
                  • Opcode Fuzzy Hash: 952d703f8083e049c2e0bfc8adb76541685652d8a9121afdad079103c6e22eb3
                  • Instruction Fuzzy Hash: 3821C572520206ABEB26AB24DC45FBA73ACEB05310F11917AFD41CA14AEB75DD41CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00364BB7: GetLastError.KERNEL32(?,00000000,00355AE9,00000000,?,?,003548F1,?,?,00000000,00000000), ref: 00364BBB
                    • Part of subcall function 00364BB7: _free.LIBCMT ref: 00364BEE
                    • Part of subcall function 00364BB7: SetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00364C2F
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0036C188,00000000,00000000,?), ref: 0036C339
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ErrorLast$InfoLocale_free
                  • String ID:
                  • API String ID: 787680540-0
                  • Opcode ID: 9bc772cd88983d93689a4b39e2c48f8ce7c356227c68fdca0fd24dcfb63060a6
                  • Instruction ID: 1578359bb615dd5dd1566b1328168681b098b0c987624f27d893fa679cfc624d
                  • Opcode Fuzzy Hash: 9bc772cd88983d93689a4b39e2c48f8ce7c356227c68fdca0fd24dcfb63060a6
                  • Instruction Fuzzy Hash: 85F07D36920111BBDB265B24CC09BFA7768EB01754F26C529EC85A3248EA38FD41CAE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 438c2294c82739902094e5352324f3ed750ea9a0ff417eebb8205ce52ffb9b1b
                  • Instruction ID: 6c3df50c63a160c0289238d7082eabadae88176f5dba4dd9480768d91be883a1
                  • Opcode Fuzzy Hash: 438c2294c82739902094e5352324f3ed750ea9a0ff417eebb8205ce52ffb9b1b
                  • Instruction Fuzzy Hash: 01516CE030CA4597DB37496DA555FFE2BDA9B02343F194D1AEC82CB6B2E604DD0E8352
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 942e5e18b644e4b8d0c090becf828d985cbb5046b9587b6edf9ecd6ca3f3d25f
                  • Instruction ID: 07eec715b7d73a437ecac9c3c1c442aa22b778cc9dc99c854635213753eef3f1
                  • Opcode Fuzzy Hash: 942e5e18b644e4b8d0c090becf828d985cbb5046b9587b6edf9ecd6ca3f3d25f
                  • Instruction Fuzzy Hash: 2551776130CB4597DB3B8A7CB45AFBE23998B0A307F1A091ADC42CB6B2C605ED0D8751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6dc6a591acad2cd4fddd0da2c0a0cb9388a6edf955a0676533c9897af9d02896
                  • Instruction ID: 5b9c86a3202961e3bf2e6a736898552a5c88809b9576f5ae9ecc0f25d6636364
                  • Opcode Fuzzy Hash: 6dc6a591acad2cd4fddd0da2c0a0cb9388a6edf955a0676533c9897af9d02896
                  • Instruction Fuzzy Hash: 5E424175B016068FDB19CF69C890AAAB3E5FF8D354B2A456DD806DB350DB30EC81CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1096db417e84a4403589431f5c324504f6c7ab920c64b858dd6b92e514e723a0
                  • Instruction ID: 94afc07f84d0900aaaa63ccffa211258b2150fcc419073970b0b559f7b1d5888
                  • Opcode Fuzzy Hash: 1096db417e84a4403589431f5c324504f6c7ab920c64b858dd6b92e514e723a0
                  • Instruction Fuzzy Hash: F251697260C6495ADF378568A45AFFE63899B02303F16050ADC86DB7B2D701DE4EC372
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6aa9dabe6d6c7580ec63fbc790bf147b46d3a9a96e7fa6bfc58885200c49436d
                  • Instruction ID: 0d4832602ed6b266b3916a6fe383859ad7ec820a7307c4124ef1858156b92e6e
                  • Opcode Fuzzy Hash: 6aa9dabe6d6c7580ec63fbc790bf147b46d3a9a96e7fa6bfc58885200c49436d
                  • Instruction Fuzzy Hash: 13711B719141998FDB1ECF28C8A03F8BFB1EB45308F5941EDC88ADB287D6349A85CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e9933dcc899219181f9779e3b09e0280b74be02be9940f998c21bb7812a2e0f9
                  • Instruction ID: c738a164eb7654494adbceb4a1b9185ce6d5bd1118245e0fb42738d0e2ce1d87
                  • Opcode Fuzzy Hash: e9933dcc899219181f9779e3b09e0280b74be02be9940f998c21bb7812a2e0f9
                  • Instruction Fuzzy Hash: 6441E4716241058BE70ACE1DECD04B9B7D6FF92320B59425ED486CB791C736FA22C790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetWindowDC.USER32(?,731CDE00,731C4380,?,?,001F076B), ref: 001F085C
                  • CreateCompatibleDC.GDI32(00000000), ref: 001F086B
                  • CreateCompatibleBitmap.GDI32(00000000,?,731CDE00), ref: 001F0886
                  • SelectObject.GDI32(00000000,00000000), ref: 001F0894
                  • GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 001F08AC
                  • GdipSetTextRenderingHint.GDIPLUS(00000000,00000003), ref: 001F08BB
                  • GdipSetSmoothingMode.GDIPLUS(00000000,00000002), ref: 001F08C4
                  • GdipSetInterpolationMode.GDIPLUS(00000000,00000007), ref: 001F08CD
                  • GdipSetPixelOffsetMode.GDIPLUS(00000000,00000002), ref: 001F08D6
                  • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 001F08F2
                  • GdipCreateSolidFill.GDIPLUS(000000FF,?), ref: 001F0911
                  • GdipDrawString.GDIPLUS(00000000,?,000000FF,00000000,?,?,?), ref: 001F0AA0
                  • GdipDrawString.GDIPLUS(00000000,003ABF08,000000FF,00000000,?,?,?), ref: 001F0B10
                  • GdipDrawString.GDIPLUS(00000000,?,000000FF,00000000,?,?,?), ref: 001F0B82
                  • GdipDrawString.GDIPLUS(00000000,?,000000FF,00000000,?,?,?), ref: 001F0BF4
                  • GetWindowDC.USER32(?), ref: 001F0C06
                  • UpdateLayeredWindow.USER32(?,00000000,?,003C6DB0,?,?,00000000,01FF0000,00000002), ref: 001F0C71
                  • GdipReleaseDC.GDIPLUS(00000000,?), ref: 001F0C7E
                  • ReleaseDC.USER32 ref: 001F0C91
                  • ReleaseDC.USER32 ref: 001F0C9F
                  • DeleteObject.GDI32(?), ref: 001F0CA7
                  • DeleteDC.GDI32(?), ref: 001F0CB3
                  • GdipDeleteBrush.GDIPLUS(?), ref: 001F0CBA
                  • GdipDeleteStringFormat.GDIPLUS(?), ref: 001F0CC6
                  • GdipDeleteGraphics.GDIPLUS(00000000), ref: 001F0CCD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Gdip$String$CreateDelete$Draw$ModeReleaseWindow$CompatibleFormatObject$BitmapBrushFillFromGraphicsHintInterpolationLayeredOffsetPixelRenderingSelectSmoothingSolidTextUpdate
                  • String ID: %02d$%02d$%02d$%02d$%02d$%02d$%02d$%02d
                  • API String ID: 1311691735-426798172
                  • Opcode ID: 7413928e00e9f4643ce36d532633b9bbe248b4d4ca6c502e3b72cc3cb9d5c8cc
                  • Instruction ID: 329e867f832a0b103f22d53a2c8e5ce94c4c73ba9c6e04806b06d1356f803a35
                  • Opcode Fuzzy Hash: 7413928e00e9f4643ce36d532633b9bbe248b4d4ca6c502e3b72cc3cb9d5c8cc
                  • Instruction Fuzzy Hash: 19E11C75A00218EFDB23DB64EC8AEF9B7BCEB49340F048196F509E2161DB716E858F51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0032D880: CreateEventW.KERNEL32(00000000,00000000), ref: 0032D9A6
                  • OpenClipboard.USER32(00000000), ref: 001FB977
                  • EmptyClipboard.USER32(?,?,?,?,00000000,0038D304,000000FF,?,002C18E0,?,?,?,?), ref: 001FB981
                  • CloseClipboard.USER32(?,?,?,?,00000000,0038D304,000000FF,?,002C18E0,?,?,?,?), ref: 001FB987
                  • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 001FBA2D
                  • OpenClipboard.USER32(00000000), ref: 001FBA5C
                  • EmptyClipboard.USER32(?,?,?,?,00000000,0038D304,000000FF,?,002C18E0,?,?,?,?), ref: 001FBA66
                  • CloseClipboard.USER32(?,?,?,?,00000000,0038D304,000000FF,?,002C18E0,?,?,?,?), ref: 001FBA6C
                  • MapVirtualKeyW.USER32(0000004C,00000000), ref: 001FBAA1
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBABC
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 001FBAD1
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBAE6
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 001FBAFB
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBB10
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 001FBB25
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBB3A
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 001FBB4F
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBB64
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 001FBB79
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBB8E
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 001FBBA3
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBBB8
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 001FBBCD
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBBE2
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 001FBBF7
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBC0C
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 001FBC21
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FBC36
                  • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 001FBC54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: InputSendVirtual$Clipboard$CloseEmptyMessageOpenPost$CreateEvent
                  • String ID: about:blank
                  • API String ID: 3502652839-258612819
                  • Opcode ID: d77cf4e78b8c8e1c8ff847daa86a9c347e4ff09f24ef2f9c0eaaeadd3495c48f
                  • Instruction ID: a451acb2d41bffa96499f46c00fdc631d079b37d88c1b9059527c63bc5b4e830
                  • Opcode Fuzzy Hash: d77cf4e78b8c8e1c8ff847daa86a9c347e4ff09f24ef2f9c0eaaeadd3495c48f
                  • Instruction Fuzzy Hash: 1B0271B0941348EEEF11DFA4C889BD9BBB8AF14704F14406AE908AF2D2D7F59548CB75
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000019), ref: 001FC849
                  • Sleep.KERNEL32(000003E8), ref: 001FC854
                  • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 001FC9CA
                  • OpenClipboard.USER32(00000000), ref: 001FC9F2
                  • EmptyClipboard.USER32 ref: 001FC9FC
                  • CloseClipboard.USER32 ref: 001FCA02
                  • MapVirtualKeyW.USER32(0000004C,00000000), ref: 001FCA37
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCA52
                  • MapVirtualKeyW.USER32(00000041,00000000), ref: 001FCA67
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCA7C
                  • MapVirtualKeyW.USER32(00000056,00000000), ref: 001FCA91
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCAA6
                  • MapVirtualKeyW.USER32(00000043,00000000), ref: 001FCABB
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCAD0
                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 001FCAE5
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCAFA
                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 001FCB0F
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCB24
                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 001FCB39
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCB4E
                  • MapVirtualKeyW.USER32(00000009,00000000), ref: 001FCB63
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCB78
                  • MapVirtualKeyW.USER32(00000020,00000000), ref: 001FCB8D
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCBA2
                  • MapVirtualKeyW.USER32(0000000D,00000000), ref: 001FCBB7
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 001FCBCC
                  • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 001FCBEA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: InputSendVirtual$Clipboard$MessagePost$CloseEmptyOpenSleepWindow
                  • String ID: d
                  • API String ID: 854906261-2564639436
                  • Opcode ID: 56bf7ddde07fd95a8584c275e7fe06f4d37c99ad883d89b83eeaaaa463b43d8c
                  • Instruction ID: 0e2ec4ac9d5b34d3c19a6c9e249997c7831ca980c09985c85d29bfb29e767abc
                  • Opcode Fuzzy Hash: 56bf7ddde07fd95a8584c275e7fe06f4d37c99ad883d89b83eeaaaa463b43d8c
                  • Instruction Fuzzy Hash: 44C16374E4034CAAEF11DFA8C845FEDBBB8AF08714F14405AE905BB2D2D7B59844CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetWindowRect.USER32 ref: 001F1322
                  • GetWindowDC.USER32(?,?,?,CB28B7D0), ref: 001F133B
                  • CreateCompatibleDC.GDI32(00000000), ref: 001F1347
                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001F1359
                  • SelectObject.GDI32(00000000,00000000), ref: 001F1364
                  • GdipCreateFromHDC.GDIPLUS(00000000,?,?,?,?,CB28B7D0), ref: 001F137E
                  • GdipGraphicsClear.GDIPLUS(00000000,FF000000,?,?,?,CB28B7D0), ref: 001F1399
                  • GdipAlloc.GDIPLUS(00000008,?,?,?,CB28B7D0), ref: 001F1463
                  • GdipCreatePen1.GDIPLUS(01000000,?,00000000,00000000,?,?,?,CB28B7D0), ref: 001F149E
                  • GdipAlloc.GDIPLUS(00000008,?,?,?,CB28B7D0), ref: 001F14AB
                  • GdipCreatePen1.GDIPLUS(FF000000,?,00000000,00000000,?,?,?,CB28B7D0), ref: 001F14E6
                  • GdipDrawRectangleI.GDIPLUS(00000000,00000000,00000000,00000000,?,?,?,?,?,CB28B7D0), ref: 001F1502
                  • GdipDeletePen.GDIPLUS(00000000,?,?,?,CB28B7D0), ref: 001F1512
                  • GdipFree.GDIPLUS(00000000,?,?,?,CB28B7D0), ref: 001F1519
                  • GdipDrawImagePointRectI.GDIPLUS(00000000,?,-003C693A,-003C6A36,00000000,00000000,00000028,00000028,00000002), ref: 001F157A
                  • GetWindowDC.USER32(?,?,?,?,CB28B7D0), ref: 001F1598
                  • UpdateLayeredWindow.USER32(?,00000000,?,?,?,?,00000000,01FF0000,00000002), ref: 001F15D4
                  • GdipReleaseDC.GDIPLUS(00000000,?,?,00000000,?,?,?,?,00000000,01FF0000,00000002,?,?,?,?,CB28B7D0), ref: 001F15DF
                  • ReleaseDC.USER32 ref: 001F15ED
                  • ReleaseDC.USER32 ref: 001F15F3
                  • DeleteObject.GDI32(?), ref: 001F15F8
                  • DeleteDC.GDI32(?), ref: 001F1601
                  • GdipDeleteGraphics.GDIPLUS(00000000,?,?,?,00000000,?,00000000,?,?,?,?,00000000,01FF0000,00000002), ref: 001F1608
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Gdip$Create$DeleteWindow$Release$AllocCompatibleDrawGraphicsObjectPen1Rect$BitmapClearFreeFromImageLayeredPointRectangleSelectUpdate
                  • String ID:
                  • API String ID: 3881143532-0
                  • Opcode ID: 0b3278b09d5eb940b05fc9a2f8049cd31a4c5f7817a29b4474d0c2a00ab01b37
                  • Instruction ID: af4ab8a48c500e5a7cc532eb35e54e6d51da93796453e43a7392c5c20c3e8e38
                  • Opcode Fuzzy Hash: 0b3278b09d5eb940b05fc9a2f8049cd31a4c5f7817a29b4474d0c2a00ab01b37
                  • Instruction Fuzzy Hash: 58A14D75E00218EFCB26CFA4DD48FAEBBB9FF89710F15411AE906A7254D771A842CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 002C1960
                  • PathAppendW.SHLWAPI(?,003C786C), ref: 002C1983
                  • PathAppendW.SHLWAPI(?,003C7884), ref: 002C19A0
                  • PathFileExistsW.SHLWAPI(?), ref: 002C19A9
                  • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000001,?), ref: 002C19D7
                  • PathAppendW.SHLWAPI(?,003C786C), ref: 002C19F4
                  • PathAppendW.SHLWAPI(?,003C7884), ref: 002C1A11
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Path$Append$Folder$ExistsFile
                  • String ID: <x<$DisplayIcon$Tx<$lx<$lx<$sogou.com
                  • API String ID: 2743330544-1836181221
                  • Opcode ID: 985c5b50d558e0c26164e8f82d7fc108750315de3d8c024ae787c2b1ab9cf9dc
                  • Instruction ID: e029bac3a8a9f72a2d5f81b9e0adb6cbf11fcd3c6d4b46ac3e8ddadc9eda3579
                  • Opcode Fuzzy Hash: 985c5b50d558e0c26164e8f82d7fc108750315de3d8c024ae787c2b1ab9cf9dc
                  • Instruction Fuzzy Hash: 77D1B271911305EBDF11DF64CC8AF99B7B8EF14300F5041AEE90AA7282DB74AA94CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetDC.USER32(00000000), ref: 001F0417
                  • EnumDisplayMonitors.USER32(00000000,00000000,Function_00030360,003C6DE8), ref: 001F0454
                  • ReleaseDC.USER32 ref: 001F045D
                  • GdipCreatePath.GDIPLUS(00000000,?), ref: 001F04F3
                  • GdipCreateStringFormat.GDIPLUS(00000000,00000000,?), ref: 001F050C
                  • GdipAddPathString.GDIPLUS(?,003ABF14,000000FF,00000000,00000000,?,?,?), ref: 001F0574
                  • GdipGetPathWorldBounds.GDIPLUS(?,00000000,00000000,00000000), ref: 001F0592
                  • GdipResetPath.GDIPLUS(?), ref: 001F05F2
                  • GdipAddPathString.GDIPLUS(?,003ABF08,000000FF,00000000,00000000,?,?,?), ref: 001F065C
                  • GdipGetPathWorldBounds.GDIPLUS(?,00000000,00000000,00000000), ref: 001F0674
                  • GdipResetPath.GDIPLUS(?), ref: 001F0697
                  • GdipAddPathString.GDIPLUS(?,003ABF1C,000000FF,00000000,00000000,?,?,?), ref: 001F0701
                  • GdipGetPathWorldBounds.GDIPLUS(?,00000000,00000000,00000000), ref: 001F0719
                  • GdipDeleteStringFormat.GDIPLUS(?), ref: 001F076E
                  • GdipDeletePath.GDIPLUS(?), ref: 001F0777
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Gdip$Path$String$BoundsWorld$CreateDeleteFormatReset$DisplayEnumMonitorsRelease
                  • String ID:
                  • API String ID: 2988191496-0
                  • Opcode ID: c3d14baa6fc6aa3215f23afbcd674505e957e6bcd412f5efd2f8dc1815234567
                  • Instruction ID: a24e9e8ea1f755b27caa4b62d0dada40f376fe8864abf56ea3206ba165cccbc3
                  • Opcode Fuzzy Hash: c3d14baa6fc6aa3215f23afbcd674505e957e6bcd412f5efd2f8dc1815234567
                  • Instruction Fuzzy Hash: 03B1FC70E14209EFDB06DFB5ED45BADBBB9AF49310F10825AE402F62A1E7716984CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,001FC13F), ref: 0028122D
                  • PathAppendW.SHLWAPI(?,003C7A64,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00281254
                  • PathAppendW.SHLWAPI(?,003C7A7C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00281271
                  • PathAppendW.SHLWAPI(?,003C7A94,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0028128E
                  • PathAppendW.SHLWAPI(?,003C7AAC,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 002812AB
                  • PathAppendW.SHLWAPI(?,003C7AC4,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 002812C8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Path$Append$Folder
                  • String ID: 4z<$Exe$Lz<$baidu.com$dz<$|z<
                  • API String ID: 2044587772-1636441062
                  • Opcode ID: 5a296eab4c186a021881c6e9c8785cb004dff0d6ce9eb1616081da00558f7f7b
                  • Instruction ID: 034e0b345a1b7ea98600821cf970d87553f8fa4c78ed54d744fc73c768e4f477
                  • Opcode Fuzzy Hash: 5a296eab4c186a021881c6e9c8785cb004dff0d6ce9eb1616081da00558f7f7b
                  • Instruction Fuzzy Hash: CF91AE75A04209EBDB15EF64DC49F9EBBB8FF18300F10029AE81997281DB74AA54CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 003100EB
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0031022A
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 003102E3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID: exceeds the maximum of $ is less than the minimum of $4K9$4K9$: IV length $: this object cannot use a null IV$: this object requires an IV
                  • API String ID: 2005118841-1564923227
                  • Opcode ID: fb8ce44e2c0c0787e0890f5da34f432331c66138dee389e19ea1a62aa909b144
                  • Instruction ID: c1fde82a54e65f1e0be75f39442a8fdfa62c678ffe10b4463f12394ab770889a
                  • Opcode Fuzzy Hash: fb8ce44e2c0c0787e0890f5da34f432331c66138dee389e19ea1a62aa909b144
                  • Instruction Fuzzy Hash: C6E16B71A00248AFDB06DBA8C885FDEBBF9EF5D310F1041A9E505A7381DB75AE44CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 0036B0D4
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A323
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A335
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A347
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A359
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A36B
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A37D
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A38F
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A3A1
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A3B3
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A3C5
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A3D7
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A3E9
                    • Part of subcall function 0036A306: _free.LIBCMT ref: 0036A3FB
                  • _free.LIBCMT ref: 0036B0C9
                    • Part of subcall function 00364D06: RtlFreeHeap.NTDLL(00000000,00000000,?,0036AA73,?,00000000,?,00000000,?,0036AD17,?,00000007,?,?,0036B228,?), ref: 00364D1C
                    • Part of subcall function 00364D06: GetLastError.KERNEL32(?,?,0036AA73,?,00000000,?,00000000,?,0036AD17,?,00000007,?,?,0036B228,?,?), ref: 00364D2E
                  • _free.LIBCMT ref: 0036B0EB
                  • _free.LIBCMT ref: 0036B100
                  • _free.LIBCMT ref: 0036B10B
                  • _free.LIBCMT ref: 0036B12D
                  • _free.LIBCMT ref: 0036B140
                  • _free.LIBCMT ref: 0036B14E
                  • _free.LIBCMT ref: 0036B159
                  • _free.LIBCMT ref: 0036B191
                  • _free.LIBCMT ref: 0036B198
                  • _free.LIBCMT ref: 0036B1B5
                  • _free.LIBCMT ref: 0036B1CD
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: 348180ce9b34d1ad48e436efa6d10b63f1f8a168e5af69bd29a6b3a7895ba4d2
                  • Instruction ID: 3a00552ee7ef340a81b4f0d6b9a6b22a7e1648e705a1a5fc062bd541b5a375fe
                  • Opcode Fuzzy Hash: 348180ce9b34d1ad48e436efa6d10b63f1f8a168e5af69bd29a6b3a7895ba4d2
                  • Instruction Fuzzy Hash: 2D314B31A00204AFEB32AF39D845B5AB7E9EF02750F15D429E459DB25ADF31ACC08B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcessId.KERNEL32(?,?,?,?), ref: 003367B2
                  • GetCurrentThreadId.KERNEL32 ref: 003367D6
                  • _Smanip.LIBCPMT ref: 00336837
                  • _Smanip.LIBCPMT ref: 00336856
                  • _Smanip.LIBCPMT ref: 003368F6
                  • GetTickCount.KERNEL32 ref: 00336945
                  • _Smanip.LIBCPMT ref: 003368C6
                    • Part of subcall function 00325810: std::_Facet_Register.LIBCPMT ref: 0032591D
                  • _Smanip.LIBCPMT ref: 0033688B
                    • Part of subcall function 00325810: std::_Lockit::_Lockit.LIBCPMT ref: 00325851
                    • Part of subcall function 00325810: std::_Lockit::_Lockit.LIBCPMT ref: 0032586C
                    • Part of subcall function 00325810: std::_Lockit::~_Lockit.LIBCPMT ref: 0032588C
                    • Part of subcall function 00325810: std::_Lockit::~_Lockit.LIBCPMT ref: 00325935
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Smanipstd::_$Lockit$CurrentLockit::_Lockit::~_$CountFacet_ProcessRegisterThreadTick
                  • String ID: )] $VERBOSE
                  • API String ID: 3257458002-2781469043
                  • Opcode ID: 5c25c1c89d785a0389ddd531bb4ce3f6015a6a45b81ea8644c42c315807ec3c9
                  • Instruction ID: 3e997591621133f5cce300db003c97b4f9f6a35de94c30a064014e422c02034c
                  • Opcode Fuzzy Hash: 5c25c1c89d785a0389ddd531bb4ce3f6015a6a45b81ea8644c42c315807ec3c9
                  • Instruction Fuzzy Hash: 6B81D871E00204BFDB16EBB4EC86FADB7B9AF45304F048529F445AB292EB71A954C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsWindow.USER32(00000000), ref: 001FC2AC
                  • KillTimer.USER32(?,00000005), ref: 001FC2DA
                  • SetTimer.USER32(?,00000006,000001F4,00000000), ref: 001FC2F0
                  • OpenClipboard.USER32(00000000), ref: 001FC3E5
                  • EmptyClipboard.USER32 ref: 001FC3EF
                  • CloseClipboard.USER32 ref: 001FC3F5
                  • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 001FC49E
                    • Part of subcall function 00308D80: CreateToolhelp32Snapshot.KERNEL32 ref: 00308DAE
                    • Part of subcall function 00308D80: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00308DC7
                    • Part of subcall function 00308D80: Process32NextW.KERNEL32(00000000,0000022C), ref: 00308E16
                    • Part of subcall function 00308D80: Process32NextW.KERNEL32(00000000,0000022C), ref: 00308E67
                    • Part of subcall function 00308D80: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00308E6E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ClipboardProcess32$CloseNextTimer$CreateEmptyFirstHandleKillMessageOpenPostSnapshotToolhelp32Window
                  • String ID: d
                  • API String ID: 3452913711-2564639436
                  • Opcode ID: f66fab49ef2369279a0b763c7a74a9a480bfbaa25035a1b969f365e22f4ea6fa
                  • Instruction ID: 3b043221cca2cd29416feca15d0667d4b4d32f7863e1b7e41b72792dbe1e88dc
                  • Opcode Fuzzy Hash: f66fab49ef2369279a0b763c7a74a9a480bfbaa25035a1b969f365e22f4ea6fa
                  • Instruction Fuzzy Hash: A05126B0294B0DAEF7359F61DD4BF767798AB10700F04850DF399461D2EBE16C05A7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • UnDecorator::getArgumentList.LIBVCRUNTIME ref: 0034F977
                    • Part of subcall function 0034F861: Replicator::operator[].LIBVCRUNTIME ref: 0034F8CD
                    • Part of subcall function 0034F861: DName::operator+=.LIBVCRUNTIME ref: 0034F8D5
                  • DName::operator+.LIBCMT ref: 0034F9CE
                  • DName::DName.LIBVCRUNTIME ref: 0034FA17
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                  • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                  • API String ID: 834187326-2211150622
                  • Opcode ID: baa3c7e010143260d8278d179e8727ba572868e52ab6184a25432adfc4ffa666
                  • Instruction ID: a6a44c356c697bf5eae53161a2d429f188f12a5511e14e27634dcdadcaf357da
                  • Opcode Fuzzy Hash: baa3c7e010143260d8278d179e8727ba572868e52ab6184a25432adfc4ffa666
                  • Instruction Fuzzy Hash: D7213B74600108AFCB0BDF5ED956F653BE8EB05348F098165E94ADF262DB32F9018B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00364BB7: GetLastError.KERNEL32(?,00000000,00355AE9,00000000,?,?,003548F1,?,?,00000000,00000000), ref: 00364BBB
                    • Part of subcall function 00364BB7: _free.LIBCMT ref: 00364BEE
                    • Part of subcall function 00364BB7: SetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 00364C2F
                  • _memcmp.LIBVCRUNTIME ref: 00360354
                  • _free.LIBCMT ref: 003603C5
                  • _free.LIBCMT ref: 003603DE
                  • _free.LIBCMT ref: 00360410
                  • _free.LIBCMT ref: 00360419
                  • _free.LIBCMT ref: 00360425
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: _free$ErrorLast$_memcmp
                  • String ID: C
                  • API String ID: 4275183328-1037565863
                  • Opcode ID: 8c58f61e9ea296d96164b05ef728efa88ab09525d7b0a0c68de711028f7bb671
                  • Instruction ID: 5fcafe96afa4f59965610e1401072f4aa7a963f8cbb7d09d51e4971f2723996d
                  • Opcode Fuzzy Hash: 8c58f61e9ea296d96164b05ef728efa88ab09525d7b0a0c68de711028f7bb671
                  • Instruction Fuzzy Hash: 26B14D75901219DFDB2ADF18C885BAEB7B4FF09304F5085AAD949A7354E731AE90CF40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 001E0E20: std::_Lockit::_Lockit.LIBCPMT ref: 001E0E69
                    • Part of subcall function 001E0E20: std::_Lockit::_Lockit.LIBCPMT ref: 001E0E8B
                    • Part of subcall function 001E0E20: std::_Lockit::~_Lockit.LIBCPMT ref: 001E0EAB
                    • Part of subcall function 001E0E20: std::_Lockit::~_Lockit.LIBCPMT ref: 001E0F78
                  • OutputDebugStringA.KERNEL32(?,?,?), ref: 0033628D
                  • WaitForSingleObject.KERNEL32(000000FF,?,?), ref: 003362FE
                  • SetFilePointer.KERNEL32(00000000,00000000,00000002,?,?), ref: 00336326
                  • WriteFile.KERNEL32(?,?,?,00000000), ref: 00336356
                  • ReleaseMutex.KERNEL32(?,?), ref: 0033636B
                  • SetLastError.KERNEL32(?,?,?), ref: 00336471
                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 003364BF
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Lockitstd::_$FileLockit::_Lockit::~_$DebugErrorIos_base_dtorLastMutexObjectOutputPointerReleaseSingleStringWaitWritestd::ios_base::_
                  • String ID:
                  • API String ID: 2828274881-0
                  • Opcode ID: 5284f2af97ca1ea3841e3dcd4547290dfb37cfe29a72eddc1e492a5ed97b28eb
                  • Instruction ID: 7a5c589f7e340e333fb4266b135302dc5bb6100fcb236f559031985356a63ad0
                  • Opcode Fuzzy Hash: 5284f2af97ca1ea3841e3dcd4547290dfb37cfe29a72eddc1e492a5ed97b28eb
                  • Instruction Fuzzy Hash: 3E918370600208AFDB26DF55DC86F99B7F8EF04304F5084A9E64A9B162DB31BE89CF15
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::locale::_Init.LIBCPMT ref: 0032098C
                  • std::ios_base::_Addstd.LIBCPMT ref: 00320A0F
                  • std::locale::_Init.LIBCPMT ref: 00320AB8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Initstd::locale::_$Addstdstd::ios_base::_
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 2938473529-1866435925
                  • Opcode ID: 8ea3dd5cad68b7341e1c098acd30fc94ef27148b97ae02fdda8f204739e85dd9
                  • Instruction ID: 52d7e18aefc0f88edcff4b6cbe52f8af26e60ee824a89a219ccb3cc784e618ca
                  • Opcode Fuzzy Hash: 8ea3dd5cad68b7341e1c098acd30fc94ef27148b97ae02fdda8f204739e85dd9
                  • Instruction Fuzzy Hash: C881A9B46007069FE715CF68D884B96BBE0FF09304F44852AE94A8BB42D7B5E858CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetTopWindow.USER32(00000000), ref: 0030C0C7
                  • IsWindowVisible.USER32(00000000), ref: 0030C0D3
                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0030C0E0
                  • GetAncestor.USER32(00000000,00000003), ref: 0030C0FE
                  • GetLastActivePopup.USER32(00000000), ref: 0030C113
                  • GetWindow.USER32(00000000,00000002), ref: 0030C14E
                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0030C179
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Window$ActiveAncestorLastLongPopupProcessThreadVisible
                  • String ID:
                  • API String ID: 1964951579-0
                  • Opcode ID: 6297477c6a7cd5617f42bfe92072ff9cb2d6582c4a8e7dd33f2892ab91929ab3
                  • Instruction ID: 1a5fddb503a7be85c229483e0038be3dcd1e2decedd274cdb994ec13a28d2ec4
                  • Opcode Fuzzy Hash: 6297477c6a7cd5617f42bfe92072ff9cb2d6582c4a8e7dd33f2892ab91929ab3
                  • Instruction Fuzzy Hash: 15516F71D11219EBDF19DFA8D895BEEBBB9EF08714F21021AF815A3281D7309E41CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • Netbios.NETAPI32(00000037), ref: 00326120
                  • Netbios.NETAPI32(00000037), ref: 0032615C
                  • Netbios.NETAPI32(00000033), ref: 003261D6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Netbios
                  • String ID: %02X%02X%02X%02X%02X%02X$* $3
                  • API String ID: 544444789-3860363367
                  • Opcode ID: fda629d06e396b824b85c5fe3ac45459aa6b3aafb34f2f1fd8e4129ddf6631b6
                  • Instruction ID: 5f5fb6dd3aeb9f5cc3b2f09e13f8f9aa9d98a393c0c968119302e22196eda310
                  • Opcode Fuzzy Hash: fda629d06e396b824b85c5fe3ac45459aa6b3aafb34f2f1fd8e4129ddf6631b6
                  • Instruction Fuzzy Hash: 0741F771A052A85BDF23DB649C02BE97BFC9F49304F0440EAE58CEB192D675AF44CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,CB28B7D0), ref: 0030874F
                  • SHCreateDirectoryExW.SHELL32(00000000,?,00000000,\ScreenSaver\,0000000D,?,?), ref: 003087D4
                  • WritePrivateProfileStringW.KERNEL32(%General,?,003ABBA4,?), ref: 00308818
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: CreateDirectoryFolderPathPrivateProfileSpecialStringWrite
                  • String ID: %General$SSCI$\ScreenSaver\
                  • API String ID: 3291460349-591173976
                  • Opcode ID: 736220626bb3ba0547068bbe1ccff889a78e5d2356eda4be2f487728e902477b
                  • Instruction ID: c3326c6cc29d9cb42b4e39bdf3ce5d0660ba856888b837359915b7b423bd59ba
                  • Opcode Fuzzy Hash: 736220626bb3ba0547068bbe1ccff889a78e5d2356eda4be2f487728e902477b
                  • Instruction Fuzzy Hash: BC316031950218EBDB21DF54DC99FDAB7B8FF15711F4001AAE509A7280DB74AB44CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetDlgItem.USER32 ref: 001FA609
                  • SendMessageW.USER32(00000000,0000000C,00000000,000000FF), ref: 001FA633
                  • GetDlgItem.USER32 ref: 001FA6A9
                  • SendMessageW.USER32(00000000,0000000C,00000000,000000FF), ref: 001FA6D3
                  • GetDlgItem.USER32 ref: 001FA74D
                  • SendMessageW.USER32(00000000,0000000C,00000000,000000FF), ref: 001FA777
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ItemMessageSend
                  • String ID:
                  • API String ID: 3015471070-0
                  • Opcode ID: ca7a84ed89b7dc5d9e7fca65e15e37124d54893ae8e8f8c95a4693beb4d798e3
                  • Instruction ID: 1ccb254ef9860a9580fd530e466045ad1ebab3d318a511926735d9d5fe0667d2
                  • Opcode Fuzzy Hash: ca7a84ed89b7dc5d9e7fca65e15e37124d54893ae8e8f8c95a4693beb4d798e3
                  • Instruction Fuzzy Hash: D5912576B00209CBCB1A9B24CC55BBE3776EF55310F90422DEA066B684EF759D428791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00358657,00358657,?,?,?,0036D5CD,00000001,00000001,49E85006), ref: 0036D3D6
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0036D5CD,00000001,00000001,49E85006,?,?,?), ref: 0036D45C
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,49E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0036D556
                  • __freea.LIBCMT ref: 0036D563
                    • Part of subcall function 00364D40: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036D689,?,00000000,?,00000003,00364C3A), ref: 00364D72
                  • __freea.LIBCMT ref: 0036D56C
                  • __freea.LIBCMT ref: 0036D591
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                  • String ID:
                  • API String ID: 1414292761-0
                  • Opcode ID: 2224f20136a6b3214c34741469278c18e93eacd6537bc68b3f84168507438739
                  • Instruction ID: dacf9d779b226452299da1bc3267e9f569d8754b8da853594e0b9841132029d6
                  • Opcode Fuzzy Hash: 2224f20136a6b3214c34741469278c18e93eacd6537bc68b3f84168507438739
                  • Instruction Fuzzy Hash: 45511172F00206AFDB279F60DC81EBB77A9EB45754F168629FE06DB158DB30DC5086A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: __cftoe
                  • String ID:
                  • API String ID: 4189289331-0
                  • Opcode ID: 33a4e11dca0f8a4477a2fee9199f62b9c5a90c57e2f32302021e150d444baa2a
                  • Instruction ID: b7cdf0240b2b1908cedbdc831bb41fc00fc93e7048d6c75ad9a7f4204c7bb25c
                  • Opcode Fuzzy Hash: 33a4e11dca0f8a4477a2fee9199f62b9c5a90c57e2f32302021e150d444baa2a
                  • Instruction Fuzzy Hash: 17512D32900205ABDB2B9F68CC43EAF77B8DF89360F15C219F815DA19ADB31D9108A64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 001ED9D5
                  • std::_Lockit::_Lockit.LIBCPMT ref: 001ED9F7
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001EDA17
                  • __Getcvt.LIBCPMT ref: 001EDAB0
                  • std::_Facet_Register.LIBCPMT ref: 001EDAE7
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001EDAFF
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcvtRegister
                  • String ID:
                  • API String ID: 3552396256-0
                  • Opcode ID: 3bb4e872f7bd7ebe8f42d05e6b72e147b327df7359f1a22441b87b8477a6e31e
                  • Instruction ID: f21ab1452300b29f6a26baedac4dcf8c28e2211d84bb4c8653f78f0c87185d08
                  • Opcode Fuzzy Hash: 3bb4e872f7bd7ebe8f42d05e6b72e147b327df7359f1a22441b87b8477a6e31e
                  • Instruction Fuzzy Hash: 6E411171904655CFCB16CF55E841AAEB7F4FF58300F1581ADE846AB392EB30BA84CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLastError.KERNEL32(?,?,0034D0CC,0034AB44,0031CC4C,00000008,0031CF71,?,?,?,?,001E1F97,?,?,CB28B7D0), ref: 0034D0E3
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0034D0F1
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0034D10A
                  • SetLastError.KERNEL32(00000000,?,0034D0CC,0034AB44,0031CC4C,00000008,0031CF71,?,?,?,?,001E1F97,?,?,CB28B7D0), ref: 0034D15C
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: 738f28e5d20f852e452503904cb7bd1653bb092979b75369e72976c1a09690bf
                  • Instruction ID: 4ca501f7a918166b42529ded343b1f9078293cddbcc5b856e882fba4744ac68a
                  • Opcode Fuzzy Hash: 738f28e5d20f852e452503904cb7bd1653bb092979b75369e72976c1a09690bf
                  • Instruction Fuzzy Hash: 6401F7761093115EE6672B787C8BA1A27DCEF013BAF71073AFA204E6E4EF526C019544
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileAttributesW.KERNEL32(003081F3,00000000,00000000), ref: 0032C6E3
                  • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 0032C7F2
                  • GetLastError.KERNEL32 ref: 0032C7FC
                    • Part of subcall function 0032CBB0: GetFileAttributesW.KERNEL32(?,?,0032C812,003081F3), ref: 0032CBBF
                  Strings
                  • Check failed: *error != base::PLATFORM_FILE_OK. , xrefs: 0032C7C2
                  • c:\qt\givememoney\base\file_util_win.cc, xrefs: 0032C7AF
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: AttributesFile$CreateDirectoryErrorLast
                  • String ID: Check failed: *error != base::PLATFORM_FILE_OK. $c:\qt\givememoney\base\file_util_win.cc
                  • API String ID: 3262623940-3979710063
                  • Opcode ID: e90a3c965f8ecb6072956d2ef0bba05fae0d265cedfc19a60d10691072be3886
                  • Instruction ID: f1a325fdf2b738eda95f1cca93ae57cc1f60d7c247251cb3be5a9f55ec53308f
                  • Opcode Fuzzy Hash: e90a3c965f8ecb6072956d2ef0bba05fae0d265cedfc19a60d10691072be3886
                  • Instruction Fuzzy Hash: 7B412736E102249FCF229F68FC466FDB3B8EF55311F10616AE8416B281EB319D45CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetTickCount.KERNEL32 ref: 001FC21F
                  • ShellExecuteW.SHELL32(00000000,open,00000054,00000200,00000000,00000000), ref: 001FC251
                  • KillTimer.USER32(?,00000005), ref: 001FC263
                  • SetTimer.USER32(?,00000005,00000032,00000000), ref: 001FC272
                    • Part of subcall function 00308EB0: CreateToolhelp32Snapshot.KERNEL32 ref: 00308EDB
                    • Part of subcall function 00308EB0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00308EF4
                    • Part of subcall function 00308EB0: Process32NextW.KERNEL32(00000000,0000022C), ref: 00308F4D
                    • Part of subcall function 00308EB0: OpenProcess.KERNEL32(00100001,00000000,?,?,?,00000000), ref: 00308FB1
                    • Part of subcall function 00308EB0: TerminateProcess.KERNEL32(00000000,00000000,?,?,00000000), ref: 00308FC0
                    • Part of subcall function 00308EB0: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00308FC7
                    • Part of subcall function 00308EB0: Process32NextW.KERNEL32(00000000,0000022C), ref: 00308FD7
                    • Part of subcall function 00308EB0: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00308FE2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Process32$CloseHandleNextProcessTimer$CountCreateExecuteFirstKillOpenShellSnapshotTerminateTickToolhelp32
                  • String ID: open
                  • API String ID: 271766535-2758837156
                  • Opcode ID: 078e50f12e6048e8f2b82bd4d14399065b10c24e1a87395b68dc40fd3f74d93b
                  • Instruction ID: 5129e764d49e7d8f197c95d682f1796e344d73670b51cbfc1a34167ecf00cdce
                  • Opcode Fuzzy Hash: 078e50f12e6048e8f2b82bd4d14399065b10c24e1a87395b68dc40fd3f74d93b
                  • Instruction Fuzzy Hash: 68118230181B08EFE726DBA0CD4AFA27BE9EB02705F00055EE296561E1D7B17844CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0035E2E8,00000000,?,0035E288,00000000,003B7EA8,0000000C,0035E3DF,00000000,00000002), ref: 0035E357
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0035E36A
                  • FreeLibrary.KERNEL32(00000000,?,?,?,0035E2E8,00000000,?,0035E288,00000000,003B7EA8,0000000C,0035E3DF,00000000,00000002), ref: 0035E38D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  • Opcode ID: d395b0281d4aa3dc4b708e23633e3c47bbf3c9bda936cfe9d48a37251acd8194
                  • Instruction ID: d9240d2ea15bbe25a12408d77155ddc0256e5a332ab9249a1fa4ccae03a9060b
                  • Opcode Fuzzy Hash: d395b0281d4aa3dc4b708e23633e3c47bbf3c9bda936cfe9d48a37251acd8194
                  • Instruction Fuzzy Hash: CAF04475605208BBCB165F90DC09FDDBFB8EF04716F010166FC05A2160DB358A45CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 0036A7D8
                    • Part of subcall function 00364D06: RtlFreeHeap.NTDLL(00000000,00000000,?,0036AA73,?,00000000,?,00000000,?,0036AD17,?,00000007,?,?,0036B228,?), ref: 00364D1C
                    • Part of subcall function 00364D06: GetLastError.KERNEL32(?,?,0036AA73,?,00000000,?,00000000,?,0036AD17,?,00000007,?,?,0036B228,?,?), ref: 00364D2E
                  • _free.LIBCMT ref: 0036A7EA
                  • _free.LIBCMT ref: 0036A7FC
                  • _free.LIBCMT ref: 0036A80E
                  • _free.LIBCMT ref: 0036A820
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 663c868889810892037d02a3f697f673e0701d4b43d6418176b963a54f731363
                  • Instruction ID: 4ee24c79141ee48c4be68a4a7672f71b464c00b25aa85dd6fca544b2a379c71e
                  • Opcode Fuzzy Hash: 663c868889810892037d02a3f697f673e0701d4b43d6418176b963a54f731363
                  • Instruction Fuzzy Hash: 7BF01232D046046BC633EF58F8C2C1A77EDEA05B14B65E815F144EB606CB34FCC18AA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: __aulldiv
                  • String ID: Check failed: it != outbuf.begin(). $c:\qt\givememoney\base\strings\string_number_conversions.cc$null
                  • API String ID: 3732870572-2671372734
                  • Opcode ID: 300692b87b2c6d6a052134f809c47146ebe11eff1599e5c7495d605a3b14e0d1
                  • Instruction ID: 13ae5aff1e18e39c3ae9c19debe5016363ba3bf6f8540f402e34819d3a1481bf
                  • Opcode Fuzzy Hash: 300692b87b2c6d6a052134f809c47146ebe11eff1599e5c7495d605a3b14e0d1
                  • Instruction Fuzzy Hash: F7511871E002189FDF16DFA8DCC2BEDB7B0EF54300F148559E511AB282DB74A946CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00341871
                    • Part of subcall function 00340F90: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,000007D0,?,00336B7E), ref: 00340F99
                  Strings
                  • vs. , xrefs: 003417A7
                  • c:\qt\givememoney\base\metrics\sparse_histogram.cc, xrefs: 00341882
                  • SPARSE_HISTOGRAM == histogram->GetHistogramType(), xrefs: 003417B9
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: CountCriticalInitializeIos_base_dtorSectionSpinstd::ios_base::_
                  • String ID: vs. $SPARSE_HISTOGRAM == histogram->GetHistogramType()$c:\qt\givememoney\base\metrics\sparse_histogram.cc
                  • API String ID: 1183622951-3267471456
                  • Opcode ID: 9a610fb0ab2fec01832237a5e72bb4734edfdd4554d3af4c1cbcf02633961d93
                  • Instruction ID: f46f671fbfac730224da1f42e5b442f345665c2920d22c6b3ea98fa9d6c6e57b
                  • Opcode Fuzzy Hash: 9a610fb0ab2fec01832237a5e72bb4734edfdd4554d3af4c1cbcf02633961d93
                  • Instruction Fuzzy Hash: D841D375A006145BCB26EB74DC46FDEB7E4AF45700F004464F80DAF352EE71AA898B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 001D4175
                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,?,?,?), ref: 001D41A1
                  • VerQueryValueW.VERSION(?,003A8C58,?,?,?,00000000,00000000,?,?,?), ref: 001D41C9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: FileInfoVersion$QuerySizeValue
                  • String ID: %d.%d.%d.%d
                  • API String ID: 2179348866-3491811756
                  • Opcode ID: 1300cbf564b048acb8090dd61b9fd68d72062eb87f2b744b61abe9caad01686b
                  • Instruction ID: b0570324d81693bc2a6343bd33a1693286f12eb92363abf4f2ebb486b9ad1043
                  • Opcode Fuzzy Hash: 1300cbf564b048acb8090dd61b9fd68d72062eb87f2b744b61abe9caad01686b
                  • Instruction Fuzzy Hash: F431D6B16012189BCB24DB55DC45EBAB3BCEF44700F4445AAFA19D7181DB30EE85CBB4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,ios_base::failbit set), ref: 00336676
                  • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00336698
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: FileModuleNameSimpleString::operator=
                  • String ID: debug.log$ios_base::badbit set
                  • API String ID: 912069222-3077188659
                  • Opcode ID: 58e9ecca9f72d93b495cd3e05c64ec01f0ff4e2eb440bbcb9698d810c771593b
                  • Instruction ID: 1c375f3fec7b46903f6e3053e968a262f275ac3e7644391da8db658b06d9b04f
                  • Opcode Fuzzy Hash: 58e9ecca9f72d93b495cd3e05c64ec01f0ff4e2eb440bbcb9698d810c771593b
                  • Instruction Fuzzy Hash: D3210830710704AFCB31DF28C896A6EB3F9FF84744F11866ED551CB290DBB0A9458791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • InternetCrackUrlW.WININET(?,?,N3,0000003C), ref: 003326CA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: CrackInternet
                  • String ID: N3$ $<
                  • API String ID: 1381609488-3874681948
                  • Opcode ID: 3071fb918a6da631e689a022570c3bceb496cb493d0ccfbb3b584240bc3a85ef
                  • Instruction ID: 7abf71e1f06ec175358d9e0bb0b3d9cac18949adc006a95136f63d5b09b75842
                  • Opcode Fuzzy Hash: 3071fb918a6da631e689a022570c3bceb496cb493d0ccfbb3b584240bc3a85ef
                  • Instruction Fuzzy Hash: E63118748003099ADB24DF99D8887EEBBF8FF04314F10851AE85AA7290D7B569898F90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetLastError.KERNEL32(0000000D,?,0031C54D,00000001,00320A49,?,00000000,?,001DC447,003C6D54,001E1650,003C6D58,?,00320A49,00000001,00000001), ref: 0031F9C2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ErrorLast
                  • String ID: Xm<$ios_base::failbit set
                  • API String ID: 1452528299-3145023179
                  • Opcode ID: 5b1ecab0d34602022fbd0a816ae34a8040e1cc0d63572fa0575dd354fa099587
                  • Instruction ID: 26f932516814f7de8c34fbca21725c19d1c961eca28dbfe8812ccbca02086656
                  • Opcode Fuzzy Hash: 5b1ecab0d34602022fbd0a816ae34a8040e1cc0d63572fa0575dd354fa099587
                  • Instruction Fuzzy Hash: C6118232210215BFCF176F64DC44AAEB769BF4C755F028039F945D6220DB319851CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID:
                  • API String ID: 1036877536-0
                  • Opcode ID: 28f0e84ff7fb5002b5d8c937d361d8b050d2cdb14eb25cf1cfcc1d772b7d27b0
                  • Instruction ID: 750ae9af7f5712fdfdc73491fb4b027afc32f0962d501932c6f86009fdfc3a84
                  • Opcode Fuzzy Hash: 28f0e84ff7fb5002b5d8c937d361d8b050d2cdb14eb25cf1cfcc1d772b7d27b0
                  • Instruction Fuzzy Hash: 4DA16936A00B869FDB23CF18C8917AEBBE5EF16350F2985BDE4859B386C2748D41C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Mtx_unlock.LIBCPMT ref: 001E8883
                    • Part of subcall function 0031D7CA: std::future_error::future_error.LIBCPMT ref: 0031D7DB
                    • Part of subcall function 0031D7CA: __CxxThrowException@8.LIBVCRUNTIME ref: 0031D7E9
                  • std::_Rethrow_future_exception.LIBCPMT ref: 001E88D7
                    • Part of subcall function 0031D7A7: __EH_prolog3.LIBCMT ref: 0031D7AE
                  • std::_Rethrow_future_exception.LIBCPMT ref: 001E88E7
                  • __Mtx_unlock.LIBCPMT ref: 001E899F
                    • Part of subcall function 0031BE39: std::_Throw_Cpp_error.LIBCPMT ref: 0031BE60
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: std::_$Mtx_unlockRethrow_future_exception$Cpp_errorException@8H_prolog3ThrowThrow_mtx_do_lockstd::future_error::future_error
                  • String ID:
                  • API String ID: 1557590360-0
                  • Opcode ID: d00f515d91e44facf17255a8e250fcd73bcae764c168d7d97dfd444218f53134
                  • Instruction ID: 7eda30aa4cf157ce5b942817394b73ff5cb77987cdfd6b1ba0603900a4d643cb
                  • Opcode Fuzzy Hash: d00f515d91e44facf17255a8e250fcd73bcae764c168d7d97dfd444218f53134
                  • Instruction Fuzzy Hash: 2561F8B1C00688ABDF26DBA5D805BEFFBF49F15304F04056DE90667281EB759A48C7A2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __Mtx_unlock.LIBCPMT ref: 001E255A
                  • GetCurrentThreadId.KERNEL32 ref: 001E257E
                  • __Mtx_unlock.LIBCPMT ref: 001E25D5
                  • __Cnd_broadcast.LIBCPMT ref: 001E25F5
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Mtx_unlock$Cnd_broadcastCurrentThreadmtx_do_lock
                  • String ID:
                  • API String ID: 3471820992-0
                  • Opcode ID: 45c4d9def8f70d433a6c0267ee0ebf17d26c9f5030f8ad428c91d5cae7e6a9f8
                  • Instruction ID: 9a67dc0881501b84c1ed08c70154f590250fd80f2a454705cbc92f32e7f81f53
                  • Opcode Fuzzy Hash: 45c4d9def8f70d433a6c0267ee0ebf17d26c9f5030f8ad428c91d5cae7e6a9f8
                  • Instruction Fuzzy Hash: 2A41E1B1A00601AFDB15DF65CD51B9AB7E8EF19310F044639E81ACB390EB75EA04CBD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Mtx_unlock.LIBCPMT ref: 001E97F7
                  • __Mtx_unlock.LIBCPMT ref: 001E9833
                  • __Cnd_broadcast.LIBCPMT ref: 001E9880
                  • __Mtx_unlock.LIBCPMT ref: 001E989D
                    • Part of subcall function 0031BE39: std::_Throw_Cpp_error.LIBCPMT ref: 0031BE60
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Mtx_unlock$Cnd_broadcastCpp_errorThrow_mtx_do_lockstd::_
                  • String ID:
                  • API String ID: 3303054500-0
                  • Opcode ID: 4216563b01085c31aae961cc2205fd06b0b6e4ee7266d85bfd3d619e495c81e2
                  • Instruction ID: 1ec15d8ffeae3ee4d559a268c7554afb377aca9ece64a5c67442e0f03fb64443
                  • Opcode Fuzzy Hash: 4216563b01085c31aae961cc2205fd06b0b6e4ee7266d85bfd3d619e495c81e2
                  • Instruction Fuzzy Hash: E231E3F2D00644ABEB119F659D06BCAF7ACEB15310F044175EC1597351E771EA18C6B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Xtime_diff_to_millis2_xtime_get
                  • String ID:
                  • API String ID: 531285432-0
                  • Opcode ID: a2c590563f17a1f21fbfbbf0b99384b043d93111454ea3ed7dbaece0c4f976d4
                  • Instruction ID: bfb08dc484a10073248ff2b2a89b1b7ad5bcf739a3aac61c751e8ac6caf5fbb8
                  • Opcode Fuzzy Hash: a2c590563f17a1f21fbfbbf0b99384b043d93111454ea3ed7dbaece0c4f976d4
                  • Instruction Fuzzy Hash: 81215171A10219AFDF0AEFA4DC819FEB7B9EF0D714F100066F901AB251DB749D418BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00308A70: GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,CB28B7D0), ref: 00308A8C
                    • Part of subcall function 00308A70: FindResourceW.KERNEL32(00000000,?,PNG), ref: 00308A9E
                    • Part of subcall function 00308A70: GetLastError.KERNEL32(?,PNG), ref: 00308AAA
                  • GetDlgItem.USER32 ref: 001FA3EA
                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,00000000,00000000), ref: 001FA406
                  • SendMessageW.USER32(00000000,000000F7,00000000,00000000), ref: 001FA423
                  • DeleteObject.GDI32(00000000), ref: 001FA42C
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: BitmapCreateDeleteErrorFindFromGdipHandleItemLastMessageModuleObjectResourceSend
                  • String ID:
                  • API String ID: 3303639060-0
                  • Opcode ID: 2e30afda20455dfdbce2591e953032961df56900a8061e495ac48aac73a9fc87
                  • Instruction ID: c7d50a96ab69952475b947657b1da85486f17ac74cc911969fadedbb56f2073e
                  • Opcode Fuzzy Hash: 2e30afda20455dfdbce2591e953032961df56900a8061e495ac48aac73a9fc87
                  • Instruction Fuzzy Hash: CF119175A00208AFDB219F64DC89FBEBBBCEF48700F544069E909E7290DB71DD419751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0031C278: mtx_do_lock.LIBCPMT ref: 0031C280
                  • __Cnd_signal.LIBCPMT ref: 001FB586
                  • __Mtx_unlock.LIBCPMT ref: 001FB59E
                  • SystemParametersInfoW.USER32 ref: 001FB5BB
                  • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 001FB5C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Cnd_do_broadcast_at_thread_exitCnd_signalInfoMtx_unlockParametersSystemmtx_do_lock
                  • String ID:
                  • API String ID: 1329664465-0
                  • Opcode ID: f836c2c5227227e4d6c57ca15403b9b64e96b0a6636f3359794e166c256bdf42
                  • Instruction ID: 0354cff67f1ff51673a4945cdbb22bddce15d41ee1ab91007647cbd58c2afa35
                  • Opcode Fuzzy Hash: f836c2c5227227e4d6c57ca15403b9b64e96b0a6636f3359794e166c256bdf42
                  • Instruction Fuzzy Hash: 08112CB1D04704BBE7226F61EC02B97B7ACEF05710F040935FD1A967A1F775E5148A62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003548F1,00000000,00000000,?,003660FD,003548F1,00000000,00000000,00000000,?,003663DB,00000006,FlsSetValue), ref: 00366188
                  • GetLastError.KERNEL32(?,003660FD,003548F1,00000000,00000000,00000000,?,003663DB,00000006,FlsSetValue,0039FAD4,FlsSetValue,00000000,00000364,?,00364C89), ref: 00366194
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003660FD,003548F1,00000000,00000000,00000000,?,003663DB,00000006,FlsSetValue,0039FAD4,FlsSetValue,00000000), ref: 003661A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 2ab77dde35f3bfb4049ddbddc7890fb8abe3d140e9a6370398d3a692a9829c61
                  • Instruction ID: 2e3606f03ab1075009bba840d223f13703c0f2362078d79c28cfe6c2e64e41fc
                  • Opcode Fuzzy Hash: 2ab77dde35f3bfb4049ddbddc7890fb8abe3d140e9a6370398d3a692a9829c61
                  • Instruction Fuzzy Hash: 3B012B32211222ABC7334B78AC46E567B9CAF177E1F224625F906E7141D722DC11C7E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF,73BCF7F0,002C063D), ref: 0033546D
                  • CloseHandle.KERNEL32(?,73BCF7F0,002C063D), ref: 00335477
                  • CloseHandle.KERNEL32(?), ref: 0033548A
                  • Sleep.KERNEL32(0000000A), ref: 0033549C
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: CloseHandle$ObjectSingleSleepWait
                  • String ID:
                  • API String ID: 2593906732-0
                  • Opcode ID: bad3ee672808b93cfc29affce6055efe117dfd7de827426e82e178cf35f61172
                  • Instruction ID: 88a6e91ef6026f756192c66086fbcb83ed187dfd56518a06db6673cd18f1a31d
                  • Opcode Fuzzy Hash: bad3ee672808b93cfc29affce6055efe117dfd7de827426e82e178cf35f61172
                  • Instruction Fuzzy Hash: 2FE0BF71204601ABDB155F65EC4CF45FBACFB55322F01C306F129C22A4CB769455CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003208F0: std::locale::_Init.LIBCPMT ref: 0032098C
                    • Part of subcall function 003208F0: std::ios_base::_Addstd.LIBCPMT ref: 00320A0F
                  • std::locale::_Init.LIBCPMT ref: 00325292
                    • Part of subcall function 0031B684: __EH_prolog3.LIBCMT ref: 0031B68B
                    • Part of subcall function 0031B684: std::_Lockit::_Lockit.LIBCPMT ref: 0031B696
                    • Part of subcall function 0031B684: std::locale::_Setgloballocale.LIBCPMT ref: 0031B6B1
                    • Part of subcall function 0031B684: _Yarn.LIBCPMT ref: 0031B6C7
                    • Part of subcall function 0031B684: std::_Lockit::~_Lockit.LIBCPMT ref: 0031B707
                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00325449
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: std::locale::_$InitLockitstd::_std::ios_base::_$AddstdH_prolog3Ios_base_dtorLockit::_Lockit::~_SetgloballocaleYarn
                  • String ID: vs.
                  • API String ID: 3379718361-795465908
                  • Opcode ID: dc614da3c6f019eec55a1039415fad6180ada233ccf74f821b3b094a2947df12
                  • Instruction ID: d04d588f666dd6dba9f3717127503ad1b268c12e9425a7ad613e739a2a336a5b
                  • Opcode Fuzzy Hash: dc614da3c6f019eec55a1039415fad6180ada233ccf74f821b3b094a2947df12
                  • Instruction Fuzzy Hash: 71612A75E00218CFDB25DFA4D885BDEB7B4BB45704F1081A9E90DAB342DB71AA49CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0036BB5C,?,00000050,?,?,?,?,?), ref: 0036B9DC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID:
                  • String ID: ACP$OCP
                  • API String ID: 0-711371036
                  • Opcode ID: d1f273c745bb2ff963dde1a1280705dbed82a467eab16c28bcfaeef284c7b631
                  • Instruction ID: 9b2a984c021027518a77d988b416693e7debec3fb3df44c8d524b922d132275e
                  • Opcode Fuzzy Hash: d1f273c745bb2ff963dde1a1280705dbed82a467eab16c28bcfaeef284c7b631
                  • Instruction Fuzzy Hash: 4721B663A00105A6DB278B65C901BA7F3EAEF50B64F57C424EB4AD7208E732DD81CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0030F89E
                    • Part of subcall function 0034ADEF: RaiseException.KERNEL32(?,?,0031B3D9,?,?,?,00000000,?,?,?,?,0031B3D9,?,003B7370,6F8373B0,?), ref: 0034AE4F
                  • ___std_exception_copy.LIBVCRUNTIME ref: 0030F8F2
                  Strings
                  • BufferedTransformation: this object is not attachable, xrefs: 0030F875
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ExceptionException@8RaiseThrow___std_exception_copy
                  • String ID: BufferedTransformation: this object is not attachable
                  • API String ID: 640887848-3944187330
                  • Opcode ID: 2252698b4a76fd76183c3602f4dc04f77287b968c63bf6be3dc8d5362458049e
                  • Instruction ID: 184c9aad6e013a2179f6712f3037dd49b106c8ae0bee03a57a49e79ca50849fb
                  • Opcode Fuzzy Hash: 2252698b4a76fd76183c3602f4dc04f77287b968c63bf6be3dc8d5362458049e
                  • Instruction Fuzzy Hash: 722150B6910609EFC701DF55D841FDAF7FCFB15710F10862AE511A7640EB74AA04CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0030F5BE
                    • Part of subcall function 0034ADEF: RaiseException.KERNEL32(?,?,0031B3D9,?,?,?,00000000,?,?,?,?,0031B3D9,?,003B7370,6F8373B0,?), ref: 0034AE4F
                  • ___std_exception_copy.LIBVCRUNTIME ref: 0030F612
                  Strings
                  • Clone() is not implemented yet., xrefs: 0030F595
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ExceptionException@8RaiseThrow___std_exception_copy
                  • String ID: Clone() is not implemented yet.
                  • API String ID: 640887848-226299721
                  • Opcode ID: 8b91e06dd8e6141347182760907408569c2a5d22c7495d6cf57b34835712ee4f
                  • Instruction ID: 97f56f7c915c1447806f40acec82db76b7ce8a90f069e75c946aa06a44ac42ff
                  • Opcode Fuzzy Hash: 8b91e06dd8e6141347182760907408569c2a5d22c7495d6cf57b34835712ee4f
                  • Instruction Fuzzy Hash: B32150B6910609EFC701DF55D841FDAF7FCFB15710F10862AE511A7640EB74AA04CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0033D88D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Ios_base_dtorstd::ios_base::_
                  • String ID: vs. $pa<
                  • API String ID: 323602529-118028726
                  • Opcode ID: 9a0b73658f9c7370f880fb090ac3030eae5188f539b31341a7b526568d01179e
                  • Instruction ID: 143207a499120d09644990f6c32d9bcebdbf5110008dbcecbbf88b3b6c407ecc
                  • Opcode Fuzzy Hash: 9a0b73658f9c7370f880fb090ac3030eae5188f539b31341a7b526568d01179e
                  • Instruction Fuzzy Hash: 73219575A002189BCF56EF78EC46FD9B7A4AF05314F0044A5F80CAB342DA71A9898F90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 001DC03D
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001DC059
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Lockitstd::_$Lockit::_Lockit::~_
                  • String ID: Be3
                  • API String ID: 593203224-721780296
                  • Opcode ID: 3e2f96bbdf377c313bd9f3943463a665f8d8e9158586d50794fa8314c23f8059
                  • Instruction ID: 61d63b4f1bc326d24e818b53fc13fc3f39f94b7fde399e5a6b9f09d8fb08d578
                  • Opcode Fuzzy Hash: 3e2f96bbdf377c313bd9f3943463a665f8d8e9158586d50794fa8314c23f8059
                  • Instruction Fuzzy Hash: 8FF08C30910209EBDB29EF54EC41AA8B7F8EB18300F5004AEE48197381EF706E88CB85
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: NameName::
                  • String ID: {flat}
                  • API String ID: 1333004437-2606204563
                  • Opcode ID: 4a668298a4574ad5a022e019bfc572fc21d93fee6ad13257d6450d439687214f
                  • Instruction ID: 9c1ffca5a2fd0c4d58d5ffc6659d4fd49bed7da0ad3d77a08658284b894a8164
                  • Opcode Fuzzy Hash: 4a668298a4574ad5a022e019bfc572fc21d93fee6ad13257d6450d439687214f
                  • Instruction Fuzzy Hash: 44F065751402089FD706CF59D556FB53BD8EF01756F05C044E94D4F262CB75E9448791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHSetValueA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Uninstall\HYJiang,mid,00000001,?,?,?,?,0032609B,?,00001000,?,00001000,?,003A8C5C), ref: 003278DC
                  Strings
                  • mid, xrefs: 003278CD
                  • Software\Microsoft\Windows\CurrentVersion\Uninstall\HYJiang, xrefs: 003278D2
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: Value
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Uninstall\HYJiang$mid
                  • API String ID: 3702945584-2448618358
                  • Opcode ID: 27d8e1844bd0d75535a0abba15e9e2986eb12837f0e235a3cf6c3df208dfb256
                  • Instruction ID: 6700515e03d07dd8383fc3700ea94026998bad0f561c49a507b6ad13f0a965e3
                  • Opcode Fuzzy Hash: 27d8e1844bd0d75535a0abba15e9e2986eb12837f0e235a3cf6c3df208dfb256
                  • Instruction Fuzzy Hash: 96E0C271240314AFDA020B546C19DF37BACDB86B41F048040FE8C9B103CA61980082D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0031B3E6
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0031B3F4
                    • Part of subcall function 0034ADEF: RaiseException.KERNEL32(?,?,0031B3D9,?,?,?,00000000,?,?,?,?,0031B3D9,?,003B7370,6F8373B0,?), ref: 0034AE4F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.669225094.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true
                  • Associated: 00000000.00000002.669218827.00000000001C0000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669437430.0000000000394000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.669462546.00000000003BC000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669470292.00000000003C1000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.669476147.00000000003C3000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669480865.00000000003C6000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.669487575.00000000003CC000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_1c0000_winhost.jbxd
                  Similarity
                  • API ID: ExceptionException@8RaiseThrowstd::invalid_argument::invalid_argument
                  • String ID: bad function call
                  • API String ID: 4038826145-3612616537
                  • Opcode ID: baca73a6b7349c38724b346b41ee95f30e7b0f9167dda76894ed3dea4f15cb44
                  • Instruction ID: 7c44079f103047c448f30bc890efa9c18fb310a2e90ba2d30a2d11ac2ec51f82
                  • Opcode Fuzzy Hash: baca73a6b7349c38724b346b41ee95f30e7b0f9167dda76894ed3dea4f15cb44
                  • Instruction Fuzzy Hash: A6C0122DC0410C77CF0AF6E4DC17DCD77AC9A04300B844460BA20964D1E7B0A61686D1
                  Uniqueness

                  Uniqueness Score: -1.00%