
Windows Analysis Report
PO#38595.exe

Overview

General Information

Sample name: PO#38595.exe
Analysis ID: 1501331
MD5: c4e638a246b7dd028ac2be462ea75582
SHA1: d19ecd635b9f4c68775956438d0f140d7f04d488
SHA256: ae2f77ad311caf919d2c2ed85c691d9906185b06b01d153d49bfa8ddb132ee3d
Tags: exe

Detection

FormBook
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO#38595.exe (PID: 6304 cmdline: "C:\Users\user\Desktop\PO#38595.exe" MD5: C4E638A246B7DD028AC2BE462EA75582)
    • svchost.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\PO#38595.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 1.2.svchost.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.svchost.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2df63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16192:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 1.2.svchost.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.svchost.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2ed63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\PO#38595.exe", CommandLine: "C:\Users\user\Desktop\PO#38595.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#38595.exe", ParentImage: C:\Users\user\Desktop\PO#38595.exe, ParentProcessId: 6304, ParentProcessName: PO#38595.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO#38595.exe", ProcessId: 6596, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\PO#38595.exe", CommandLine: "C:\Users\user\Desktop\PO#38595.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#38595.exe", ParentImage: C:\Users\user\Desktop\PO#38595.exe, ParentProcessId: 6304, ParentProcessName: PO#38595.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO#38595.exe", ProcessId: 6596, ProcessName: svchost.exe
          No Suricata rule has matched

          AV Detection

Source: PO#38595.exe, ReversingLabs: Detection: 23%
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO#38595.exe, Joe Sandbox ML: detected
Source: PO#38595.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP, source: PO#38595.exe, 00000000.00000003.1702104629.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, PO#38595.exe, 00000000.00000003.1702001511.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1786059497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1788019689.0000000003400000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: PO#38595.exe, 00000000.00000003.1702104629.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, PO#38595.exe, 00000000.00000003.1702001511.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1786059497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1788019689.0000000003400000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AC6CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AC60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AC63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00ACEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00ACF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00ACF56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AD1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AD1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AD1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AD4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AD6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AD6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AC2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AEF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00A83D19: This is a third-party compiled AutoIt script.
Source: PO#38595.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO#38595.exe, 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_8d50ff83-5)
Source: PO#38595.exe, 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_4d3a923b-f)
Source: PO#38595.exe, String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_94e37caa-9)
Source: PO#38595.exe, String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_e618f0da-0)
Source: initial sample, Static PE information: Filename: PO#38595.exe
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_0042C063 NtClose
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03674340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03674650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03672CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03673010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03673090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_036739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03673D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 1_2_03673D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AC6685: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00ABACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\PO#38595.exe, Code function: 0_2_00AC79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: String function: 00A9EC2F appears 68 times
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: String function: 00AAF8A0 appears 35 times
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: String function: 00AA6AC0 appears 42 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 265 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 108 times
          Source: PO#38595.exe, 00000000.00000003.1700998916.0000000003E43000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO#38595.exe
          Source: PO#38595.exe, 00000000.00000003.1702781457.000000000403D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO#38595.exe
          Source: PO#38595.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal92.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ACCE7A GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ABAB84 AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ABB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ACE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AC6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ADC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A8406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Users\user\Desktop\PO#38595.exe | File created: C:\Users\user\AppData\Local\Temp\aut3804.tmp
          Source: PO#38595.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO#38595.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: PO#38595.exe | ReversingLabs: Detection: 23%
          Source: unknown | Process created: C:\Users\user\Desktop\PO#38595.exe "C:\Users\user\Desktop\PO#38595.exe"
          Source: C:\Users\user\Desktop\PO#38595.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO#38595.exe"
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: ntmarta.dll
          Source: PO#38595.exe | Static file information: File size 1532928 > 1048576
          Source: PO#38595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: PO#38595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: PO#38595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: PO#38595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: PO#38595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: PO#38595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: PO#38595.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: PO#38595.exe, 00000000.00000003.1702104629.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, PO#38595.exe, 00000000.00000003.1702001511.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1786059497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1788019689.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: PO#38595.exe, 00000000.00000003.1702104629.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, PO#38595.exe, 00000000.00000003.1702001511.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1786059497.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1821296994.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1788019689.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: PO#38595.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: PO#38595.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: PO#38595.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: PO#38595.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: PO#38595.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A9E01E LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AAC09E push esi; ret 0_2_00AAC0A0
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AAC187 push edi; ret 0_2_00AAC189
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AA6B05 push ecx; ret 0_2_00AA6B18
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ACB2B1 push FFFFFF8Bh; iretd 0_2_00ACB2B3
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AABDAA push edi; ret 0_2_00AABDAC
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AABEC3 push esi; ret 0_2_00AABEC5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403060 push eax; ret 1_2_00403062
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004160FC push 00000030h; retf 1_2_00416149
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041613C push 00000030h; retf 1_2_00416149
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004241D0 push 27BC0FE5h; iretd 1_2_00424215
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042425C push ecx; retf 1_2_00424260
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D211 pushad ; ret 1_2_0040D212
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004132A3 push esi; ret 1_2_004132A8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041136F push edi; retf 1_2_00411372
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004135D8 push ds; retf 1_2_004135F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004135E3 push ds; retf 1_2_004135F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414594 push edi; retf 1_2_004145B7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E67B push ebp; retf 1_2_0041E67D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E61E push eax; retf 1_2_0041E647
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E6DA pushad ; ret 1_2_0041E6DB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004016F6 push ss; ret 1_2_00401859
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401FF6 push ecx; ret 1_2_00401FFF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0360225F pushad ; ret 1_2_036027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036027FA pushad ; ret 1_2_036027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx 1_2_036309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0360283D push eax; iretd 1_2_03602858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0360135F push eax; iretd 1_2_03601369
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AE8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A9EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AA123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\PO#38595.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\PO#38595.exe | API/Special instruction interceptor: Address: 3973234
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E rdtsc
          Source: C:\Users\user\Desktop\PO#38595.exe | Evaded block: after key decision | graph_0-94358
          Source: C:\Users\user\Desktop\PO#38595.exe | API coverage: 4.6 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 6528 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AC6CA9 GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AC60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AC63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ACEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ACF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ACF56F FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AD1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AD1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AD1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A9DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\PO#38595.exe | API call chain: ExitProcess graph end node | graph_0-93603
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004172B3 LdrLoadDll
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AD6AAF BlockInput
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A83D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AB3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A9E01E LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_03973500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_039734A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_03971E70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]1_2_0366E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h]1_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h]1_2_0362C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h]1_2_036C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]1_2_03636154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]1_2_03636154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660124 mov eax, dword ptr fs:[00000030h]1_2_03660124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]1_2_036DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h]1_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]1_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h]1_2_036F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h]1_2_037061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h]1_2_036601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]1_2_036F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]1_2_036F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]1_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03670185 mov eax, dword ptr fs:[00000030h]1_2_03670185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]1_2_036EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]1_2_036EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]1_2_036D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]1_2_036D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]1_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]1_2_0362A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h]1_2_0365C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632050 mov eax, dword ptr fs:[00000030h]1_2_03632050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h]1_2_036B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h]1_2_0362A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h]1_2_0362C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6030 mov eax, dword ptr fs:[00000030h]1_2_036C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h]1_2_036B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]1_2_036D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]1_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0362A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h]1_2_036380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h]1_2_036B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h]1_2_0362C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h]1_2_036720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h]1_2_036B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036280A0 mov eax, dword ptr fs:[00000030h]1_2_036280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h]1_2_036C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h]1_2_036F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h]1_2_036F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363208A mov eax, dword ptr fs:[00000030h]1_2_0363208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638770 mov eax, dword ptr fs:[00000030h]1_2_03638770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]1_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov esi, dword ptr fs:[00000030h]1_2_0366674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]1_2_0366674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]1_2_0366674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630750 mov eax, dword ptr fs:[00000030h]1_2_03630750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h]1_2_036BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]1_2_03672750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]1_2_03672750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B4755 mov eax, dword ptr fs:[00000030h]1_2_036B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]1_2_0366C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]1_2_0366C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]1_2_0366273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h]1_2_0366273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]1_2_0366273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h]1_2_036AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h]1_2_0366C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630710 mov eax, dword ptr fs:[00000030h]1_2_03630710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660710 mov eax, dword ptr fs:[00000030h]1_2_03660710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]1_2_036527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h]1_2_036BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]1_2_036347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]1_2_036347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h]1_2_0363C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h]1_2_036B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036307AF mov eax, dword ptr fs:[00000030h]1_2_036307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E47A0 mov eax, dword ptr fs:[00000030h]1_2_036E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D678E mov eax, dword ptr fs:[00000030h]1_2_036D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]1_2_036F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]1_2_036F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]1_2_0366A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]1_2_0366A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03662674 mov eax, dword ptr fs:[00000030h]1_2_03662674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h]1_2_0364C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h]1_2_0364E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03666620 mov eax, dword ptr fs:[00000030h]1_2_03666620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668620 mov eax, dword ptr fs:[00000030h]1_2_03668620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363262C mov eax, dword ptr fs:[00000030h]1_2_0363262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h]1_2_036AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]1_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672619 mov eax, dword ptr fs:[00000030h]1_2_03672619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]1_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]1_2_036B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]1_2_036B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0366A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A6C7 mov eax, dword ptr fs:[00000030h]1_2_0366A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C6A6 mov eax, dword ptr fs:[00000030h]1_2_0366C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036666B0 mov eax, dword ptr fs:[00000030h]1_2_036666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]1_2_03634690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]1_2_03634690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]1_2_0366656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]1_2_03638550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]1_2_03638550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]1_2_03640535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]1_2_0365E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6500 mov eax, dword ptr fs:[00000030h]1_2_036C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]1_2_03704500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]1_2_0365E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036325E0 mov eax, dword ptr fs:[00000030h]1_2_036325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]1_2_0366C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]1_2_0366C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]1_2_0366E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]1_2_0366E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036365D0 mov eax, dword ptr fs:[00000030h]1_2_036365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]1_2_0366A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]1_2_0366A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]1_2_036B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]1_2_036545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]1_2_036545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632582 mov eax, dword ptr fs:[00000030h]1_2_03632582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03632582 mov ecx, dword ptr fs:[00000030h]1_2_03632582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03664588 mov eax, dword ptr fs:[00000030h]1_2_03664588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E59C mov eax, dword ptr fs:[00000030h]1_2_0366E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BC460 mov ecx, dword ptr fs:[00000030h]1_2_036BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]1_2_0365A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]1_2_0366E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA456 mov eax, dword ptr fs:[00000030h]1_2_036EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362645D mov eax, dword ptr fs:[00000030h]1_2_0362645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365245A mov eax, dword ptr fs:[00000030h]1_2_0365245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]1_2_0362E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]1_2_0362E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]1_2_0362E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C427 mov eax, dword ptr fs:[00000030h]1_2_0362C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366A430 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036304E5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036364AB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036644B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BA4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036EA49A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0362CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03686AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03704940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03642840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03660854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ABA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AA81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AA8189 SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO#38595.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO#38595.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B69008
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ABB106 LogonUserW
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A83D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AC411C SendInput,keybd_event
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AC74BB mouse_event
Source: C:\Users\user\Desktop\PO#38595.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO#38595.exe"
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00ABA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AC71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: PO#38595.exe | Binary or memory string: Shell_TrayWnd
Source: PO#38595.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AA65C4 cpuid
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AD091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AFB340 GetUserNameW
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AB1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00A9DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: PO#38595.exe | Binary or memory string: WIN_81
Source: PO#38595.exe | Binary or memory string: WIN_XP
Source: PO#38595.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: PO#38595.exe | Binary or memory string: WIN_XPe
Source: PO#38595.exe | Binary or memory string: WIN_VISTA
Source: PO#38595.exe | Binary or memory string: WIN_7
Source: PO#38595.exe | Binary or memory string: WIN_8

          Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AD8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\PO#38595.exe | Code function: 0_2_00AD923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, listed by tactic column (a number in parentheses is the count the report shows next to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Valid Accounts (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Valid Accounts (2); Exploitation for Privilege Escalation (1); Access Token Manipulation (21); Process Injection (212); DLL Side-Loading (1); RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Valid Accounts (2); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (212); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); HTML Smuggling
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Security Software Discovery (15); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (115)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Input Capture (21); Archive Collected Data (1); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
PO#38595.exe | 24% | ReversingLabs | Win32.Trojan.AutoitInject
PO#38595.exe | 100% | Joe Sandbox ML |
No Antivirus matches
          No contacted domains info
          No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501331
Start date and time: 2024-08-29 18:49:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO#38595.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@3/4@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 59
• Number of non-executed functions: 283
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): SIHClient.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: PO#38595.exe
Time | Type | Description
12:50:15 | API Interceptor | 3x Sleep call for process: svchost.exe modified
          No context
Process: C:\Users\user\Desktop\PO#38595.exe
File Type: ASCII text, with very long lines (57348), with no line terminators
Category: dropped
Size (bytes): 57348
Entropy (8bit): 2.789928733323229
Encrypted: false
SSDEEP: 384:ljTF4Z76n17h8toAs6pZwsPsiKy8Dv0JCjWV+Xv2P05GfW4:lnF4Z76n17ioo5s1+J2WsXNo
MD5: 82527E0FB4FC16CC06E23809FAD6DD63
SHA1: 8426F44A2DC2824CDA6B951A9B9BFE6D9325D49B
SHA-256: BF7A9F25DE58DFA5A4A2F47C847C8E2D5EC45528A1222ADAC375ACF18CD586A1
SHA-512: D580216B1AACB77EF325A41F590D35D4ED1FDC8A29DAA52E2A0A9637818CCB190B56706333B25FAB42368CE498F84F9475FF9EF97647229320CE09B39F8B5F42
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\PO#38595.exe
File Type: data
Category: dropped
Size (bytes): 286720
Entropy (8bit): 7.994773456801255
Encrypted: true
SSDEEP: 6144:08+aHdAVJOtEwH5bEvmYeccRWl3e/R87yS:08PHdAVJOtECJkwgOS7yS
MD5: A2C07D761664F42463E02C570385CF3F
SHA1: D1C48F5A08AE9992FE02946F0EADC05C0A5FCFDE
SHA-256: CD4A215CDE500C05E071ECE621BE7A4DD6BCA4C254DA7335507C1691E5C76C74
SHA-512: F2EA48C84F0BE7FF54DB150AC5382D3650FC9A823B74AA197B8B32BD664953427F0C94F7ACD145ACDC17DD0191BDC51FAD07823ACF8EB5B7ADCB1E394E52A3B5
Malicious: false
Reputation: low
          Process:C:\Users\user\Desktop\PO#38595.exe
          File Type:data
          Category:dropped
          Size (bytes):11228
          Entropy (8bit):7.615610313043063
          Encrypted:false
          SSDEEP:192:RE7FGNNtmlNBngKgUnVXN5yk0QDa6XL6aAYsDmjp6hw97EbU/RCMrljgukT:RcGrtmlXxpnVXf0V6XOgsDCUDBT
          MD5:B43AE8006B9E12925738EB6BB3ACA6BA
          SHA1:7B4F0655F723DFFAEBEF94EFDB15C45A0E50FB72
          SHA-256:B12AEE397E52C1B2EDE5C49EC73FDE83AE08BDED74EC5AA24AB43D6ACA8F3164
          SHA-512:1F5FD96CE9B602DF923A61E3F7029493AFEED29569E7CBDF53EA4EDFF67FDF5876001A9D7DC481A2FA0A3D4D7DD57BC55C05835D785C203611C95F6D064E687E
          Malicious:false
          Reputation:low
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):6.802897165564634
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:PO#38595.exe
          File size:1'532'928 bytes
          MD5:c4e638a246b7dd028ac2be462ea75582
          SHA1:d19ecd635b9f4c68775956438d0f140d7f04d488
          SHA256:ae2f77ad311caf919d2c2ed85c691d9906185b06b01d153d49bfa8ddb132ee3d
          SHA512:e37ceef34045b929840bf34df381d6849b5e9a173a25ae15dfe706578cfd49f94b734e7a342701e83f3cef68031dfe9f6f9fc4cacba64e9734c218541ee94baa
          SSDEEP:24576:Ytb20pkaCqT5TBWgNQ7authteGoQ8p/bSsFxxmxC6A:hVg5tQ7aoAGoQ8pj3FxN5
          TLSH:5F65D02227EDC266C372117379A5F725AE7F6D241DA5F6032F942CBCBD307602A4A253
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
          Icon Hash:41c0c45471554d45
          Entrypoint:0x425f74
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66CFCB1F [Thu Aug 29 01:13:03 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:3d95adbf13bbe79dc24dccb401c12091
          Instruction
          call 00007FDE3C85B99Fh
          jmp 00007FDE3C84E9B4h
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007FDE3C84EB3Ah
          cmp edi, eax
          jc 00007FDE3C84EE9Eh
          bt dword ptr [004C0158h], 01h
          jnc 00007FDE3C84EB39h
          rep movsb
          jmp 00007FDE3C84EE4Ch
          cmp ecx, 00000080h
          jc 00007FDE3C84ED04h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007FDE3C84EB40h
          bt dword ptr [004BA370h], 01h
          jc 00007FDE3C84F010h
          bt dword ptr [004C0158h], 00000000h
          jnc 00007FDE3C84ECDDh
          test edi, 00000003h
          jne 00007FDE3C84ECEEh
          test esi, 00000003h
          jne 00007FDE3C84ECCDh
          bt edi, 02h
          jnc 00007FDE3C84EB3Fh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007FDE3C84EB43h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007FDE3C84EB95h
          bt esi, 03h
          jnc 00007FDE3C84EBE8h
          movdqa xmm1, dqword ptr [esi+00h]
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2012 UPD4 build 61030
          • [RES] VS2012 UPD4 build 61030
          • [LNK] VS2012 UPD4 build 61030
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0xad2d8 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x172000 | 0x6c4c | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xc4000 | 0xad2d8 | 0xad400 | d6b59784e540b286e62536ecc0bdca52 | False | 0.6649728309884559 | data | 6.834703266999181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x172000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xc4548 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
          RT_ICON | 0xc4670 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
          RT_ICON | 0xc4798 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xc48c0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | English | Great Britain | 0.3619626002307897
          RT_ICON | 0x1068e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | Great Britain | 0.40127765290429435
          RT_ICON | 0x117110 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | Great Britain | 0.4653991497401984
          RT_ICON | 0x11b338 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | Great Britain | 0.5120331950207468
          RT_ICON | 0x11d8e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | Great Britain | 0.5834896810506567
          RT_ICON | 0x11e988 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | Great Britain | 0.6356382978723404
          RT_MENU | 0x11edf0 | 0x50 | data | English | Great Britain | 0.9
          RT_STRING | 0x11ee40 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0x11f3d4 | 0x68a | data | English | Great Britain | 0.2747909199522103
          RT_STRING | 0x11fa60 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0x11fef0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0x1204ec | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0x120b48 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0x120fb0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0x121108 | 0x4fc7c | data | | | 1.00032437725687
          RT_GROUP_ICON | 0x170d84 | 0x5a | data | English | Great Britain | 0.7555555555555555
          RT_GROUP_ICON | 0x170de0 | 0x14 | data | English | Great Britain | 1.25
          RT_GROUP_ICON | 0x170df4 | 0x14 | data | English | Great Britain | 1.15
          RT_GROUP_ICON | 0x170e08 | 0x14 | data | English | Great Britain | 1.25
          RT_VERSION | 0x170e1c | 0x10c | data | English | Great Britain | 0.5932835820895522
          RT_MANIFEST | 0x170f28 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
          DLL | Import
          WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
          VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
          MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
          WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
          USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
          USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
          GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
          COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
          SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
          Language of compilation system | Country where language is spoken
          English | Great Britain
          No network behavior found


          Target ID:0
          Start time:12:50:03
          Start date:29/08/2024
          Path:C:\Users\user\Desktop\PO#38595.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\PO#38595.exe"
          Imagebase:0xa80000
          File size:1'532'928 bytes
          MD5 hash:C4E638A246B7DD028AC2BE462EA75582
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:12:50:04
          Start date:29/08/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\PO#38595.exe"
          Imagebase:0x940000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1821016484.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1821267031.0000000003440000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:4.2%
            Dynamic/Decrypted Code Coverage:0.4%
            Signature Coverage:6.1%
            Total number of Nodes:2000
            Total number of Limit Nodes:55
93664 a9e6eb 93662->93664 93666 a86b4a 48 API calls 93663->93666 93707 a9e717 48 API calls 93664->93707 93668 af3d79 93666->93668 93667 a9e6f1 _memcpy_s 93667->93340 93669 a9f4ea 48 API calls 93668->93669 93670 af3d8b 93669->93670 93672 a9f4ea 48 API calls 93671->93672 93673 a86b34 93672->93673 93674 a86b4a 48 API calls 93673->93674 93675 a86b43 93674->93675 93675->93348 93675->93349 93677 a8c201 93676->93677 93678 a8c245 93676->93678 93679 a9f4ea 48 API calls 93677->93679 93709 a8bcce 93678->93709 93681 a8c216 MultiByteToWideChar 93679->93681 93682 a8c24f 48 API calls 93681->93682 93683 a8c237 93682->93683 93683->93356 93684->93355 93685->93327 93686->93355 93688 a8c25e 93687->93688 93689 a8c2d1 93687->93689 93688->93689 93691 a8c26a 93688->93691 93690 a8b18b 48 API calls 93689->93690 93698 a8c27c _memcpy_s 93690->93698 93692 a8c2a2 93691->93692 93693 a8c274 93691->93693 93695 a86b4a 48 API calls 93692->93695 93715 a8c369 48 API calls 93693->93715 93696 a8c2ac 93695->93696 93697 a9f4ea 48 API calls 93696->93697 93697->93698 93698->93347 93699->93355 93700->93355 93701->93356 93702->93355 93703->93650 93705 a9f4ea 48 API calls 93704->93705 93706 a86b54 93705->93706 93706->93658 93707->93667 93708->93667 93710 a8bce8 93709->93710 93711 a8bcdb 93709->93711 93712 a9f4ea 48 API calls 93710->93712 93711->93683 93713 a8bcf2 93712->93713 93714 a9ee75 48 API calls 93713->93714 93714->93711 93715->93698 93717 a86b0f 48 API calls 93716->93717 93736 a8b495 93717->93736 93718 a8b69b 93752 a8ba85 93718->93752 93720 a8b6b5 Mailbox 93720->93364 93723 af397b 93763 ac26bc 88 API calls 4 library calls 93723->93763 93726 a8b9e4 93764 ac26bc 88 API calls 4 library calls 93726->93764 93727 af3973 93727->93720 93730 a8ba85 48 API calls 93730->93736 93731 af3989 93733 a8ba85 48 API calls 93731->93733 93732 a8bcce 48 API calls 93732->93736 93733->93727 93734 af3909 93737 a86b4a 48 API calls 93734->93737 93736->93718 93736->93723 93736->93726 93736->93730 93736->93732 93736->93734 93740 
a8bdfa 48 API calls 93736->93740 93743 af3939 _memcpy_s 93736->93743 93745 a8c413 59 API calls 93736->93745 93746 a8bb85 93736->93746 93751 a8bc74 48 API calls 93736->93751 93760 a8c6a5 49 API calls 93736->93760 93761 a8c799 48 API calls _memcpy_s 93736->93761 93738 af3914 93737->93738 93742 a9f4ea 48 API calls 93738->93742 93741 a8b66c CharUpperBuffW 93740->93741 93741->93736 93742->93743 93762 ac26bc 88 API calls 4 library calls 93743->93762 93744->93368 93745->93736 93747 a8bb9b 93746->93747 93750 a8bb96 _memcpy_s 93746->93750 93748 af1b77 93747->93748 93749 a9ee75 48 API calls 93747->93749 93749->93750 93750->93736 93751->93736 93753 a8bb25 93752->93753 93756 a8ba98 _memcpy_s 93752->93756 93755 a9f4ea 48 API calls 93753->93755 93754 a9f4ea 48 API calls 93757 a8ba9f 93754->93757 93755->93756 93756->93754 93758 a9f4ea 48 API calls 93757->93758 93759 a8bac8 93757->93759 93758->93759 93759->93720 93760->93736 93761->93736 93762->93727 93763->93731 93764->93727 93766 a8d7f7 48 API calls 93765->93766 93767 a826b0 93766->93767 93768 a8d7f7 48 API calls 93767->93768 93769 a826bd 93768->93769 93769->93380 93798 a88e32 93770->93798 93772 a86e88 93773 a86eed 48 API calls 93772->93773 93774 a86e93 93773->93774 93802 a86f07 93774->93802 93776 a86eda 93776->93384 93777 a86ea8 93777->93776 93778 a9f4ea 48 API calls 93777->93778 93778->93776 93780 a86eed 48 API calls 93779->93780 93781 a86e6c 93780->93781 93781->93390 93783 ac20bc 93782->93783 93784 ac20ca 93782->93784 93785 a8b18b 48 API calls 93783->93785 93786 a8c24f 48 API calls 93784->93786 93787 ac20c8 93785->93787 93786->93787 93787->93393 93790 a8651b 93788->93790 93793 a864dd _memcpy_s 93788->93793 93789 a9f4ea 48 API calls 93791 a864e4 93789->93791 93792 a9f4ea 48 API calls 93790->93792 93791->93393 93792->93793 93793->93789 93794->93377 93795->93391 93797->93389 93799 a88e58 93798->93799 93800 a88e3c 93798->93800 93806 aa1c9d 93799->93806 93800->93772 93804 a86f14 __ftell_nolock 93802->93804 93803 a86fa8 
93803->93777 93804->93803 93805 aa1d25 60 API calls __forcdecpt_l 93804->93805 93805->93804 93807 aa1ccf _free 93806->93807 93808 aa1ca6 RtlFreeHeap 93806->93808 93807->93800 93808->93807 93809 aa1cbb 93808->93809 93812 aa7c0e 47 API calls __getptd_noexit 93809->93812 93811 aa1cc1 GetLastError 93811->93807 93812->93811 93813->93411 93814->93411 93815->93415 93816->93415 93817->93423 93818->93417 93819->93430 93820->93444 93821 af19cb 93826 a82322 93821->93826 93823 af19d1 93859 aa0f0a 52 API calls __cinit 93823->93859 93825 af19db 93827 a82344 93826->93827 93860 a826df 93827->93860 93832 a8d7f7 48 API calls 93833 a82384 93832->93833 93834 a8d7f7 48 API calls 93833->93834 93835 a8238e 93834->93835 93836 a8d7f7 48 API calls 93835->93836 93837 a82398 93836->93837 93838 a8d7f7 48 API calls 93837->93838 93839 a823de 93838->93839 93840 a8d7f7 48 API calls 93839->93840 93841 a824c1 93840->93841 93868 a8263f 93841->93868 93845 a824f1 93846 a8d7f7 48 API calls 93845->93846 93847 a824fb 93846->93847 93897 a82745 93847->93897 93849 a82546 93850 a82556 GetStdHandle 93849->93850 93851 af501d 93850->93851 93852 a825b1 93850->93852 93851->93852 93854 af5026 93851->93854 93853 a825b7 CoInitialize 93852->93853 93853->93823 93904 ac92d4 53 API calls 93854->93904 93856 af502d 93905 ac99f9 CreateThread 93856->93905 93858 af5039 CloseHandle 93858->93853 93859->93825 93906 a82854 93860->93906 93864 a8234a 93865 a8272e 93864->93865 93932 a827ec 6 API calls 93865->93932 93867 a8237a 93867->93832 93869 a8d7f7 48 API calls 93868->93869 93870 a8264f 93869->93870 93871 a8d7f7 48 API calls 93870->93871 93872 a82657 93871->93872 93873 a826a7 48 API calls 93872->93873 93874 a8265f 93873->93874 93875 a826a7 48 API calls 93874->93875 93876 a82667 93875->93876 93877 a8d7f7 48 API calls 93876->93877 93878 a82672 93877->93878 93879 a9f4ea 48 API calls 93878->93879 93880 a824cb 93879->93880 93881 a822a4 93880->93881 93882 a822b2 93881->93882 93883 a8d7f7 48 API calls 93882->93883 93884 a822bd 
93883->93884 93885 a8d7f7 48 API calls 93884->93885 93886 a822c8 93885->93886 93887 a8d7f7 48 API calls 93886->93887 93888 a822d3 93887->93888 93889 a8d7f7 48 API calls 93888->93889 93890 a822de 93889->93890 93891 a826a7 48 API calls 93890->93891 93892 a822e9 93891->93892 93893 a9f4ea 48 API calls 93892->93893 93894 a822f0 93893->93894 93895 a822f9 RegisterWindowMessageW 93894->93895 93896 af1fe7 93894->93896 93895->93845 93898 af5f4d 93897->93898 93899 a82755 93897->93899 93933 acc942 50 API calls 93898->93933 93901 a9f4ea 48 API calls 93899->93901 93903 a8275d 93901->93903 93902 af5f58 93903->93849 93904->93856 93905->93858 93934 ac99df 54 API calls 93905->93934 93924 a82870 93906->93924 93909 a82870 48 API calls 93910 a82864 93909->93910 93911 a8d7f7 48 API calls 93910->93911 93912 a82716 93911->93912 93913 a86a63 93912->93913 93914 a86adf 93913->93914 93916 a86a6f __NMSG_WRITE 93913->93916 93915 a8b18b 48 API calls 93914->93915 93921 a86ab6 _memcpy_s 93915->93921 93917 a86a8b 93916->93917 93918 a86ad7 93916->93918 93920 a86b4a 48 API calls 93917->93920 93931 a8c369 48 API calls 93918->93931 93922 a86a95 93920->93922 93921->93864 93923 a9ee75 48 API calls 93922->93923 93923->93921 93925 a8d7f7 48 API calls 93924->93925 93926 a8287b 93925->93926 93927 a8d7f7 48 API calls 93926->93927 93928 a82883 93927->93928 93929 a8d7f7 48 API calls 93928->93929 93930 a8285c 93929->93930 93930->93909 93931->93921 93932->93867 93933->93902 93935 39723b0 93949 3970000 93935->93949 93937 3972472 93952 39722a0 93937->93952 93955 39734a0 GetPEB 93949->93955 93951 397068b 93951->93937 93953 39722a9 Sleep 93952->93953 93954 39722b7 93953->93954 93956 39734ca 93955->93956 93956->93951 93957 a8ef80 93960 a93b70 93957->93960 93959 a8ef8c 93961 a93bc8 93960->93961 93982 a942a5 93960->93982 93962 a93bef 93961->93962 93964 af6fd1 93961->93964 93966 af6f7e 93961->93966 93973 af6f9b 93961->93973 93963 a9f4ea 48 API calls 93962->93963 93965 a93c18 93963->93965 94044 adceca 346 API calls 
Mailbox 93964->94044 93969 a9f4ea 48 API calls 93965->93969 93966->93962 93970 af6f87 93966->93970 93968 af6fbe 94043 accc5c 86 API calls 4 library calls 93968->94043 94011 a93c2c _memcpy_s __NMSG_WRITE 93969->94011 94041 add552 346 API calls Mailbox 93970->94041 93973->93968 94042 adda0e 346 API calls 2 library calls 93973->94042 93975 a942f2 94063 accc5c 86 API calls 4 library calls 93975->94063 93977 af73b0 93977->93959 93978 af737a 94062 accc5c 86 API calls 4 library calls 93978->94062 93979 af7297 94052 accc5c 86 API calls 4 library calls 93979->94052 94056 accc5c 86 API calls 4 library calls 93982->94056 93984 a9dce0 53 API calls 93984->94011 93986 a940df 94053 accc5c 86 API calls 4 library calls 93986->94053 93988 af707e 94045 accc5c 86 API calls 4 library calls 93988->94045 93992 a9f4ea 48 API calls 93992->94011 93993 a8d645 53 API calls 93993->94011 93996 af72d2 94054 accc5c 86 API calls 4 library calls 93996->94054 93998 af7350 94060 accc5c 86 API calls 4 library calls 93998->94060 94000 af7363 94061 accc5c 86 API calls 4 library calls 94000->94061 94002 af72e9 94055 accc5c 86 API calls 4 library calls 94002->94055 94005 a86a63 48 API calls 94005->94011 94007 a8fe30 346 API calls 94007->94011 94008 af714c 94049 adccdc 48 API calls 94008->94049 94009 a9c050 48 API calls 94009->94011 94011->93975 94011->93978 94011->93979 94011->93982 94011->93984 94011->93986 94011->93988 94011->93992 94011->93993 94011->93996 94011->93998 94011->94000 94011->94002 94011->94005 94011->94007 94011->94008 94011->94009 94012 af733f 94011->94012 94014 a8d286 48 API calls 94011->94014 94016 a86eed 48 API calls 94011->94016 94017 af71e1 94011->94017 94019 a93f2b 94011->94019 94022 a9ee75 48 API calls 94011->94022 94032 a8d9a0 53 API calls __cinit 94011->94032 94033 a8d83d 53 API calls 94011->94033 94034 a8cdb9 48 API calls 94011->94034 94035 a8d6e9 94011->94035 94039 a9c15c 48 API calls 94011->94039 94040 a9becb 346 API calls 94011->94040 94046 a8dcae 50 API calls Mailbox 
94011->94046 94047 adccdc 48 API calls 94011->94047 94048 aca1eb 50 API calls 94011->94048 94059 accc5c 86 API calls 4 library calls 94012->94059 94014->94011 94016->94011 94017->94019 94058 accc5c 86 API calls 4 library calls 94017->94058 94018 af715f 94029 af71a1 94018->94029 94050 adccdc 48 API calls 94018->94050 94019->93959 94022->94011 94025 af71ce 94026 a9c050 48 API calls 94025->94026 94028 af71d6 94026->94028 94027 af71ab 94027->93982 94027->94025 94028->94017 94030 af7313 94028->94030 94051 a9c15c 48 API calls 94029->94051 94057 accc5c 86 API calls 4 library calls 94030->94057 94032->94011 94033->94011 94034->94011 94036 a8d6f4 94035->94036 94037 a8d71b 94036->94037 94064 a8d764 55 API calls 94036->94064 94037->94011 94039->94011 94040->94011 94041->94019 94042->93968 94043->93964 94044->94011 94045->94019 94046->94011 94047->94011 94048->94011 94049->94018 94050->94018 94051->94027 94052->93986 94053->94019 94054->94002 94055->94019 94056->94019 94057->94019 94058->94019 94059->94019 94060->94019 94061->94019 94062->94019 94063->93977 94064->94037 94065 af9c06 94076 a9d3be 94065->94076 94067 af9c1c 94075 af9c91 Mailbox 94067->94075 94111 a81caa 49 API calls 94067->94111 94070 af9cc5 94073 afa7ab Mailbox 94070->94073 94113 accc5c 86 API calls 4 library calls 94070->94113 94072 af9c71 94072->94070 94112 acb171 48 API calls 94072->94112 94085 a93200 94075->94085 94077 a9d3ca 94076->94077 94078 a9d3dc 94076->94078 94114 a8dcae 50 API calls Mailbox 94077->94114 94080 a9d40b 94078->94080 94081 a9d3e2 94078->94081 94115 a8dcae 50 API calls Mailbox 94080->94115 94083 a9f4ea 48 API calls 94081->94083 94084 a9d3d4 94083->94084 94084->94067 94116 a8bd30 94085->94116 94087 a93267 94088 a93313 _memcpy_s Mailbox 94087->94088 94189 a9c36b 86 API calls 94087->94189 94092 a8fe30 346 API calls 94088->94092 94096 a8d6e9 55 API calls 94088->94096 94100 a9c3c3 48 API calls 94088->94100 94101 accc5c 86 API calls 94088->94101 94103 a9f4ea 48 API calls 94088->94103 94106 a9c2d6 
48 API calls 94088->94106 94107 a86eed 48 API calls 94088->94107 94109 a8dcae 50 API calls 94088->94109 94110 a93635 Mailbox 94088->94110 94121 a82b7a 94088->94121 94128 a8e8d0 94088->94128 94190 a8d9a0 53 API calls __cinit 94088->94190 94191 a8d8c0 53 API calls 94088->94191 94192 a8d645 94088->94192 94202 adf320 346 API calls 94088->94202 94203 adf5ee 346 API calls 94088->94203 94204 a81caa 49 API calls 94088->94204 94205 adcda2 82 API calls Mailbox 94088->94205 94206 ac80e3 53 API calls 94088->94206 94207 a8d764 55 API calls 94088->94207 94208 acc942 50 API calls 94088->94208 94092->94088 94096->94088 94100->94088 94101->94088 94103->94088 94106->94088 94107->94088 94109->94088 94110->94070 94111->94072 94112->94075 94113->94073 94114->94084 94115->94084 94117 a8bd3f 94116->94117 94120 a8bd5a 94116->94120 94118 a8bdfa 48 API calls 94117->94118 94119 a8bd47 CharUpperBuffW 94118->94119 94119->94120 94120->94087 94122 a82b8b 94121->94122 94123 af436a 94121->94123 94124 a9f4ea 48 API calls 94122->94124 94125 a82b92 94124->94125 94126 a82bb3 94125->94126 94209 a82bce 48 API calls 94125->94209 94126->94088 94129 a8e8f6 94128->94129 94188 a8e906 Mailbox 94128->94188 94131 a8ed52 94129->94131 94129->94188 94130 accc5c 86 API calls 94130->94188 94303 a9e3cd 346 API calls 94131->94303 94133 a8ebc7 94134 a8ebdd 94133->94134 94304 a82ff6 16 API calls 94133->94304 94134->94088 94136 a8ed63 94136->94134 94137 a8ed70 94136->94137 94305 a9e312 346 API calls Mailbox 94137->94305 94138 a8e94c PeekMessageW 94138->94188 94140 af526e Sleep 94140->94188 94141 a8ed77 LockWindowUpdate DestroyWindow GetMessageW 94141->94134 94143 a8eda9 94141->94143 94145 af59ef TranslateMessage DispatchMessageW GetMessageW 94143->94145 94145->94145 94146 af5a1f 94145->94146 94146->94134 94147 a8ed21 PeekMessageW 94147->94188 94148 a9f4ea 48 API calls 94148->94188 94149 a8ebf7 timeGetTime 94149->94188 94151 a86eed 48 API calls 94151->94188 94152 af5557 WaitForSingleObject 94156 af5574 GetExitCodeProcess 
CloseHandle 94152->94156 94152->94188 94153 a8ed3a TranslateMessage DispatchMessageW 94153->94147 94154 a82aae 322 API calls 94154->94188 94155 af588f Sleep 94184 af5429 Mailbox 94155->94184 94156->94188 94157 a8d7f7 48 API calls 94157->94184 94158 a8edae timeGetTime 94306 a81caa 49 API calls 94158->94306 94160 af5733 Sleep 94160->94184 94163 a9dc38 timeGetTime 94163->94184 94164 af5926 GetExitCodeProcess 94166 af593c WaitForSingleObject 94164->94166 94167 af5952 CloseHandle 94164->94167 94166->94167 94166->94188 94167->94184 94168 af5445 Sleep 94168->94188 94169 a82c79 107 API calls 94169->94184 94171 af5432 Sleep 94171->94168 94172 ae8c4b 108 API calls 94172->94184 94173 af59ae Sleep 94173->94188 94174 a81caa 49 API calls 94174->94188 94176 a8ce19 48 API calls 94176->94184 94179 a8fe30 322 API calls 94179->94188 94180 a8d6e9 55 API calls 94180->94184 94183 a93200 322 API calls 94183->94188 94184->94157 94184->94163 94184->94164 94184->94168 94184->94169 94184->94171 94184->94172 94184->94173 94184->94176 94184->94180 94184->94188 94308 ac4cbe 49 API calls Mailbox 94184->94308 94309 a81caa 49 API calls 94184->94309 94310 a82aae 346 API calls 94184->94310 94311 adccb2 50 API calls 94184->94311 94312 ac7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94184->94312 94313 ac6532 63 API calls 2 library calls 94184->94313 94186 a8d6e9 55 API calls 94186->94188 94187 a8ce19 48 API calls 94187->94188 94188->94130 94188->94133 94188->94138 94188->94140 94188->94147 94188->94148 94188->94149 94188->94151 94188->94152 94188->94153 94188->94154 94188->94155 94188->94158 94188->94160 94188->94168 94188->94174 94188->94179 94188->94183 94188->94184 94188->94186 94188->94187 94210 a8ef00 94188->94210 94217 a8f110 94188->94217 94282 a945e0 94188->94282 94300 a8eed0 346 API calls Mailbox 94188->94300 94301 a9e244 TranslateAcceleratorW 94188->94301 94302 a9dc5f IsDialogMessageW GetClassLongW 94188->94302 94307 ae8d23 48 API calls 
94188->94307 94189->94088 94190->94088 94191->94088 94193 a8d654 94192->94193 94201 a8d67e 94192->94201 94194 a8d65b 94193->94194 94197 a8d6c2 94193->94197 94195 a8d666 94194->94195 94200 a8d6ab 94194->94200 95255 a8d9a0 53 API calls __cinit 94195->95255 94197->94200 95257 a9dce0 53 API calls 94197->95257 94200->94201 95256 a9dce0 53 API calls 94200->95256 94201->94088 94202->94088 94203->94088 94204->94088 94205->94088 94206->94088 94207->94088 94208->94088 94209->94126 94211 a8ef1d 94210->94211 94212 a8ef2f 94210->94212 94314 a8e3b0 346 API calls 2 library calls 94211->94314 94315 accc5c 86 API calls 4 library calls 94212->94315 94214 a8ef26 94214->94188 94216 af86f9 94216->94216 94218 a8f130 94217->94218 94220 a8fe30 346 API calls 94218->94220 94222 a8f199 94218->94222 94219 a8f595 94227 a8d7f7 48 API calls 94219->94227 94254 a8f431 Mailbox 94219->94254 94223 af8728 94220->94223 94221 af87c8 94320 accc5c 86 API calls 4 library calls 94221->94320 94222->94219 94229 a8d7f7 48 API calls 94222->94229 94236 a8f229 94222->94236 94270 a8f3dd 94222->94270 94223->94222 94317 accc5c 86 API calls 4 library calls 94223->94317 94224 a8fe30 346 API calls 94224->94254 94228 af87a3 94227->94228 94319 aa0f0a 52 API calls __cinit 94228->94319 94231 af8772 94229->94231 94230 af8b1b 94248 af8bcf 94230->94248 94249 af8b2c 94230->94249 94318 aa0f0a 52 API calls __cinit 94231->94318 94233 a8f3f2 94271 a8f418 94233->94271 94321 ac9af1 48 API calls 94233->94321 94234 a8f770 94242 a8f77a 94234->94242 94243 af8a45 94234->94243 94236->94219 94236->94254 94236->94270 94236->94271 94237 a8d6e9 55 API calls 94237->94254 94239 a8fe30 346 API calls 94247 a8f6aa 94239->94247 94240 accc5c 86 API calls 94240->94254 94241 af8b7e 94330 ade40a 346 API calls Mailbox 94241->94330 94261 a91b90 48 API calls 94242->94261 94327 a9c1af 48 API calls 94243->94327 94244 af8c53 94335 accc5c 86 API calls 4 library calls 94244->94335 94245 af8810 94322 adeef8 346 API calls 94245->94322 94247->94234 94247->94239 
94247->94254 94257 a8f537 Mailbox 94247->94257 94258 a8fce0 94247->94258 94332 accc5c 86 API calls 4 library calls 94248->94332 94329 adf5ee 346 API calls 94249->94329 94250 af8beb 94333 adbdbd 346 API calls Mailbox 94250->94333 94254->94224 94254->94237 94254->94240 94254->94241 94254->94244 94254->94250 94254->94257 94254->94258 94262 a91b90 48 API calls 94254->94262 94316 a8dd47 48 API calls _memcpy_s 94254->94316 94328 ab97ed InterlockedDecrement 94254->94328 94336 a9c1af 48 API calls 94254->94336 94257->94188 94258->94257 94331 accc5c 86 API calls 4 library calls 94258->94331 94261->94254 94262->94254 94263 af8c00 94263->94257 94334 accc5c 86 API calls 4 library calls 94263->94334 94265 af884b 94323 adccdc 48 API calls 94265->94323 94268 af8823 94268->94265 94268->94271 94270->94221 94270->94233 94270->94254 94271->94230 94271->94247 94271->94254 94272 af8857 94274 af8865 94272->94274 94275 af88aa 94272->94275 94324 ac9b72 48 API calls 94274->94324 94278 af88a0 Mailbox 94275->94278 94325 aca69d 48 API calls 94275->94325 94276 a8fe30 346 API calls 94276->94257 94278->94276 94280 af88e7 94326 a8bc74 48 API calls 94280->94326 94283 a9479f 94282->94283 94284 a94637 94282->94284 94287 a8ce19 48 API calls 94283->94287 94285 af6e05 94284->94285 94286 a94643 94284->94286 94402 ade822 346 API calls Mailbox 94285->94402 94337 a94300 94286->94337 94294 a946e4 Mailbox 94287->94294 94290 af6e11 94291 a94739 Mailbox 94290->94291 94403 accc5c 86 API calls 4 library calls 94290->94403 94291->94188 94293 a94659 94293->94290 94293->94291 94293->94294 94296 ae0d09 129 API calls 94294->94296 94299 ad6ff0 346 API calls 94294->94299 94352 acfa0c 94294->94352 94393 a84252 94294->94393 94399 ac6524 94294->94399 94296->94291 94299->94291 94300->94188 94301->94188 94302->94188 94303->94133 94304->94136 94305->94141 94306->94188 94307->94188 94308->94184 94309->94184 94310->94184 94311->94184 94312->94184 94313->94184 94314->94214 94315->94216 94316->94254 94317->94222 94318->94236 
94319->94254 94320->94257 94321->94245 94322->94268 94323->94272 94324->94278 94325->94280 94326->94278 94327->94254 94328->94254 94329->94254 94330->94258 94331->94257 94332->94257 94333->94263 94334->94257 94335->94257 94336->94254 94338 af6e60 94337->94338 94341 a9432c 94337->94341 94405 accc5c 86 API calls 4 library calls 94338->94405 94340 af6e71 94406 accc5c 86 API calls 4 library calls 94340->94406 94341->94340 94349 a94366 _memcpy_s 94341->94349 94343 a94435 94348 a94445 94343->94348 94404 adcda2 82 API calls Mailbox 94343->94404 94345 a9f4ea 48 API calls 94345->94349 94346 a944b1 94346->94293 94347 a8fe30 346 API calls 94347->94349 94348->94293 94349->94343 94349->94345 94349->94347 94349->94348 94350 af6ebd 94349->94350 94407 accc5c 86 API calls 4 library calls 94350->94407 94353 acfa1c __ftell_nolock 94352->94353 94354 acfa44 94353->94354 94496 a8d286 48 API calls 94353->94496 94356 a8936c 81 API calls 94354->94356 94358 acfa5e 94356->94358 94357 acfb92 94357->94291 94358->94357 94359 acfb68 94358->94359 94360 acfa80 94358->94360 94408 a841a9 94359->94408 94362 a8936c 81 API calls 94360->94362 94368 acfa8c _wcscpy _wcschr 94362->94368 94364 acfb8e 94364->94357 94365 a8936c 81 API calls 94364->94365 94367 acfbc7 94365->94367 94366 a841a9 136 API calls 94366->94364 94432 aa1dfc 94367->94432 94372 acfab0 _wcscat _wcscpy 94368->94372 94375 acfade _wcscat 94368->94375 94370 a8936c 81 API calls 94371 acfafc _wcscpy 94370->94371 94497 ac72cb GetFileAttributesW 94371->94497 94373 a8936c 81 API calls 94372->94373 94373->94375 94375->94370 94376 acfb1c __NMSG_WRITE 94376->94357 94378 a8936c 81 API calls 94376->94378 94377 acfbeb _wcscat _wcscpy 94381 a8936c 81 API calls 94377->94381 94379 acfb48 94378->94379 94498 ac60dd 77 API calls 4 library calls 94379->94498 94383 acfc82 94381->94383 94382 acfb5c 94382->94357 94435 ac690b 94383->94435 94385 acfca2 94386 ac6524 3 API calls 94385->94386 94387 acfcb1 94386->94387 94388 a8936c 81 API calls 94387->94388 94390 
acfce2 94387->94390 94389 acfccb 94388->94389 94441 acbfa4 94389->94441 94392 a84252 84 API calls 94390->94392 94392->94357 94394 a8425c 94393->94394 94398 a84263 94393->94398 94395 aa35e4 __fcloseall 83 API calls 94394->94395 94395->94398 94396 a84272 94396->94291 94397 a84283 FreeLibrary 94397->94396 94398->94396 94398->94397 95251 ac6ca9 GetFileAttributesW 94399->95251 94402->94290 94403->94291 94404->94346 94405->94340 94406->94348 94407->94348 94499 a84214 94408->94499 94413 af4f73 94416 a84252 84 API calls 94413->94416 94414 a841d4 LoadLibraryExW 94509 a84291 94414->94509 94418 af4f7a 94416->94418 94420 a84291 3 API calls 94418->94420 94422 af4f82 94420->94422 94421 a841fb 94421->94422 94423 a84207 94421->94423 94535 a844ed 94422->94535 94424 a84252 84 API calls 94423->94424 94427 a8420c 94424->94427 94427->94364 94427->94366 94429 af4fa9 94543 a84950 94429->94543 94877 aa1e46 94432->94877 94436 ac6918 _wcschr __ftell_nolock 94435->94436 94437 aa1dfc __wsplitpath 47 API calls 94436->94437 94439 ac692e _wcscat _wcscpy 94436->94439 94438 ac695d 94437->94438 94440 aa1dfc __wsplitpath 47 API calls 94438->94440 94439->94385 94440->94439 94442 acbfb1 __ftell_nolock 94441->94442 94443 a9f4ea 48 API calls 94442->94443 94444 acc00e 94443->94444 94445 a847b7 48 API calls 94444->94445 94446 acc018 94445->94446 94447 acbdb4 GetSystemTimeAsFileTime 94446->94447 94448 acc023 94447->94448 94449 a84517 83 API calls 94448->94449 94450 acc036 _wcscmp 94449->94450 94451 acc05a 94450->94451 94452 acc107 94450->94452 94933 acc56d 94451->94933 94454 acc56d 94 API calls 94452->94454 94469 acc0d3 _wcscat 94454->94469 94456 aa1dfc __wsplitpath 47 API calls 94461 acc088 _wcscat _wcscpy 94456->94461 94457 a844ed 64 API calls 94458 acc12c 94457->94458 94460 a844ed 64 API calls 94458->94460 94459 acc110 94459->94390 94462 acc13c 94460->94462 94464 aa1dfc __wsplitpath 47 API calls 94461->94464 94463 a844ed 64 API calls 94462->94463 94465 acc157 94463->94465 94464->94469 94466 a844ed 64 
API calls 94465->94466 94467 acc167 94466->94467 94468 a844ed 64 API calls 94467->94468 94470 acc182 94468->94470 94469->94457 94469->94459 94471 a844ed 64 API calls 94470->94471 94472 acc192 94471->94472 94473 a844ed 64 API calls 94472->94473 94474 acc1a2 94473->94474 94475 a844ed 64 API calls 94474->94475 94476 acc1b2 94475->94476 94903 acc71a GetTempPathW GetTempFileNameW 94476->94903 94478 acc1be 94479 aa3499 117 API calls 94478->94479 94485 acc1cf 94479->94485 94481 acc294 94483 acc2ae 94481->94483 94484 acc29a DeleteFileW 94481->94484 94482 a844ed 64 API calls 94482->94485 94486 acc2b8 94483->94486 94487 acc342 CopyFileW 94483->94487 94484->94459 94485->94459 94485->94482 94494 acc289 94485->94494 94904 aa2aae 94485->94904 94939 acb965 94486->94939 94488 acc358 DeleteFileW 94487->94488 94489 acc36a DeleteFileW 94487->94489 94488->94459 94930 acc6d9 CreateFileW 94489->94930 94917 aa35e4 94494->94917 94495 acc331 DeleteFileW 94495->94459 94496->94354 94497->94376 94498->94382 94548 a84339 94499->94548 94502 a8423c 94504 a841bb 94502->94504 94505 a84244 FreeLibrary 94502->94505 94506 aa3499 94504->94506 94505->94504 94556 aa34ae 94506->94556 94508 a841c8 94508->94413 94508->94414 94673 a842e4 94509->94673 94512 a842b8 94514 a841ec 94512->94514 94515 a842c1 FreeLibrary 94512->94515 94516 a84380 94514->94516 94515->94514 94517 a9f4ea 48 API calls 94516->94517 94518 a84395 94517->94518 94681 a847b7 94518->94681 94520 a843dc 94524 a84950 57 API calls 94520->94524 94521 a843a1 _memcpy_s 94521->94520 94522 a84499 94521->94522 94523 a844d1 94521->94523 94684 a8406b CreateStreamOnHGlobal 94522->94684 94695 acc750 93 API calls 94523->94695 94532 a843e5 94524->94532 94527 a844ed 64 API calls 94527->94532 94528 a84479 94528->94421 94530 af4ed7 94531 a84517 83 API calls 94530->94531 94533 af4eeb 94531->94533 94532->94527 94532->94528 94532->94530 94690 a84517 94532->94690 94534 a844ed 64 API calls 94533->94534 94534->94528 94536 a844ff 94535->94536 94537 af4fc0 94535->94537 
94719 aa381e 94536->94719 94540 acbf5a 94854 acbdb4 94540->94854 94542 acbf70 94542->94429 94544 a8495f 94543->94544 94545 af5002 94543->94545 94859 aa3e65 94544->94859 94547 a84967 94552 a8434b 94548->94552 94551 a84321 LoadLibraryA GetProcAddress 94551->94502 94553 a8422f 94552->94553 94554 a84354 LoadLibraryA 94552->94554 94553->94502 94553->94551 94554->94553 94555 a84365 GetProcAddress 94554->94555 94555->94553 94558 aa34ba __fcloseall 94556->94558 94557 aa34cd 94604 aa7c0e 47 API calls __getptd_noexit 94557->94604 94558->94557 94561 aa34fe 94558->94561 94560 aa34d2 94605 aa6e10 8 API calls __wcsicmp_l 94560->94605 94575 aae4c8 94561->94575 94564 aa3503 94565 aa3519 94564->94565 94566 aa350c 94564->94566 94568 aa3543 94565->94568 94569 aa3523 94565->94569 94606 aa7c0e 47 API calls __getptd_noexit 94566->94606 94589 aae5e0 94568->94589 94607 aa7c0e 47 API calls __getptd_noexit 94569->94607 94572 aa34dd __fcloseall @_EH4_CallFilterFunc@8 94572->94508 94576 aae4d4 __fcloseall 94575->94576 94609 aa7cf4 94576->94609 94578 aae4e2 94579 aae559 94578->94579 94587 aae552 94578->94587 94619 aa7d7c 94578->94619 94643 aa4e5b 48 API calls __lock 94578->94643 94644 aa4ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94578->94644 94645 aa69d0 47 API calls __crtGetStringTypeA_stat 94579->94645 94582 aae5cc __fcloseall 94582->94564 94583 aae560 94584 aae56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94583->94584 94583->94587 94584->94587 94616 aae5d7 94587->94616 94591 aae600 __wopenfile 94589->94591 94590 aae61a 94657 aa7c0e 47 API calls __getptd_noexit 94590->94657 94591->94590 94603 aae7d5 94591->94603 94659 aa185b 59 API calls 2 library calls 94591->94659 94593 aae61f 94658 aa6e10 8 API calls __wcsicmp_l 94593->94658 94595 aae838 94654 ab63c9 94595->94654 94596 aa354e 94608 aa3570 LeaveCriticalSection LeaveCriticalSection _fprintf 94596->94608 94599 aae7ce 94599->94603 94660 aa185b 59 API calls 2 library calls 94599->94660 94601 aae7ed 94601->94603 
[Execution graph edge listing not reproduced: the extracted text consists only of numeric node ids, function addresses and node->node edges. Windows API calls that appear as graph nodes include IsDebuggerPresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter, LoadLibraryA/GetProcAddress, FindResourceExW/LoadResource/SizeofResource/LockResource, RegOpenKeyExW/RegQueryValueExW/RegCloseKey, GetVersionExW/GetSystemInfo/GetNativeSystemInfo, GetTempPathW, GetModuleFileNameW, GetCurrentDirectoryW/SetCurrentDirectoryW, Shell_NotifyIconW, SetTimer/KillTimer, CreatePopupMenu, MessageBoxA, ReadFile/ReadConsoleW/MultiByteToWideChar, GetCommandLineW/GetEnvironmentStringsW, RtlAllocateHeap, TlsAlloc/TlsSetValue, IsThemeActive and SystemParametersInfoW.]

            Control-flow Graph

            • Rendered graph not reproduced (executed / not-executed block colouring lost in extraction); entry block aab043, blocks on the graph call WriteFile, GetConsoleMode, GetConsoleCP, WideCharToMultiByte and GetLastError
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fe05c32cc485aa11e71dfc1c3cb9b92f19f4ec737aa4530ba3b051aabfc6675
            • Instruction ID: 2e1bc427c19555e3fc95b78b5fdb98febd7199fa7bb8891ef562b3b845374a3d
            • Opcode Fuzzy Hash: 2fe05c32cc485aa11e71dfc1c3cb9b92f19f4ec737aa4530ba3b051aabfc6675
            • Instruction Fuzzy Hash: 8D325F75B122288FCB24DF58DD416E9B7B5FB4B310F1841D9E40AA7A92D7349E80CF62

            Control-flow Graph

            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00A83AA3,?), ref: 00A83D45
            • IsDebuggerPresent.KERNEL32(?,?,?,?,00A83AA3,?), ref: 00A83D57
            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00B41148,00B41130,?,?,?,?,00A83AA3,?), ref: 00A83DC8
              • Part of subcall function 00A86430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A83DEE,00B41148,?,?,?,?,?,00A83AA3,?), ref: 00A86471
            • SetCurrentDirectoryW.KERNEL32(?,?,?,00A83AA3,?), ref: 00A83E48
            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00B328F4,00000010), ref: 00AF1CCE
            • SetCurrentDirectoryW.KERNEL32(?,00B41148,?,?,?,?,?,00A83AA3,?), ref: 00AF1D06
            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B1DAB4,00B41148,?,?,?,?,?,00A83AA3,?), ref: 00AF1D89
            • ShellExecuteW.SHELL32(00000000,?,?,?,?,00A83AA3), ref: 00AF1D90
              • Part of subcall function 00A83E6E: GetSysColorBrush.USER32(0000000F), ref: 00A83E79
              • Part of subcall function 00A83E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00A83E88
              • Part of subcall function 00A83E6E: LoadIconW.USER32(00000063), ref: 00A83E9E
              • Part of subcall function 00A83E6E: LoadIconW.USER32(000000A4), ref: 00A83EB0
              • Part of subcall function 00A83E6E: LoadIconW.USER32(000000A2), ref: 00A83EC2
              • Part of subcall function 00A83E6E: RegisterClassExW.USER32(?), ref: 00A83F30
              • Part of subcall function 00A836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A836E6
              • Part of subcall function 00A836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A83707
              • Part of subcall function 00A836B8: ShowWindow.USER32(00000000,?,?,?,?,00A83AA3,?), ref: 00A8371B
              • Part of subcall function 00A836B8: ShowWindow.USER32(00000000,?,?,?,?,00A83AA3,?), ref: 00A83724
              • Part of subcall function 00A84FFC: _memset.LIBCMT ref: 00A85022
              • Part of subcall function 00A84FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A850CB
            Strings
            • runas, xrefs: 00AF1D84
            • This is a third-party compiled AutoIt script., xrefs: 00AF1CC8
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
            • String ID: This is a third-party compiled AutoIt script.$runas
            • API String ID: 438480954-3287110873
            • Opcode ID: b9bee9e894de47725c580678b0784f0de688cd5b9cba022308462110cffffb40
            • Instruction ID: c40c259f1c07f4e75e0715bbbcd56a4ce93a59d0242f0528fabf8c305329f070
            • Opcode Fuzzy Hash: b9bee9e894de47725c580678b0784f0de688cd5b9cba022308462110cffffb40
            • Instruction Fuzzy Hash: 9B51E336E04248AADF11BBF8DD46EAE7BB5AF16B00F0045A5F601731A2DE744B859B21

            Control-flow Graph

            • Rendered graph not reproduced (executed / not-executed block colouring lost in extraction); entry block a9ddc0, blocks on the graph call GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo and FreeLibrary
            APIs
            • GetVersionExW.KERNEL32(?), ref: 00A9DDEC
            • GetCurrentProcess.KERNEL32(00000000,00B1DC38,?,?), ref: 00A9DEAC
            • GetNativeSystemInfo.KERNELBASE(?,00B1DC38,?,?), ref: 00A9DF01
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 00A9DF0C
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 00A9DF1F
            • GetSystemInfo.KERNEL32(?,00B1DC38,?,?), ref: 00A9DF29
            • GetSystemInfo.KERNEL32(?,00B1DC38,?,?), ref: 00A9DF35
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
            • String ID:
            • API String ID: 3851250370-0
            • Opcode ID: 8cb034b5acc477e3855ab18195740187efb15f41db76e63c3fb1781b5c14eb53
            • Instruction ID: f2d3ddaf4c2c1cf24d5d39d40ccab4edb24294f7e03e7ac9c459319e9517d5ec
            • Opcode Fuzzy Hash: 8cb034b5acc477e3855ab18195740187efb15f41db76e63c3fb1781b5c14eb53
            • Instruction Fuzzy Hash: 0661B2B190A384DFCF15CFA898C11E9BFB4AF29300B1989D9D8459F247C674C949CB65

            Control-flow Graph

            • Rendered graph not reproduced (executed / not-executed block colouring lost in extraction); entry block a8406b, blocks on the graph call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource
            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A8449E,?,?,00000000,00000001), ref: 00A8407B
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A8449E,?,?,00000000,00000001), ref: 00A84092
            • LoadResource.KERNEL32(?,00000000,?,?,00A8449E,?,?,00000000,00000001,?,?,?,?,?,?,00A841FB), ref: 00AF4F1A
            • SizeofResource.KERNEL32(?,00000000,?,?,00A8449E,?,?,00000000,00000001,?,?,?,?,?,?,00A841FB), ref: 00AF4F2F
            • LockResource.KERNEL32(00A8449E,?,?,00A8449E,?,?,00000000,00000001,?,?,?,?,?,?,00A841FB,00000000), ref: 00AF4F42
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: 46f5b602babaf6ad7d22bcf47971f892f5609080b9b46c590c336effe9466d27
            • Instruction ID: c54b6b415e19e57020d19a06687ab6272ca9f46ba13d806f960614a78b91c2b1
            • Opcode Fuzzy Hash: 46f5b602babaf6ad7d22bcf47971f892f5609080b9b46c590c336effe9466d27
            • Instruction Fuzzy Hash: 14110C71200701BFE7219B65EC49F677BB9EBC9B51F14856CF616972A0DB71DC008B60
            APIs
            • GetFileAttributesW.KERNELBASE(?,00AF2F49), ref: 00AC6CB9
            • FindFirstFileW.KERNELBASE(?,?), ref: 00AC6CCA
            • FindClose.KERNEL32(00000000), ref: 00AC6CDA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirst
            • String ID:
            • API String ID: 48322524-0
            • Opcode ID: 91d6b4d51bf5b6ccc2ddd34eec01997c9e406da70967d42f4f3af2ebd7d0fe39
            • Instruction ID: b063c2df39ca3ee6285cd7400a3b202d8b85ea804fe429cb10cf5a4ca761f7c3
            • Opcode Fuzzy Hash: 91d6b4d51bf5b6ccc2ddd34eec01997c9e406da70967d42f4f3af2ebd7d0fe39
            • Instruction Fuzzy Hash: E1E0DF31818410ABC220A778EC0D8EA37ACEE16339F10070AF872D21E0EF74DD0086D6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Exception@8Throwstd::exception::exception
            • String ID: @
            • API String ID: 3728558374-2766056989
            • Opcode ID: f77ace125e556cbc51c2aff6ecdca8b23f7656b29c3eed4fe4f36d624cadc7cb
            • Instruction ID: 552a855427bb4255c7e27fc1b0fca5112d59377a7de67ac734e7be9095074144
            • Opcode Fuzzy Hash: f77ace125e556cbc51c2aff6ecdca8b23f7656b29c3eed4fe4f36d624cadc7cb
            • Instruction Fuzzy Hash: 37728A75A04209ABCF14EF94C581EBEB7F5EF48310F14805AF90AAB291D771AE45CB91
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID:
            • API String ID: 3964851224-0
            • Opcode ID: dee0e79fe033393c4fea98533a581870fdbac6d6e67f0c196a6dc103d84b1b64
            • Instruction ID: a6e6c6eb1e0611653af486091c7c4c4ff74c445ed8e22a018deb6b4e161ff999
            • Opcode Fuzzy Hash: dee0e79fe033393c4fea98533a581870fdbac6d6e67f0c196a6dc103d84b1b64
            • Instruction Fuzzy Hash: 619257716083419FDB24DF18C584B6ABBF1BF88308F14885DF99A8B2A2D771ED45CB52
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8E959
            • timeGetTime.WINMM ref: 00A8EBFA
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8ED2E
            • TranslateMessage.USER32(?), ref: 00A8ED3F
            • DispatchMessageW.USER32(?), ref: 00A8ED4A
            • LockWindowUpdate.USER32(00000000), ref: 00A8ED79
            • DestroyWindow.USER32 ref: 00A8ED85
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A8ED9F
            • Sleep.KERNEL32(0000000A), ref: 00AF5270
            • TranslateMessage.USER32(?), ref: 00AF59F7
            • DispatchMessageW.USER32(?), ref: 00AF5A05
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00AF5A19
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
            • API String ID: 2641332412-570651680
            • Opcode ID: b01284162ce8dad0a32edd3e774b896c8b6cbe06c59d357a54f1deb04bb6ad08
            • Instruction ID: f272dfd623033e3067b9d515e822c8088e03e4e72889253df7a25719c1181c31
            • Opcode Fuzzy Hash: b01284162ce8dad0a32edd3e774b896c8b6cbe06c59d357a54f1deb04bb6ad08
            • Instruction Fuzzy Hash: 7062D570A08344DFDB24EF64C985BAA77E4BF45304F14497DFA8A8B292DB71D848CB52
            APIs
            • ___createFile.LIBCMT ref: 00AB5EC3
            • ___createFile.LIBCMT ref: 00AB5F04
            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00AB5F2D
            • __dosmaperr.LIBCMT ref: 00AB5F34
            • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00AB5F47
            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00AB5F6A
            • __dosmaperr.LIBCMT ref: 00AB5F73
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00AB5F7C
            • __set_osfhnd.LIBCMT ref: 00AB5FAC
            • __lseeki64_nolock.LIBCMT ref: 00AB6016
            • __close_nolock.LIBCMT ref: 00AB603C
            • __chsize_nolock.LIBCMT ref: 00AB606C
            • __lseeki64_nolock.LIBCMT ref: 00AB607E
            • __lseeki64_nolock.LIBCMT ref: 00AB6176
            • __lseeki64_nolock.LIBCMT ref: 00AB618B
            • __close_nolock.LIBCMT ref: 00AB61EB
              • Part of subcall function 00AAEA9C: FindCloseChangeNotification.KERNELBASE(00000000,00B2EEF4,00000000,?,00AB6041,00B2EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AAEAEC
              • Part of subcall function 00AAEA9C: GetLastError.KERNEL32(?,00AB6041,00B2EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AAEAF6
              • Part of subcall function 00AAEA9C: __free_osfhnd.LIBCMT ref: 00AAEB03
              • Part of subcall function 00AAEA9C: __dosmaperr.LIBCMT ref: 00AAEB25
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            • __lseeki64_nolock.LIBCMT ref: 00AB620D
            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00AB6342
            • ___createFile.LIBCMT ref: 00AB6361
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AB636E
            • __dosmaperr.LIBCMT ref: 00AB6375
            • __free_osfhnd.LIBCMT ref: 00AB6395
            • __invoke_watson.LIBCMT ref: 00AB63C3
            • __wsopen_helper.LIBCMT ref: 00AB63DD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$Close___create$Handle__close_nolock__free_osfhnd$ChangeFindNotificationType__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
            • String ID: @
            • API String ID: 3388700018-2766056989
            • Opcode ID: 8d1b45d9af42a76a016581153c5e749b3902d85f3eaf24292529ad616b8535b1
            • Instruction ID: d0edb14122a46de4680f311034d0b0389d18f89fe2f65508c5780e82e59eba75
            • Opcode Fuzzy Hash: 8d1b45d9af42a76a016581153c5e749b3902d85f3eaf24292529ad616b8535b1
            • Instruction Fuzzy Hash: 30221371D0060A9BEB299F78DC45BFD7B79EB15320F284229E5219B2D3C73A8D50CB51
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __getptd_noexit
            • String ID:
            • API String ID: 3074181302-0
            • Opcode ID: a408715ece70e9abc7bf3ca8eb48ffd6a2b24153056561c1f2294666dd6a433c
            • Instruction ID: 7d927c8142e9a71499f92e831db178902179dd8d2e7f8f7da0fa31a9aa08cd4b
            • Opcode Fuzzy Hash: a408715ece70e9abc7bf3ca8eb48ffd6a2b24153056561c1f2294666dd6a433c
            • Instruction Fuzzy Hash: 37324774E04252DFDB29DFA8C880BADBBB1AF57310F24416AE9559F2D2D7309942C760

            Control-flow Graph

            APIs
            • _wcscpy.LIBCMT ref: 00ACFA96
            • _wcschr.LIBCMT ref: 00ACFAA4
            • _wcscpy.LIBCMT ref: 00ACFABB
            • _wcscat.LIBCMT ref: 00ACFACA
            • _wcscat.LIBCMT ref: 00ACFAE8
            • _wcscpy.LIBCMT ref: 00ACFB09
            • __wsplitpath.LIBCMT ref: 00ACFBE6
            • _wcscpy.LIBCMT ref: 00ACFC0B
            • _wcscpy.LIBCMT ref: 00ACFC1D
            • _wcscpy.LIBCMT ref: 00ACFC32
            • _wcscat.LIBCMT ref: 00ACFC47
            • _wcscat.LIBCMT ref: 00ACFC59
            • _wcscat.LIBCMT ref: 00ACFC6E
              • Part of subcall function 00ACBFA4: _wcscmp.LIBCMT ref: 00ACC03E
              • Part of subcall function 00ACBFA4: __wsplitpath.LIBCMT ref: 00ACC083
              • Part of subcall function 00ACBFA4: _wcscpy.LIBCMT ref: 00ACC096
              • Part of subcall function 00ACBFA4: _wcscat.LIBCMT ref: 00ACC0A9
              • Part of subcall function 00ACBFA4: __wsplitpath.LIBCMT ref: 00ACC0CE
              • Part of subcall function 00ACBFA4: _wcscat.LIBCMT ref: 00ACC0E4
              • Part of subcall function 00ACBFA4: _wcscat.LIBCMT ref: 00ACC0F7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
            • String ID: >>>AUTOIT SCRIPT<<<
            • API String ID: 2955681530-2806939583
            • Opcode ID: 059ccc9752258fe653d10f350fcb9d86a83189466019bb0242f6f8a4ecbb0e9e
            • Instruction ID: 2a5f34104c7fdbeada297e83c0a8e632c59b29c03739e6e855a672beb403a98b
            • Opcode Fuzzy Hash: 059ccc9752258fe653d10f350fcb9d86a83189466019bb0242f6f8a4ecbb0e9e
            • Instruction Fuzzy Hash: 38919172504305AFDB11EB54C951F9BB3E9FF48314F04486DF9599B292DB30EA44CB91

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00A83F86
            • RegisterClassExW.USER32(00000030), ref: 00A83FB0
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A83FC1
            • InitCommonControlsEx.COMCTL32(?), ref: 00A83FDE
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A83FEE
            • LoadIconW.USER32(000000A9), ref: 00A84004
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A84013
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: d4ad13f8a5374ad96808db5314c6511ae7501b59db900e6d9f15e732cecd15ef
            • Instruction ID: 737ab478c8f0cce20b6e75d252cebaf38e2afab56bb29b325dfc40a26af658ab
            • Opcode Fuzzy Hash: d4ad13f8a5374ad96808db5314c6511ae7501b59db900e6d9f15e732cecd15ef
            • Instruction Fuzzy Hash: 8521C9B9D00318AFDB00DFE8E889BCDBBB4FB19700F11461AF515A72A0DBB546848F91

            Control-flow Graph
            • Basic blocks 00ACBFA4-00ACC393; API calls shown in the graph: DeleteFileW (4 call sites), CopyFileW
            APIs
              • Part of subcall function 00ACBDB4: __time64.LIBCMT ref: 00ACBDBE
              • Part of subcall function 00A84517: _fseek.LIBCMT ref: 00A8452F
            • __wsplitpath.LIBCMT ref: 00ACC083
              • Part of subcall function 00AA1DFC: __wsplitpath_helper.LIBCMT ref: 00AA1E3C
            • _wcscpy.LIBCMT ref: 00ACC096
            • _wcscat.LIBCMT ref: 00ACC0A9
            • __wsplitpath.LIBCMT ref: 00ACC0CE
            • _wcscat.LIBCMT ref: 00ACC0E4
            • _wcscat.LIBCMT ref: 00ACC0F7
            • _wcscmp.LIBCMT ref: 00ACC03E
              • Part of subcall function 00ACC56D: _wcscmp.LIBCMT ref: 00ACC65D
              • Part of subcall function 00ACC56D: _wcscmp.LIBCMT ref: 00ACC670
            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ACC2A1
            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ACC338
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00ACC34E
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ACC35F
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00ACC371
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
            • String ID:
            • API String ID: 2378138488-0
            • Opcode ID: efef0edb64c8ad55755262111965c2c6c6e303029b7ce60ea070940227618b17
            • Instruction ID: 0ffaa4a252fbf40dcf95a66d67cf1f972b81bb6cbb6b70a8bb9a0218e3417e92
            • Opcode Fuzzy Hash: efef0edb64c8ad55755262111965c2c6c6e303029b7ce60ea070940227618b17
            • Instruction Fuzzy Hash: C7C119B1900219AFDF11EFA5CD81FDEBBB8AF49310F0040AAF609E7151DB319A848F65

            Control-flow Graph
            • Basic blocks 00A83742-00A83845 and 00AF1DA3-00AF1EA2 (the function spans two code ranges); API calls shown in the graph: DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow, SetFocus
            APIs
            • DefWindowProcW.USER32(?,?,?,?), ref: 00A837B3
            • KillTimer.USER32(?,00000001), ref: 00A837DD
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A83800
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A8380B
            • CreatePopupMenu.USER32 ref: 00A8381F
            • PostQuitMessage.USER32(00000000), ref: 00A8382E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: 9bc7e6adb5ace9a43bdb9fa0267e93724e74a50bdedcf162e4da03074ae5f02d
            • Instruction ID: 7ff841da03e7968dcb23423c516126e42a9583ec2f7e536c3c50b78ca7b10452
            • Opcode Fuzzy Hash: 9bc7e6adb5ace9a43bdb9fa0267e93724e74a50bdedcf162e4da03074ae5f02d
            • Instruction Fuzzy Hash: 314115F7604249ABDF14FBACED4AB7A3AA9F711B00F000529FA0293191DF65DF909761

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00A83E79
            • LoadCursorW.USER32(00000000,00007F00), ref: 00A83E88
            • LoadIconW.USER32(00000063), ref: 00A83E9E
            • LoadIconW.USER32(000000A4), ref: 00A83EB0
            • LoadIconW.USER32(000000A2), ref: 00A83EC2
              • Part of subcall function 00A84024: LoadImageW.USER32(00A80000,00000063,00000001,00000010,00000010,00000000), ref: 00A84048
            • RegisterClassExW.USER32(?), ref: 00A83F30
              • Part of subcall function 00A83F53: GetSysColorBrush.USER32(0000000F), ref: 00A83F86
              • Part of subcall function 00A83F53: RegisterClassExW.USER32(00000030), ref: 00A83FB0
              • Part of subcall function 00A83F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A83FC1
              • Part of subcall function 00A83F53: InitCommonControlsEx.COMCTL32(?), ref: 00A83FDE
              • Part of subcall function 00A83F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A83FEE
              • Part of subcall function 00A83F53: LoadIconW.USER32(000000A9), ref: 00A84004
              • Part of subcall function 00A83F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A84013
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: a4704a9c376f0143b544ff4ed4effca1e2e3db6dc759744b7b35c2847cb5b7ab
            • Instruction ID: bb728144f2f35fc20eb8c4dc3955b04e12a09fc87e4cb24655326f07a9892e75
            • Opcode Fuzzy Hash: a4704a9c376f0143b544ff4ed4effca1e2e3db6dc759744b7b35c2847cb5b7ab
            • Instruction Fuzzy Hash: A8213EB9D00314AFCB10DFADEC45A99BFF5FB49710F00852AE214A73A0DB754A848F91

            Control-flow Graph
            • Basic blocks 00AAACB3-00AAAF57; API calls shown in the graph: GetStartupInfoW, GetFileType, InitializeCriticalSectionAndSpinCount, GetStdHandle
            APIs
            • __lock.LIBCMT ref: 00AAACC1
              • Part of subcall function 00AA7CF4: __mtinitlocknum.LIBCMT ref: 00AA7D06
              • Part of subcall function 00AA7CF4: EnterCriticalSection.KERNEL32(00000000,?,00AA7ADD,0000000D), ref: 00AA7D1F
            • __calloc_crt.LIBCMT ref: 00AAACD2
              • Part of subcall function 00AA6986: __calloc_impl.LIBCMT ref: 00AA6995
              • Part of subcall function 00AA6986: Sleep.KERNEL32(00000000,000003BC,00A9F507,?,0000000E), ref: 00AA69AC
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 00AAACED
            • GetStartupInfoW.KERNEL32(?,00B36E28,00000064,00AA5E91,00B36C70,00000014), ref: 00AAAD46
            • __calloc_crt.LIBCMT ref: 00AAAD91
            • GetFileType.KERNEL32(00000001), ref: 00AAADD8
            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00AAAE11
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
            • String ID:
            • API String ID: 1426640281-0
            • Opcode ID: 4fd8978372bdc704166c8e218926983cedfa54b6ea347c220884d97ddfaf284f
            • Instruction ID: 6f00a634b12867f11e5176a51a4d1fccb13a476cecfdbc06e50aaae21c87e04d
            • Opcode Fuzzy Hash: 4fd8978372bdc704166c8e218926983cedfa54b6ea347c220884d97ddfaf284f
            • Instruction Fuzzy Hash: 8D81F6719053558FDB24CF68C9805ADBBF0BF2B324B24426DE4A6AB3D1D7349843CB56

            Control-flow Graph
            • Basic blocks 039725F0-039728F2; API calls shown in the graph, in address order: CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, FindCloseChangeNotification, VirtualFree, VirtualFree; calls into other code in the same unbacked region at 03970000, 03973500, 03973750 and 03973560
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 039726C1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 039728E7
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
            • Instruction ID: 9d05d162a9a34981a838b57070d32c0dfd5728abb69507df08fa17981b8f6bf5
            • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
            • Instruction Fuzzy Hash: B5A12874E10208EBDB14CFA4C994BEEB7B9BF48704F208999E141BB2C0D7759A81CF94

            Control-flow Graph
            • Basic blocks 00A849FB-00A84A2F and 00AF41CC-00AF424F; API calls shown in the graph: RegOpenKeyExW, RegQueryValueExW (2 call sites), RegCloseKey
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00A84A1D
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AF41DB
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AF421A
            • RegCloseKey.ADVAPI32(?), ref: 00AF4249
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: QueryValue$CloseOpen
            • String ID: Include$Software\AutoIt v3\AutoIt
            • API String ID: 1586453840-614718249
            • Opcode ID: dcb4eaf0321f3ff24b8835952f05b3322cbe239fbcb401c2add951179c9d8f58
            • Instruction ID: 30f63f1e161c08091d294f3ff7035222fb568ad0af49039cec0463195e4a9902
            • Opcode Fuzzy Hash: dcb4eaf0321f3ff24b8835952f05b3322cbe239fbcb401c2add951179c9d8f58
            • Instruction Fuzzy Hash: 61113A71A00109BEEB04ABE4CE96DFF7BBCEF18344F004469B506E71A1EA70AE419B50

            Control-flow Graph
            • Single basic block 00A836B8-00A83728; API calls shown in the graph: CreateWindowExW (2 call sites), ShowWindow (2 call sites)
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A836E6
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A83707
            • ShowWindow.USER32(00000000,?,?,?,?,00A83AA3,?), ref: 00A8371B
            • ShowWindow.USER32(00000000,?,?,?,?,00A83AA3,?), ref: 00A83724
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: d6a6549f50ccc0003c238c3948107767d52e31a284295d7c8ae6da4245301984
            • Instruction ID: 1e453cd9ca63e5caa77cb5d4d4d38c02b181e0f70b29617db633c0f0e9a46e17
            • Opcode Fuzzy Hash: d6a6549f50ccc0003c238c3948107767d52e31a284295d7c8ae6da4245301984
            • Instruction Fuzzy Hash: 53F0DA799802D07AE731979BAC08E672E7EE7C7F20B00441ABA04A32B0C96509D5DAB1

            Control-flow Graph
            • Basic blocks 039723B0-039725A4; API calls shown in the graph, in address order: CreateFileW, VirtualAlloc, ReadFile, ExitProcess; calls into other code in the same unbacked region at 03970000, 039722A0, 039722E0, 039712A0 and 03972330
            APIs
              • Part of subcall function 039722A0: Sleep.KERNELBASE(000001F4), ref: 039722B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 039724DE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: YBO83U2XHDH16FYIR
            • API String ID: 2694422964-2922396156
            • Opcode ID: abe1fd285c5cf130b661f67bb85ed0801763cff407203f4a8fc5f8584efa6456
            • Instruction ID: 9b45bfbf99bf3e8de344e41d862f3b259369b35b8bade61dc8b0a757129c0209
            • Opcode Fuzzy Hash: abe1fd285c5cf130b661f67bb85ed0801763cff407203f4a8fc5f8584efa6456
            • Instruction Fuzzy Hash: 9A518F30D14348EBEF11DBB4C854BEEBB79AF59700F004599E249BB2C1D6B91B44CB65
            APIs
            • _memset.LIBCMT ref: 00A8522F
            • _wcscpy.LIBCMT ref: 00A85283
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A85293
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AF3CB0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_memset_wcscpy
            • String ID: Line:
            • API String ID: 1053898822-1585850449
            • Opcode ID: c7650f0a2ed2a402d79952bbc9f7732dfdd3a5749952ab03abb78592458d9924
            • Instruction ID: cec68671c2e6480d98e56d7c9af901adaf659c869b90ef0388f1ea132a935902
            • Opcode Fuzzy Hash: c7650f0a2ed2a402d79952bbc9f7732dfdd3a5749952ab03abb78592458d9924
            • Instruction Fuzzy Hash: 43317E71808740AED725FB64DD46FDAB7E8AB45310F004A1EF98593191EF70A688CB96
            APIs
              • Part of subcall function 00A841A9: LoadLibraryExW.KERNELBASE(00000001,00000000,00000002,?,?,?,?,00A839FE,?,00000001), ref: 00A841DB
            • _free.LIBCMT ref: 00AF36B7
            • _free.LIBCMT ref: 00AF36FE
              • Part of subcall function 00A8C833: __wsplitpath.LIBCMT ref: 00A8C93E
              • Part of subcall function 00A8C833: _wcscpy.LIBCMT ref: 00A8C953
              • Part of subcall function 00A8C833: _wcscat.LIBCMT ref: 00A8C968
              • Part of subcall function 00A8C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00A8C978
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
            • API String ID: 805182592-1757145024
            • Opcode ID: 1761db4563f6fbb281e49ce86bc9e6102780cc29fea52dafb3e0847394827e0e
            • Instruction ID: ef0650de4b884dd68782244e1f227ebc5392ce31929cb0c5af27f9ae056d9ab9
            • Opcode Fuzzy Hash: 1761db4563f6fbb281e49ce86bc9e6102780cc29fea52dafb3e0847394827e0e
            • Instruction Fuzzy Hash: B7914D72A10219AFCF04EFA4CD919FEB7B4BF18310F104429F916EB291DB749A45CBA0
            APIs
              • Part of subcall function 00A85374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B41148,?,00A861FF,?,00000000,00000001,00000000), ref: 00A85392
              • Part of subcall function 00A849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00A84A1D
            • _wcscat.LIBCMT ref: 00AF2D80
            • _wcscat.LIBCMT ref: 00AF2DB5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _wcscat$FileModuleNameOpen
            • String ID: \$\Include\
            • API String ID: 3592542968-2640467822
            • Opcode ID: 9800ade2e41f74de0ee41cf1b012e963ae4286a27573ff82172331ac5ff24540
            • Instruction ID: 709f0d411d69debb308c350d8af26e510418b0fc1d779e9d3310afe59317179a
            • Opcode Fuzzy Hash: 9800ade2e41f74de0ee41cf1b012e963ae4286a27573ff82172331ac5ff24540
            • Instruction Fuzzy Hash: 5851827A4043409FD714EF65DA829AAB7F4FF5A310BC0492EF644A3261EF309B48DB52
            APIs
            • __getstream.LIBCMT ref: 00AA34FE
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            • @_EH4_CallFilterFunc@8.LIBCMT ref: 00AA3539
            • __wopenfile.LIBCMT ref: 00AA3549
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
            • String ID: <G
            • API String ID: 1820251861-2138716496
            • Opcode ID: 4b4181dee3edb6d814e3852bceadcda8c7b213f9c1215b80e99b33a1f0bed322
            • Instruction ID: 8029e2f9199605f0e43fe3c1900c3d8f0abef61c3eee86021f093672cf51dd51
            • Opcode Fuzzy Hash: 4b4181dee3edb6d814e3852bceadcda8c7b213f9c1215b80e99b33a1f0bed322
            • Instruction Fuzzy Hash: 2211C472A003069FDF52BF749D4266E76A4AF4B350B148425F415C71C1EB34CA119BA1
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A9D28B,SwapMouseButtons,00000004,?), ref: 00A9D2BC
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A9D28B,SwapMouseButtons,00000004,?,?,?,?,00A9C865), ref: 00A9D2DD
            • RegCloseKey.KERNELBASE(00000000,?,?,00A9D28B,SwapMouseButtons,00000004,?,?,?,?,00A9C865), ref: 00A9D2FF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: cfdbd0f2503f4a95067e7b2735a55ba14ae32c982a8f60fb219cb43e2b10cc55
            • Instruction ID: 4ff5b4de93cf340cd88bdb03ca3b4ca161d158e05c6475385fafbab76240d200
            • Opcode Fuzzy Hash: cfdbd0f2503f4a95067e7b2735a55ba14ae32c982a8f60fb219cb43e2b10cc55
            • Instruction Fuzzy Hash: 86112775611218BFDF218FA8CC84EAF7BF8EF54745B104469A805DB110E731AE819B60
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03971A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03971AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03971B13
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
            • Instruction ID: d41fac66ccaba8fe449c5e60d3fe3f5a47abed7dc9be0481b8fa11af08c96227
            • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
            • Instruction Fuzzy Hash: 30620930A14258DBEB24CFA4C850BDEB376EF58700F1095A9D10DEB2E4E7799E81CB59
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
            • String ID:
            • API String ID: 3877424927-0
            • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
            • Instruction ID: 271438a12f9b9c01752c47f1cd1c273cc2def011f28edfee3caa3dab38a0f836
            • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
            • Instruction Fuzzy Hash: E151A2B2A00305ABDF24DFA9C98466FB7B1AF46320F24872DF826972D0D7759F508B40
            APIs
              • Part of subcall function 00A84517: _fseek.LIBCMT ref: 00A8452F
              • Part of subcall function 00ACC56D: _wcscmp.LIBCMT ref: 00ACC65D
              • Part of subcall function 00ACC56D: _wcscmp.LIBCMT ref: 00ACC670
            • _free.LIBCMT ref: 00ACC4DD
            • _free.LIBCMT ref: 00ACC4E4
            • _free.LIBCMT ref: 00ACC54F
              • Part of subcall function 00AA1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00AA7A85), ref: 00AA1CB1
              • Part of subcall function 00AA1C9D: GetLastError.KERNEL32(00000000,?,00AA7A85), ref: 00AA1CC3
            • _free.LIBCMT ref: 00ACC557
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
            • String ID:
            • API String ID: 1552873950-0
            • Opcode ID: b65899378bf3342bbca379e6add13c382c527f2a3cc8d4197ef29e3466f89dfc
            • Instruction ID: d1e01f939edbdb24e30b14f3764464a06b4f684b6a0194d72b4d83a1c1aed191
            • Opcode Fuzzy Hash: b65899378bf3342bbca379e6add13c382c527f2a3cc8d4197ef29e3466f89dfc
            • Instruction Fuzzy Hash: 4F514FB5904219AFDF149F64DD81BADBBB9EF48310F10409EF25DA3281DB715E808F59
            APIs
            • _memset.LIBCMT ref: 00AF3725
            • GetOpenFileNameW.COMDLG32 ref: 00AF376F
              • Part of subcall function 00A8660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A853B1,?,?,00A861FF,?,00000000,00000001,00000000), ref: 00A8662F
              • Part of subcall function 00A840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A840C6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen_memset
            • String ID: X
            • API String ID: 3777226403-3081909835
            • Opcode ID: bbcbdf0f99d581b9884b8001eae3e00bca067175fd9467b895e5fc3360a8b1fe
            • Instruction ID: 3c1d7982e1ce054dd0487891f3db27a4fe12213dd708e63fbdb0f63f13c93330
            • Opcode Fuzzy Hash: bbcbdf0f99d581b9884b8001eae3e00bca067175fd9467b895e5fc3360a8b1fe
            • Instruction Fuzzy Hash: 3521EB71A002889FDF01EFD4C8057EE7BF89F49304F10405AE504E7281DBB85A898F65
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 00ACC72F
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00ACC746
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 60cfd3dc94c933ce55e80782a829d68ff627e7aa901a03034df895d6c16dbb8a
            • Instruction ID: 203dad3711e3f549e7eff650b7da12fa261ad7c4d7ca1cf258ad752841fb1b88
            • Opcode Fuzzy Hash: 60cfd3dc94c933ce55e80782a829d68ff627e7aa901a03034df895d6c16dbb8a
            • Instruction Fuzzy Hash: CDD05E7150030EABDB10AB90DC0EF8AB7ACA710704F0002A07651A60F1DAB4E6998B54
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a5fb0a320a47376ce889c823b294106574336883df3ac22dfc57b86027865077
            • Instruction ID: 2b4f304837e2995e7d4d33f8b08972c04a99fe762c7094e84218ce0ae589d5e1
            • Opcode Fuzzy Hash: a5fb0a320a47376ce889c823b294106574336883df3ac22dfc57b86027865077
            • Instruction Fuzzy Hash: 38F158716043019FCB10DF24C995B6BB7E5BF88314F14892EF99A9B392DB70E945CB82
            APIs
            • _memset.LIBCMT ref: 00A85022
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A850CB
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: IconNotifyShell__memset
            • String ID:
            • API String ID: 928536360-0
            • Opcode ID: 73f5e98353ec2331ceefc024f388589f091c6a7884b0fbcddbb2b12374137761
            • Instruction ID: b7cc2d41a927d7995b8631ae981f9dc0ff2e4f1947e2b34478372fe615ad3690
            • Opcode Fuzzy Hash: 73f5e98353ec2331ceefc024f388589f091c6a7884b0fbcddbb2b12374137761
            • Instruction Fuzzy Hash: 32314FB19047019FD721EF78D84569BBBF4FF49304F00092EFA9A87251E771AA84CB92
            APIs
            • __FF_MSGBANNER.LIBCMT ref: 00AA3973
              • Part of subcall function 00AA81C2: __NMSG_WRITE.LIBCMT ref: 00AA81E9
              • Part of subcall function 00AA81C2: __NMSG_WRITE.LIBCMT ref: 00AA81F3
            • __NMSG_WRITE.LIBCMT ref: 00AA397A
              • Part of subcall function 00AA821F: GetModuleFileNameW.KERNEL32(00000000,00B40312,00000104,00000000,00000001,00000000), ref: 00AA82B1
              • Part of subcall function 00AA821F: ___crtMessageBoxW.LIBCMT ref: 00AA835F
              • Part of subcall function 00AA1145: ___crtCorExitProcess.LIBCMT ref: 00AA114B
              • Part of subcall function 00AA1145: ExitProcess.KERNEL32 ref: 00AA1154
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            • RtlAllocateHeap.NTDLL(013D0000,00000000,00000001,00000001,00000000,?,?,00A9F507,?,0000000E), ref: 00AA399F
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
            • String ID:
            • API String ID: 1372826849-0
            • Opcode ID: 4fef4cdd87d1c7a429e9a1934ca033424db6cf94a3558f4c37d6ee1e9b49443c
            • Instruction ID: 65d323abb76e9d11340cab1440c3bc36095d8160bb1850d2761e91ebd9bc1de0
            • Opcode Fuzzy Hash: 4fef4cdd87d1c7a429e9a1934ca033424db6cf94a3558f4c37d6ee1e9b49443c
            • Instruction Fuzzy Hash: 4401B577355301ABEA223B69ED62B7F73589F83760F21012AF5059B1D2DFB49D4086A0
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00ACC385,?,?,?,?,?,00000004), ref: 00ACC6F2
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00ACC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00ACC708
            • CloseHandle.KERNEL32(00000000,?,00ACC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00ACC70F
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 8cb4fd60d8f3e312cc7480940770ffbc4c4a862ec02eb84ebbe24fa780761058
            • Instruction ID: 758eff3de03fd6f503a67a9892a6376da741092aef38f00722a804ea9ab572c4
            • Opcode Fuzzy Hash: 8cb4fd60d8f3e312cc7480940770ffbc4c4a862ec02eb84ebbe24fa780761058
            • Instruction Fuzzy Hash: 28E08632140214B7D7211B94AC09FCA7F18EB15770F104210FB157A0E09BB165118798
            APIs
            • _free.LIBCMT ref: 00ACBB72
              • Part of subcall function 00AA1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00AA7A85), ref: 00AA1CB1
              • Part of subcall function 00AA1C9D: GetLastError.KERNEL32(00000000,?,00AA7A85), ref: 00AA1CC3
            • _free.LIBCMT ref: 00ACBB83
            • _free.LIBCMT ref: 00ACBB95
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 8aabdc7c5b8b24ec3e6cd746ab92beece9ca5442ccfa872a0ae046f14ec4a344
            • Instruction ID: 7f3a0ddff3690b50a3d4ef37d747f1b8a0f95a2215d040fb620bfe0d58c25b38
            • Opcode Fuzzy Hash: 8aabdc7c5b8b24ec3e6cd746ab92beece9ca5442ccfa872a0ae046f14ec4a344
            • Instruction Fuzzy Hash: 35E0C7A1610700A6CA20AB78AF4AFB323CC0F05321F04080EB429E3182EF22EC4088B8
            APIs
              • Part of subcall function 00A822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A824F1), ref: 00A82303
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A825A1
            • CoInitialize.OLE32(00000000), ref: 00A82618
            • CloseHandle.KERNEL32(00000000), ref: 00AF503A
            Similarity
            • API ID: Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 3815369404-0
            • Opcode ID: c148c47b0c2f62271e6b6743bbcd9fd8839e6760536ab4aeabe0bec55de4934c
            • Instruction ID: ae476e5f6a7dc34d9f96543d0b50c8602f04a7e797292997c5b0830047d14c72
            • Opcode Fuzzy Hash: c148c47b0c2f62271e6b6743bbcd9fd8839e6760536ab4aeabe0bec55de4934c
            • Instruction Fuzzy Hash: DE71CCB9D413859BC704EF6EE990595BBE4BBAA3407904A6ED109D73B1DFB046C0CF18
            APIs
            Strings
            Similarity
            • API ID: __fread_nolock
            • String ID: EA06
            • API String ID: 2638373210-3962188686
            • Opcode ID: a5773c2462405691d2c127992f20bf82240a73d64f69f0491e28dfbf8fab1c39
            • Instruction ID: f9d75d6b4dcc9bb12a5bf74777dc457720d6043da5ac564b51bd7bc8b41cc308
            • Opcode Fuzzy Hash: a5773c2462405691d2c127992f20bf82240a73d64f69f0491e28dfbf8fab1c39
            • Instruction Fuzzy Hash: 4301B572904258BEDF28C7A8CC56FEEBBF89B15301F00459EF593D6181E5B8A7088B60
            APIs
            • IsThemeActive.UXTHEME ref: 00A83A73
              • Part of subcall function 00AA1405: __lock.LIBCMT ref: 00AA140B
              • Part of subcall function 00A83ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A83AF3
              • Part of subcall function 00A83ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A83B08
              • Part of subcall function 00A83D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00A83AA3,?), ref: 00A83D45
              • Part of subcall function 00A83D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00A83AA3,?), ref: 00A83D57
              • Part of subcall function 00A83D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00B41148,00B41130,?,?,?,?,00A83AA3,?), ref: 00A83DC8
              • Part of subcall function 00A83D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00A83AA3,?), ref: 00A83E48
            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A83AB3
            Similarity
            • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
            • String ID:
            • API String ID: 924797094-0
            • Opcode ID: 36e1b7ee5987088cfb11a5ee483947fd1acc8c727f1dbd32ff63902b16b641d9
            • Instruction ID: a9dfa4bfc47aaa760392a0d0caebc86c2da5c63335e4604a36a0bd8f1ad3b04f
            • Opcode Fuzzy Hash: 36e1b7ee5987088cfb11a5ee483947fd1acc8c727f1dbd32ff63902b16b641d9
            • Instruction Fuzzy Hash: 29119D75904341AFC700EF69E945A1AFBE9FF95750F00891EF584872A1DF709A84CB92
            APIs
            • ___lock_fhandle.LIBCMT ref: 00AAEA29
            • __close_nolock.LIBCMT ref: 00AAEA42
              • Part of subcall function 00AA7BDA: __getptd_noexit.LIBCMT ref: 00AA7BDA
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            Similarity
            • API ID: __getptd_noexit$___lock_fhandle__close_nolock
            • String ID:
            • API String ID: 1046115767-0
            • Opcode ID: f7aadb76d6397e3eec06d730f101c0af1b6d1ffff30ca1cdc7afdae6acef782a
            • Instruction ID: 0b40511dd96789a0769caef9befb4bdd351d937b67e3c447816b82658d501415
            • Opcode Fuzzy Hash: f7aadb76d6397e3eec06d730f101c0af1b6d1ffff30ca1cdc7afdae6acef782a
            • Instruction Fuzzy Hash: 7E11A1729096109AD712FF68DE4236E7AA17F83372F2A4340E4355F1E3CBB48D418AA1
            APIs
              • Part of subcall function 00AA395C: __FF_MSGBANNER.LIBCMT ref: 00AA3973
              • Part of subcall function 00AA395C: __NMSG_WRITE.LIBCMT ref: 00AA397A
              • Part of subcall function 00AA395C: RtlAllocateHeap.NTDLL(013D0000,00000000,00000001,00000001,00000000,?,?,00A9F507,?,0000000E), ref: 00AA399F
            • std::exception::exception.LIBCMT ref: 00A9F51E
            • __CxxThrowException@8.LIBCMT ref: 00A9F533
              • Part of subcall function 00AA6805: RaiseException.KERNEL32(?,?,0000000E,00B36A30,?,?,?,00A9F538,0000000E,00B36A30,?,00000001), ref: 00AA6856
            Similarity
            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
            • String ID:
            • API String ID: 3902256705-0
            • Opcode ID: 6e7d3bcb204306f231205ce3069218bd5383f873fc1e7cfb2af833c70e8dc7e0
            • Instruction ID: 9ad9dd94b27fe6969fdc2a45f5d2a9a2b5bc7ad294ec637999bd663d57a99950
            • Opcode Fuzzy Hash: 6e7d3bcb204306f231205ce3069218bd5383f873fc1e7cfb2af833c70e8dc7e0
            • Instruction Fuzzy Hash: 79F0AF7220421EABDB04BF9CDA019DE7BECAF05354F6484A9FA08E21C1DBB1964097A5
            APIs
            Similarity
            • API ID: __lock_file_memset
            • String ID:
            • API String ID: 26237723-0
            • Opcode ID: fcb8f3bf13599a1c3e389ec2f056816f3f3d0104ae85e34947f7baecb4b8d868
            • Instruction ID: dcacdce801dea4416a74a5e6198943c7dcd996c89fa80c8d5325bb75d422456f
            • Opcode Fuzzy Hash: fcb8f3bf13599a1c3e389ec2f056816f3f3d0104ae85e34947f7baecb4b8d868
            • Instruction Fuzzy Hash: 48018472800209FBCF22AFA48E028AF7B71AF86360F158119F824571E1D7798B61DF91
            APIs
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            • __lock_file.LIBCMT ref: 00AA3629
              • Part of subcall function 00AA4E1C: __lock.LIBCMT ref: 00AA4E3F
            • __fclose_nolock.LIBCMT ref: 00AA3634
            Similarity
            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
            • String ID:
            • API String ID: 2800547568-0
            • Opcode ID: ecde3cb86bd030c55dfdc7df051e8b7f9b5a36db5934f19b387771796cf88372
            • Instruction ID: c748845c227b5ebd124cc9365da5ea84331d0feb7842d0914af15b970f28126e
            • Opcode Fuzzy Hash: ecde3cb86bd030c55dfdc7df051e8b7f9b5a36db5934f19b387771796cf88372
            • Instruction Fuzzy Hash: A6F0B433941204AADF21BF65890276FBAF06F53330F29C108F420AB2D1CB7C8A419F55
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,00000000,?,?,00A9E581,00000010,?,00000010,?,00000000), ref: 00A8C1F4
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,00000000,?,?,00A9E581,00000010,?,00000010,?,00000000), ref: 00A8C224
            Similarity
            • API ID: ByteCharMultiWide
            • String ID:
            • API String ID: 626452242-0
            • Opcode ID: 64eda32d5c4268b5073f356e31c3e67f97c1ce12936d49ccf9b72850e4333f61
            • Instruction ID: f7d4ba5823ae600c499822c80471c8761413d635a53e5ec3a3431dbb64e31504
            • Opcode Fuzzy Hash: 64eda32d5c4268b5073f356e31c3e67f97c1ce12936d49ccf9b72850e4333f61
            • Instruction Fuzzy Hash: 7C016271200214BFEB147B65DC4AFBB7B6CEF95760F108129FA05DE1D0DA71A8408770
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03971A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03971AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03971B13
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
            • Instruction ID: e23f2f0e03bba51d01ec4d9f5116db59dbc3a5728029a9af2fe77fcc8d74d609
            • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
            • Instruction Fuzzy Hash: 5212CD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
            APIs
            • __flush.LIBCMT ref: 00AA2A0B
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            Similarity
            • API ID: __flush__getptd_noexit
            • String ID:
            • API String ID: 4101623367-0
            • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
            • Instruction ID: 39666eceae84b9c8f98fad880b39990fbfa21bb3b2c79cb8725062554f70534a
            • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
            • Instruction Fuzzy Hash: 284172717007069FDB288F6DC9816AF77B6AF467A0F24852DE855C72C0EB71DD618B40
            APIs
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 32df4440bf275784f172944765dd953bf5283475382a5b10407547d9727d044b
            • Instruction ID: d47003657d9239fafcb1dceda692e1c4994771c9fb3e0586b61cdc52d921de0c
            • Opcode Fuzzy Hash: 32df4440bf275784f172944765dd953bf5283475382a5b10407547d9727d044b
            • Instruction Fuzzy Hash: 63413B746046518FDB24DF18C484F2ABBF0BF45348F1989ACE99A4B362C772E885CF52
            Similarity
            • API ID: __getptd_noexit
            • String ID:
            • API String ID: 3074181302-0
            • Opcode ID: 288d6d2e02ca361addf09c82f2b80b7539a51095da13378e66c962a974cd1ebe
            • Instruction ID: fea74502f445be5cf566d08351a4e10661117e692a8b883cf0e9c11bb206883a
            • Opcode Fuzzy Hash: 288d6d2e02ca361addf09c82f2b80b7539a51095da13378e66c962a974cd1ebe
            • Instruction Fuzzy Hash: D8218E728446509BD762FFA8DD4536E3AA16F43736F260640E4314F1E2DBB48D008BA1
            APIs
            Similarity
            • API ID: _wcscmp
            • String ID:
            • API String ID: 856254489-0
            • Opcode ID: 6af88e4e534438e4f81254197745cec984f597e711d7a5963fb2acfcb44585b5
            • Instruction ID: 630382781f3bf690208b852b0f9afbf7469346a779c1bba4cf911d7c9b258386
            • Opcode Fuzzy Hash: 6af88e4e534438e4f81254197745cec984f597e711d7a5963fb2acfcb44585b5
            • Instruction Fuzzy Hash: B8119375A0010DABCF14FFA4DD82CEE7BB9EF55364F104026F925A71A0DB309984CB91
            APIs
              • Part of subcall function 00A84214: FreeLibrary.KERNEL32(00000000,?), ref: 00A84247
            • LoadLibraryExW.KERNELBASE(00000001,00000000,00000002,?,?,?,?,00A839FE,?,00000001), ref: 00A841DB
              • Part of subcall function 00A84291: FreeLibrary.KERNEL32(00000000), ref: 00A842C4
            Similarity
            • API ID: Library$Free$Load
            • String ID:
            • API String ID: 2391024519-0
            • Opcode ID: 6687eec7d536ba4ac8ec1c1e177616f09805e53160ef584704d74362c4c965c9
            • Instruction ID: 2498de6ec547d89cbc91a44c1410bbf022b4151e8c3760c1e06afe3d6205bd0e
            • Opcode Fuzzy Hash: 6687eec7d536ba4ac8ec1c1e177616f09805e53160ef584704d74362c4c965c9
            • Instruction Fuzzy Hash: BD11A331604207ABDF10FB74DE06FAE77A99F48700F108429F596AA1C1FF75DA049B60
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 8f00761043a2cc2ab35cbf99047d7953332c1bec2488bef9bede28efe024f0d8
            • Instruction ID: 0ef4e338b3526979675479dfa7a5767fbe20a27f09a89c2e6275d7a807d6e872
            • Opcode Fuzzy Hash: 8f00761043a2cc2ab35cbf99047d7953332c1bec2488bef9bede28efe024f0d8
            • Instruction Fuzzy Hash: 24210774608601CFDB24DF68C584E1ABBF1BF85344F258968FA9A87261C732E845DF92
            APIs
            • ___lock_fhandle.LIBCMT ref: 00AAAFC0
              • Part of subcall function 00AA7BDA: __getptd_noexit.LIBCMT ref: 00AA7BDA
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __getptd_noexit$___lock_fhandle
            • String ID:
            • API String ID: 1144279405-0
            • Opcode ID: e13c31860539a1a590b28cf6150ef2d6e348be7c93a59839427dc5a826b46b6e
            • Instruction ID: 6ae2cc690baae665166aa75e33859c72c55d863896cb9406694a4845202d1326
            • Opcode Fuzzy Hash: e13c31860539a1a590b28cf6150ef2d6e348be7c93a59839427dc5a826b46b6e
            • Instruction Fuzzy Hash: 011191728156509FD712BFA8DE4276E7AA0AF53331F2A4240E5351F1E3CBB48D019BB1
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: 650b71de3c9a30fbac77a3276d03968b028a674fcee853f14ed520da4f0fcb35
            • Instruction ID: 76cb2d333e9a0f365f0ce6717094a618fe6e3dbde8a2f5c0fd1b8bc950d2b2ed
            • Opcode Fuzzy Hash: 650b71de3c9a30fbac77a3276d03968b028a674fcee853f14ed520da4f0fcb35
            • Instruction Fuzzy Hash: 0501863150010EEECF04FFA4C9918FEBB74EF14344F008129B55597195EA319A49CB60
            APIs
            • __lock_file.LIBCMT ref: 00AA2AED
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __getptd_noexit__lock_file
            • String ID:
            • API String ID: 2597487223-0
            • Opcode ID: 9ad4e51836a013334776ca7ceeb7985fff4b4850450ae5a7c680cfe27c0e5ce7
            • Instruction ID: 6744b7b546f03ea8491757cd4f05022907134fe93bd6bd807678660f515535d0
            • Opcode Fuzzy Hash: 9ad4e51836a013334776ca7ceeb7985fff4b4850450ae5a7c680cfe27c0e5ce7
            • Instruction Fuzzy Hash: 5EF06231540215ABEF31AF688E067DF36A5BF42360F198415F8149B1D1D7788A62DB51
            APIs
            • FreeLibrary.KERNEL32(?,?,?,?,?,00A839FE,?,00000001), ref: 00A84286
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 6964596e0a2ec6466de4aa00492a530e12aaa67ee8cd1ac6a2b08bd05505423b
            • Instruction ID: 4a3479e4b34157a22e9d22efaf8e25fa9b24d1fd5b3a6dda9a46c92fe8131633
            • Opcode Fuzzy Hash: 6964596e0a2ec6466de4aa00492a530e12aaa67ee8cd1ac6a2b08bd05505423b
            • Instruction Fuzzy Hash: 34F015B1509702CFCB34AF64D890896BBF4AF183253248A2EF1D682610D7329840DB50
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A840C6
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: LongNamePath
            • String ID:
            • API String ID: 82841172-0
            • Opcode ID: e8b761e1344552c0968c61be1a27de2f19c0afafbfc7883c61d6634b88f72746
            • Instruction ID: 8abd7c7bf82df0851c7b6d187d659ffea3c92fe7f04a8b9453a7f980b233ef6d
            • Opcode Fuzzy Hash: e8b761e1344552c0968c61be1a27de2f19c0afafbfc7883c61d6634b88f72746
            • Instruction Fuzzy Hash: 71E0C2366002245FC711A698CC46FEA77ADDF8C6A0F0A00B5F909E7284DE64ED818690
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
            • Instruction ID: ae3712368be8c7e977c77f7efe194c45e2ee4ffa1f12c1bcc9e07b70130607e5
            • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
            • Instruction Fuzzy Hash: 16E092B1114B009BDB358B24D801BE373E0EB0A305F00085DF29B83241EB637C418659
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 00AFB32A
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: PathTemp
            • String ID:
            • API String ID: 2920410445-0
            • Opcode ID: 3770704cb36509223c037fe854832dfe9a66a8e12385827a786d848ed0cde3c6
            • Instruction ID: 1e87816714f2c07a503376ace0dde2711a8ecd9deaa8042221c44c857b3f3aaa
            • Opcode Fuzzy Hash: 3770704cb36509223c037fe854832dfe9a66a8e12385827a786d848ed0cde3c6
            • Instruction Fuzzy Hash: 4AC09BF150169EDFDB52B7D0CD559F9737CAB10B01F0400E1764AA11A0DE705BC28F11
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: a90092eaf0842a2876cf7820c14def3782ae809145d27dbcfb4717e18bf9c185
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: 9931A374B00105DBDB18DF58C494A69FBF6FF49350B6486A5E40ACB266DB31EDC1CB90
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 039722B1
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: 850d60e1b4ecabf8f364d5213eaaa0dbc5decd808ba43456b109d35bffb28a8d
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 88E0E67494010EDFDB00EFB8D54969E7FB4EF04301F1005A1FD01D2280D6309D508A72
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00AEF87D
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AEF8DC
            • GetWindowLongW.USER32(?,000000F0), ref: 00AEF919
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AEF940
            • SendMessageW.USER32 ref: 00AEF966
            • _wcsncpy.LIBCMT ref: 00AEF9D2
            • GetKeyState.USER32(00000011), ref: 00AEF9F3
            • GetKeyState.USER32(00000009), ref: 00AEFA00
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00AEFA16
            • GetKeyState.USER32(00000010), ref: 00AEFA20
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00AEFA4F
            • SendMessageW.USER32 ref: 00AEFA72
            • SendMessageW.USER32(?,00001030,?,00AEE059), ref: 00AEFB6F
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00AEFB85
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00AEFB96
            • SetCapture.USER32(?), ref: 00AEFB9F
            • ClientToScreen.USER32(?,?), ref: 00AEFC03
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00AEFC0F
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00AEFC29
            • ReleaseCapture.USER32 ref: 00AEFC34
            • GetCursorPos.USER32(?), ref: 00AEFC69
            • ScreenToClient.USER32(?,?), ref: 00AEFC76
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AEFCD8
            • SendMessageW.USER32 ref: 00AEFD02
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AEFD41
            • SendMessageW.USER32 ref: 00AEFD6C
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00AEFD84
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00AEFD8F
            • GetCursorPos.USER32(?), ref: 00AEFDB0
            • ScreenToClient.USER32(?,?), ref: 00AEFDBD
            • GetParent.USER32(?), ref: 00AEFDD9
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00AEFE3F
            • SendMessageW.USER32 ref: 00AEFE6F
            • ClientToScreen.USER32(?,?), ref: 00AEFEC5
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00AEFEF1
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00AEFF19
            • SendMessageW.USER32 ref: 00AEFF3C
            • ClientToScreen.USER32(?,?), ref: 00AEFF86
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00AEFFB6
            • GetWindowLongW.USER32(?,000000F0), ref: 00AF004B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
            • String ID: @GUI_DRAGID$F
            • API String ID: 2516578528-4164748364
            • Opcode ID: b1a5a586efe620e090e253a1ad9de71c4c90b295a253f4f1bfdd29314c52c248
            • Instruction ID: acabc9f0d754e551eb9aecd1183c58d353cc5f1fd74e0de0d03d190df8d5e3fd
            • Opcode Fuzzy Hash: b1a5a586efe620e090e253a1ad9de71c4c90b295a253f4f1bfdd29314c52c248
            • Instruction Fuzzy Hash: CA32AB74604285EFDB20CF69C884BAABBA8FF49354F144A29F695C72E1CB31ED41CB51
            APIs
            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00AEB1CD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: %d/%02d/%02d
            • API String ID: 3850602802-328681919
            • Opcode ID: df049c91ee45607c2eb334f68de49ae67b592a7cb7881e5cfccdc6099a714a24
            • Instruction ID: 8bd55202ecc909111448bfa7dd9d4fb9a71fb3086b47a3932827e965a3fc6e8b
            • Opcode Fuzzy Hash: df049c91ee45607c2eb334f68de49ae67b592a7cb7881e5cfccdc6099a714a24
            • Instruction Fuzzy Hash: 2912D071600248ABEB259F66CC49FAF7BB8FF95320F108219F919DB2D1DB709941CB21
            APIs
            • GetForegroundWindow.USER32(00000000,00000000), ref: 00A9EB4A
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AF3AEA
            • IsIconic.USER32(000000FF), ref: 00AF3AF3
            • ShowWindow.USER32(000000FF,00000009), ref: 00AF3B00
            • SetForegroundWindow.USER32(000000FF), ref: 00AF3B0A
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AF3B20
            • GetCurrentThreadId.KERNEL32 ref: 00AF3B27
            • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00AF3B33
            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00AF3B44
            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00AF3B4C
            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00AF3B54
            • SetForegroundWindow.USER32(000000FF), ref: 00AF3B57
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AF3B6C
            • keybd_event.USER32(00000012,00000000), ref: 00AF3B77
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AF3B81
            • keybd_event.USER32(00000012,00000000), ref: 00AF3B86
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AF3B8F
            • keybd_event.USER32(00000012,00000000), ref: 00AF3B94
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AF3B9E
            • keybd_event.USER32(00000012,00000000), ref: 00AF3BA3
            • SetForegroundWindow.USER32(000000FF), ref: 00AF3BA6
            • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00AF3BCD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: 2f39abd2abde62813546f40f967feb30c91ce4a989e8913c14aacc2f31e5cd6f
            • Instruction ID: b311230b570cee8915f2867bbb9ac9ff653b24d8c064fe0d9d1bdb892fbfb459
            • Opcode Fuzzy Hash: 2f39abd2abde62813546f40f967feb30c91ce4a989e8913c14aacc2f31e5cd6f
            • Instruction Fuzzy Hash: DC313E72A40218BBEF216BE59C49F7E7E6CEB54B90F104015FA05AB1D1DAB19D00AAA0
            APIs
              • Part of subcall function 00ABB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ABB180
              • Part of subcall function 00ABB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ABB1AD
              • Part of subcall function 00ABB134: GetLastError.KERNEL32 ref: 00ABB1BA
            • _memset.LIBCMT ref: 00ABAD08
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00ABAD5A
            • CloseHandle.KERNEL32(?), ref: 00ABAD6B
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00ABAD82
            • GetProcessWindowStation.USER32 ref: 00ABAD9B
            • SetProcessWindowStation.USER32(00000000), ref: 00ABADA5
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00ABADBF
              • Part of subcall function 00ABAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ABACC0), ref: 00ABAB99
              • Part of subcall function 00ABAB84: CloseHandle.KERNEL32(?,?,00ABACC0), ref: 00ABABAB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
            • String ID: $default$winsta0
            • API String ID: 2063423040-1027155976
            • Opcode ID: d26a6d326b79fb18f6b6c374e1cbc5841859db4e391c90f42b1538f6a7440008
            • Instruction ID: 5800a4887bf77b067f58a3087b3f87c8805163edd702ae7590b334d0f6075771
            • Opcode Fuzzy Hash: d26a6d326b79fb18f6b6c374e1cbc5841859db4e391c90f42b1538f6a7440008
            • Instruction Fuzzy Hash: 9B818DB1900209AFEF119FA4DD45AEEBBBCFF24304F044119F914A71A2DB728E54DB61
            APIs
              • Part of subcall function 00AC6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AC5FA6,?), ref: 00AC6ED8
              • Part of subcall function 00AC6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AC5FA6,?), ref: 00AC6EF1
              • Part of subcall function 00AC725E: __wsplitpath.LIBCMT ref: 00AC727B
              • Part of subcall function 00AC725E: __wsplitpath.LIBCMT ref: 00AC728E
              • Part of subcall function 00AC72CB: GetFileAttributesW.KERNEL32(?,00AC6019), ref: 00AC72CC
            • _wcscat.LIBCMT ref: 00AC6149
            • _wcscat.LIBCMT ref: 00AC6167
            • __wsplitpath.LIBCMT ref: 00AC618E
            • FindFirstFileW.KERNEL32(?,?), ref: 00AC61A4
            • _wcscpy.LIBCMT ref: 00AC6209
            • _wcscat.LIBCMT ref: 00AC621C
            • _wcscat.LIBCMT ref: 00AC622F
            • lstrcmpiW.KERNEL32(?,?), ref: 00AC625D
            • DeleteFileW.KERNEL32(?), ref: 00AC626E
            • MoveFileW.KERNEL32(?,?), ref: 00AC6289
            • MoveFileW.KERNEL32(?,?), ref: 00AC6298
            • CopyFileW.KERNEL32(?,?,00000000), ref: 00AC62AD
            • DeleteFileW.KERNEL32(?), ref: 00AC62BE
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AC62E1
            • FindClose.KERNEL32(00000000), ref: 00AC62FD
            • FindClose.KERNEL32(00000000), ref: 00AC630B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
            • String ID: \*.*
            • API String ID: 1917200108-1173974218
            • Opcode ID: f80cf683a05757ca221e1907f4fda0a715a8118bd3d93d860e93f4dcf37670d6
            • Instruction ID: d85e9fb78c3192714cfff7af9d7a6837a273449b037f6600147c4201292df450
            • Opcode Fuzzy Hash: f80cf683a05757ca221e1907f4fda0a715a8118bd3d93d860e93f4dcf37670d6
            • Instruction Fuzzy Hash: 02510F72D0821C6ACB21EBA1CD44EEF77BCAF15310F0A05EAE545E3141DE3697898FA4
            APIs
            • OpenClipboard.USER32(00B1DC00), ref: 00AD6B36
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00AD6B44
            • GetClipboardData.USER32(0000000D), ref: 00AD6B4C
            • CloseClipboard.USER32 ref: 00AD6B58
            • GlobalLock.KERNEL32(00000000), ref: 00AD6B74
            • CloseClipboard.USER32 ref: 00AD6B7E
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00AD6B93
            • IsClipboardFormatAvailable.USER32(00000001), ref: 00AD6BA0
            • GetClipboardData.USER32(00000001), ref: 00AD6BA8
            • GlobalLock.KERNEL32(00000000), ref: 00AD6BB5
            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00AD6BE9
            • CloseClipboard.USER32 ref: 00AD6CF6
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
            • String ID:
            • API String ID: 3222323430-0
            • Opcode ID: 087b05c2e8c88cb089ec7f7e0538edf2f8a6611588f8ea453decf3ebfd162653
            • Instruction ID: 872bada6d1cc5913eb11ba8ff62ad2a2f416b6ccc6c8b9e42b7718d415fbf46e
            • Opcode Fuzzy Hash: 087b05c2e8c88cb089ec7f7e0538edf2f8a6611588f8ea453decf3ebfd162653
            • Instruction Fuzzy Hash: 33517D71240201ABD310FFA4DE9AF6E77A8EF98B11F00452AF596D72E1DF70D9058B62
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00ACF62B
            • FindClose.KERNEL32(00000000), ref: 00ACF67F
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ACF6A4
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ACF6BB
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00ACF6E2
            • __swprintf.LIBCMT ref: 00ACF72E
            • __swprintf.LIBCMT ref: 00ACF767
            • __swprintf.LIBCMT ref: 00ACF7BB
              • Part of subcall function 00AA172B: __woutput_l.LIBCMT ref: 00AA1784
            • __swprintf.LIBCMT ref: 00ACF809
            • __swprintf.LIBCMT ref: 00ACF858
            • __swprintf.LIBCMT ref: 00ACF8A7
            • __swprintf.LIBCMT ref: 00ACF8F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
            • API String ID: 835046349-2428617273
            • Opcode ID: 1a26177449b6d3a8b92db24ff14b7c542ba4eb6677f7ecd31cbbb4aa65f21b03
            • Instruction ID: 95e0f61f0c03e9798f8a92156337588bff05d46d1937548ce8bc4deaa0044791
            • Opcode Fuzzy Hash: 1a26177449b6d3a8b92db24ff14b7c542ba4eb6677f7ecd31cbbb4aa65f21b03
            • Instruction Fuzzy Hash: D9A1FEB2508344ABC710EBA4C985EAFB7ECBF98704F44092EF595C3191EB34D949CB62
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00AD1B50
            • _wcscmp.LIBCMT ref: 00AD1B65
            • _wcscmp.LIBCMT ref: 00AD1B7C
            • GetFileAttributesW.KERNEL32(?), ref: 00AD1B8E
            • SetFileAttributesW.KERNEL32(?,?), ref: 00AD1BA8
            • FindNextFileW.KERNEL32(00000000,?), ref: 00AD1BC0
            • FindClose.KERNEL32(00000000), ref: 00AD1BCB
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00AD1BE7
            • _wcscmp.LIBCMT ref: 00AD1C0E
            • _wcscmp.LIBCMT ref: 00AD1C25
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD1C37
            • SetCurrentDirectoryW.KERNEL32(00B339FC), ref: 00AD1C55
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD1C5F
            • FindClose.KERNEL32(00000000), ref: 00AD1C6C
            • FindClose.KERNEL32(00000000), ref: 00AD1C7C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1803514871-438819550
            • Opcode ID: 98fc3a2df17ba76a034d035299a4a43cbc647bea368f33134f565baa35abdd54
            • Instruction ID: a8b9b26e00493ceeda6f16d4ba8cfed43535f3c631acf4788300da5f294aed36
            • Opcode Fuzzy Hash: 98fc3a2df17ba76a034d035299a4a43cbc647bea368f33134f565baa35abdd54
            • Instruction Fuzzy Hash: 86319232A4021ABADB10ABE0DC49ADE77EC9F05325F144197E912E31E0EB70DE858A64
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00AD1CAB
            • _wcscmp.LIBCMT ref: 00AD1CC0
            • _wcscmp.LIBCMT ref: 00AD1CD7
              • Part of subcall function 00AC6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AC6BEF
            • FindNextFileW.KERNEL32(00000000,?), ref: 00AD1D06
            • FindClose.KERNEL32(00000000), ref: 00AD1D11
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00AD1D2D
            • _wcscmp.LIBCMT ref: 00AD1D54
            • _wcscmp.LIBCMT ref: 00AD1D6B
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD1D7D
            • SetCurrentDirectoryW.KERNEL32(00B339FC), ref: 00AD1D9B
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AD1DA5
            • FindClose.KERNEL32(00000000), ref: 00AD1DB2
            • FindClose.KERNEL32(00000000), ref: 00AD1DC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 1824444939-438819550
            • Opcode ID: f649331a5c1f2ab5575706b95eec4bb553472b2f966f19dbee089aef971035e8
            • Instruction ID: 1c15b9466b022f43403f88ecc6e8efb1750c51fe5572b24c50738871ace66ebf
            • Opcode Fuzzy Hash: f649331a5c1f2ab5575706b95eec4bb553472b2f966f19dbee089aef971035e8
            • Instruction Fuzzy Hash: 2B31E63250061ABADF10EFE0DD49ADE77BD9F45324F140592F842A32E1EF70DE858A64
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00AD09DF
            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00AD09EF
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AD09FB
            • __wsplitpath.LIBCMT ref: 00AD0A59
            • _wcscat.LIBCMT ref: 00AD0A71
            • _wcscat.LIBCMT ref: 00AD0A83
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AD0A98
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD0AAC
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD0ADE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD0AFF
            • _wcscpy.LIBCMT ref: 00AD0B0B
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AD0B4A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
            • String ID: *.*
            • API String ID: 3566783562-438819550
            • Opcode ID: a3af5ed09fded9e0711cb08c85015549783b9349c1b211ae1ff4f69b5dbfb28c
            • Instruction ID: cdec3e472afbad50bf1482f05f020e318bcb58cab92ff4b35d32f9001b43f09d
            • Opcode Fuzzy Hash: a3af5ed09fded9e0711cb08c85015549783b9349c1b211ae1ff4f69b5dbfb28c
            • Instruction Fuzzy Hash: 9F6137725083059FD710EF60C945EAEB3E8FF89314F04891EF99A97251EB31EA45CB92
            APIs
              • Part of subcall function 00ABABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00ABABD7
              • Part of subcall function 00ABABBB: GetLastError.KERNEL32(?,00ABA69F,?,?,?), ref: 00ABABE1
              • Part of subcall function 00ABABBB: GetProcessHeap.KERNEL32(00000008,?,?,00ABA69F,?,?,?), ref: 00ABABF0
              • Part of subcall function 00ABABBB: HeapAlloc.KERNEL32(00000000,?,00ABA69F,?,?,?), ref: 00ABABF7
              • Part of subcall function 00ABABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00ABAC0E
              • Part of subcall function 00ABAC56: GetProcessHeap.KERNEL32(00000008,00ABA6B5,00000000,00000000,?,00ABA6B5,?), ref: 00ABAC62
              • Part of subcall function 00ABAC56: HeapAlloc.KERNEL32(00000000,?,00ABA6B5,?), ref: 00ABAC69
              • Part of subcall function 00ABAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ABA6B5,?), ref: 00ABAC7A
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ABA6D0
            • _memset.LIBCMT ref: 00ABA6E5
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ABA704
            • GetLengthSid.ADVAPI32(?), ref: 00ABA715
            • GetAce.ADVAPI32(?,00000000,?), ref: 00ABA752
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ABA76E
            • GetLengthSid.ADVAPI32(?), ref: 00ABA78B
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ABA79A
            • HeapAlloc.KERNEL32(00000000), ref: 00ABA7A1
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ABA7C2
            • CopySid.ADVAPI32(00000000), ref: 00ABA7C9
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ABA7FA
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ABA820
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ABA834
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 7daa70ab69f09ac0d4ab71143e8a84eadc5b35ea4d9d14ae399e24071279dd16
            • Instruction ID: 942b2dbd8931fc00cc6ca7e576fcc2c4a5a8da999ec77dcba1df559e5edfbc6f
            • Opcode Fuzzy Hash: 7daa70ab69f09ac0d4ab71143e8a84eadc5b35ea4d9d14ae399e24071279dd16
            • Instruction Fuzzy Hash: 94512971900209AFDF14DFA5DC45AEEBBB9FF14300F048169F915AB292EB359A06CB61
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
            • API String ID: 0-4052911093
            • Opcode ID: 6fb948b8f84d3da08f38d285418b197b3d9c31a5421b63e09965e8d0d95810b1
            • Instruction ID: fd83d11b9c2b61a546baa09a611bf8c1c9ac9e2acb4cd2f25befe614b56ab386
            • Opcode Fuzzy Hash: 6fb948b8f84d3da08f38d285418b197b3d9c31a5421b63e09965e8d0d95810b1
            • Instruction Fuzzy Hash: 9D726071E042199BDB24DF58C8847AEBBF5FF48710F2441AAE815EB280EB74DE45DB90
            APIs
              • Part of subcall function 00AC6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AC5FA6,?), ref: 00AC6ED8
              • Part of subcall function 00AC72CB: GetFileAttributesW.KERNEL32(?,00AC6019), ref: 00AC72CC
            • _wcscat.LIBCMT ref: 00AC6441
            • __wsplitpath.LIBCMT ref: 00AC645F
            • FindFirstFileW.KERNEL32(?,?), ref: 00AC6474
            • _wcscpy.LIBCMT ref: 00AC64A3
            • _wcscat.LIBCMT ref: 00AC64B8
            • _wcscat.LIBCMT ref: 00AC64CA
            • DeleteFileW.KERNEL32(?), ref: 00AC64DA
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AC64EB
            • FindClose.KERNEL32(00000000), ref: 00AC6506
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
            • String ID: \*.*
            • API String ID: 2643075503-1173974218
            • Opcode ID: 76d717062fec9da53e45e2290e9c9aeac3e954e38a5d4c58691d3a42df580d72
            • Instruction ID: 9b8c4909d63b4e854adbb1ce4a29140429ce270a851ea3d78acd06f29795782c
            • Opcode Fuzzy Hash: 76d717062fec9da53e45e2290e9c9aeac3e954e38a5d4c58691d3a42df580d72
            • Instruction Fuzzy Hash: CA3184B2408388AEC721DBE48985EDBB7DCAF56310F44491EF5D9C3181EB35D50987A7
            APIs
              • Part of subcall function 00AE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE2BB5,?,?), ref: 00AE3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE328E
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00AE332D
            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00AE33C5
            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00AE3604
            • RegCloseKey.ADVAPI32(00000000), ref: 00AE3611
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
            • String ID:
            • API String ID: 1240663315-0
            • Opcode ID: 2445b33ed0f67b7503175881888de65dac074a6744f91620c5289c6df6792ecf
            • Instruction ID: 2866380bcfeae41dc885939f1f78c6024f8d644ff3367fa7f87cad3f39a68d7b
            • Opcode Fuzzy Hash: 2445b33ed0f67b7503175881888de65dac074a6744f91620c5289c6df6792ecf
            • Instruction Fuzzy Hash: BAE14C31604210AFCB15EF29C995E6ABBF8EF88714F04896DF54ADB2A1DB30ED05CB51
            APIs
            • GetKeyboardState.USER32(?), ref: 00AC2B5F
            • GetAsyncKeyState.USER32(000000A0), ref: 00AC2BE0
            • GetKeyState.USER32(000000A0), ref: 00AC2BFB
            • GetAsyncKeyState.USER32(000000A1), ref: 00AC2C15
            • GetKeyState.USER32(000000A1), ref: 00AC2C2A
            • GetAsyncKeyState.USER32(00000011), ref: 00AC2C42
            • GetKeyState.USER32(00000011), ref: 00AC2C54
            • GetAsyncKeyState.USER32(00000012), ref: 00AC2C6C
            • GetKeyState.USER32(00000012), ref: 00AC2C7E
            • GetAsyncKeyState.USER32(0000005B), ref: 00AC2C96
            • GetKeyState.USER32(0000005B), ref: 00AC2CA8
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: 57ea4624f6ab5eab70e931db22354166b624dc456c1544e3d5ff84198776f876
            • Instruction ID: 25eb77d7476a07416d9642f549bffc4ae968068d8e38bb2eb938c9231a39388e
            • Opcode Fuzzy Hash: 57ea4624f6ab5eab70e931db22354166b624dc456c1544e3d5ff84198776f876
            • Instruction Fuzzy Hash: F941C6345087C96DFF359BA48804BBABFA06F21344F05805DD9C6572C2EFA49DC8C7A2
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: 85493a66afa9c2610d38807eec453e6ee2f2ef141c515b5d1efea09e9e11c0c7
            • Instruction ID: e411eb163d3c617e1355ae6f7eb4f15312764061c35e87a6a159e9343b8803cd
            • Opcode Fuzzy Hash: 85493a66afa9c2610d38807eec453e6ee2f2ef141c515b5d1efea09e9e11c0c7
            • Instruction Fuzzy Hash: 35217A35300610AFDB11AFA8ED49B2D77A9FF54721F04841AF94ADB2A1DF31ED018B94
            APIs
              • Part of subcall function 00AB9ABF: CLSIDFromProgID.OLE32 ref: 00AB9ADC
              • Part of subcall function 00AB9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00AB9AF7
              • Part of subcall function 00AB9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00AB9B05
              • Part of subcall function 00AB9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00AB9B15
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00ADC235
            • _memset.LIBCMT ref: 00ADC242
            • _memset.LIBCMT ref: 00ADC360
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00ADC38C
            • CoTaskMemFree.OLE32(?), ref: 00ADC397
            Strings
            • NULL Pointer assignment, xrefs: 00ADC3E5
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 1300414916-2785691316
            • Opcode ID: cc654dc7c0b2cad3a982c3e5d2a40d83b77131042c500895149bd8f92a4f7a81
            • Instruction ID: 5142cca5499503f506dd844951ca2f9b33f8f8d6540b227ecb40046ad7b4f8a6
            • Opcode Fuzzy Hash: cc654dc7c0b2cad3a982c3e5d2a40d83b77131042c500895149bd8f92a4f7a81
            • Instruction Fuzzy Hash: F7915D71D00219EBDB10DFA4DD85EDEBBB8EF04720F10815AF516A7291EB709A45CFA0
            APIs
              • Part of subcall function 00ABB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ABB180
              • Part of subcall function 00ABB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ABB1AD
              • Part of subcall function 00ABB134: GetLastError.KERNEL32 ref: 00ABB1BA
            • ExitWindowsEx.USER32(?,00000000), ref: 00AC7A0F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $@$SeShutdownPrivilege
            • API String ID: 2234035333-194228
            • Opcode ID: 3a60269a191f0f7174a92a902d8be763361f7c6e29247eafc04430ce60d74937
            • Instruction ID: 9cd8b645a9a6bf8f76e71e1dd125f0e0639fb73fe4d35016956bd7392b961460
            • Opcode Fuzzy Hash: 3a60269a191f0f7174a92a902d8be763361f7c6e29247eafc04430ce60d74937
            • Instruction Fuzzy Hash: B401A7716582216AF72C6778DC5AFBF72689B147C0F26152CBD53A20D2EDA09E0089B0
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AD8CA8
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD8CB7
            • bind.WSOCK32(00000000,?,00000010), ref: 00AD8CD3
            • listen.WSOCK32(00000000,00000005), ref: 00AD8CE2
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD8CFC
            • closesocket.WSOCK32(00000000,00000000), ref: 00AD8D10
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorLast$bindclosesocketlistensocket
            • String ID:
            • API String ID: 1279440585-0
            • Opcode ID: 8958a1e335705bc072f87a10ae5a658c1a1990881aab5236d875e2a6b73f4bd4
            • Instruction ID: 3575ae46d7f46c039a96d720e92773b35d4c7e6a0040c0e1f03986ca02da38ac
            • Opcode Fuzzy Hash: 8958a1e335705bc072f87a10ae5a658c1a1990881aab5236d875e2a6b73f4bd4
            • Instruction Fuzzy Hash: 5A217A31600200AFCB10EF68CE85B6EB7A9EF58724F148559E957AB3D2CB74AD418B61
            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AC6554
            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AC6564
            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00AC6583
            • __wsplitpath.LIBCMT ref: 00AC65A7
            • _wcscat.LIBCMT ref: 00AC65BA
            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AC65F9
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
            • String ID:
            • API String ID: 1605983538-0
            • Opcode ID: e1ce65bc0533bf4b0d3088c55a63f3459876907a565f5db9e131a6ae40cd7c2e
            • Instruction ID: 6dc597bbab42252309b3b74df43333ca1d18ad2e94c58127385afa6289e48acc
            • Opcode Fuzzy Hash: e1ce65bc0533bf4b0d3088c55a63f3459876907a565f5db9e131a6ae40cd7c2e
            • Instruction Fuzzy Hash: 8B21657190021CABDB10EBA4CD89FDDB7BCAB49300F5004A9E505E7181DB759F85CB61
            APIs
              • Part of subcall function 00ADA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ADA84E
            • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00AD9296
            • WSAGetLastError.WSOCK32(00000000,00000000), ref: 00AD92B9
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorLastinet_addrsocket
            • String ID:
            • API String ID: 4170576061-0
            • Opcode ID: e70b1804ed4b6ece601cce357d49a0deaee03a929f4594784176fc5d5b565ee2
            • Instruction ID: 91ac863a909bc271f273654653036f127f9a6aabd290ff217a2a74e53fcae509
            • Opcode Fuzzy Hash: e70b1804ed4b6ece601cce357d49a0deaee03a929f4594784176fc5d5b565ee2
            • Instruction Fuzzy Hash: 7A419A70600200AFEB10AB688D86E7F77E9EF48728F14844DF956AB3D2DA749D018B91
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00ACEB8A
            • _wcscmp.LIBCMT ref: 00ACEBBA
            • _wcscmp.LIBCMT ref: 00ACEBCF
            • FindNextFileW.KERNEL32(00000000,?), ref: 00ACEBE0
            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00ACEC0E
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Find$File_wcscmp$CloseFirstNext
            • String ID:
            • API String ID: 2387731787-0
            • Opcode ID: c47448cab36c4791d4b7181b96baf327587d52cd47551e0df1b2670c5e6a6134
            • Instruction ID: c515b902aa75bed05ab65df824ac802ce0d4c82f14c960b35db98cc1a25d42a7
            • Opcode Fuzzy Hash: c47448cab36c4791d4b7181b96baf327587d52cd47551e0df1b2670c5e6a6134
            • Instruction Fuzzy Hash: 774188356046029FCB18DF68C891EAAB7E4FF49324F10455EEA5A8B3A1DF31ED40CB95
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: ee6c549927d45dac5bf21481749c818a257dbbc025eb5a20f66586a377292eed
            • Instruction ID: 48eeacdae52e13a554fa108033e433e978ab853efde6e07f43c6c01f0f0f0cb3
            • Opcode Fuzzy Hash: ee6c549927d45dac5bf21481749c818a257dbbc025eb5a20f66586a377292eed
            • Instruction Fuzzy Hash: 73118F317002516FE7216F66DD44F6FBBA9EF54760B054529F84ED7281CF38E90286A4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            • Opcode ID: 80ba76acfabb78d874e96284b189dc4bbade7e49380a4434dcdb49344e36d7ef
            • Instruction ID: de68afe1c26dbde7501934bdab6ddde08bd9b0c94db2a67618521ae4558c9113
            • Opcode Fuzzy Hash: 80ba76acfabb78d874e96284b189dc4bbade7e49380a4434dcdb49344e36d7ef
            • Instruction Fuzzy Hash: 62926071E0021ACBEF24DF58C8407BEBBB1FB54314F1486AAE916AB280D7759D81DF91
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00A9E014,74DF0AE0,00A9DEF1,00B1DC38,?,?), ref: 00A9E02C
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A9E03E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 2574300362-192647395
            • Opcode ID: 3a05d7798ab76f5423733fecaae6c45f71bf0166cd7508965ab7c52150e88ee7
            • Instruction ID: 3a70d0eaca56668ca88763a206b36eef99604d6b7268e3ef2b043b6727292956
            • Opcode Fuzzy Hash: 3a05d7798ab76f5423733fecaae6c45f71bf0166cd7508965ab7c52150e88ee7
            • Instruction Fuzzy Hash: 90D0C7716407229FDB35DFA5EC0975276D5AB14711F288459E495E31A0FFB4D8808650
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00AC13DC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 702084db9339245f00aa7347fb0c30896412a14372a249e4cd3241ca0d5df5bc
            • Instruction ID: 2c403441c93b0cb01797cf821162369615a6e307b4b78172690b5a8958df5064
            • Opcode Fuzzy Hash: 702084db9339245f00aa7347fb0c30896412a14372a249e4cd3241ca0d5df5bc
            • Instruction Fuzzy Hash: 9C322675A006059FCB28CF69C480E6AB7F0FF49320B16C56EE59ADB3A2D770E941CB44
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00A9B22F
              • Part of subcall function 00A9B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00A9B5A5
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Proc$LongWindow
            • String ID:
            • API String ID: 2749884682-0
            • Opcode ID: 3c9b4e45f7f1499978b2bb1153b6a974d9723b9a646a9e2eecc2d8176f8c7f5e
            • Instruction ID: cfb06f5c9702f33c0b0e7392226481aff463a4f47e0fdfbd801dbebff58ae202
            • Opcode Fuzzy Hash: 3c9b4e45f7f1499978b2bb1153b6a974d9723b9a646a9e2eecc2d8176f8c7f5e
            • Instruction Fuzzy Hash: 1FA14970334109BADF28EBAE6F88DFF29FDEB52744B10451EF502D65A1DB259D009272
            APIs
            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00AD4FA6
            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AD4FD2
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Internet$AvailableDataFileQueryRead
            • String ID:
            • API String ID: 599397726-0
            • Opcode ID: c86bc3ada55a2064330d9c4fa3620b02a1a8307b7d95aba7106c8c9f4340442f
            • Instruction ID: a1dee9bd06728e73dfbda48685c4327658fa18fa6fd19f4d8ea274dc1b653f48
            • Opcode Fuzzy Hash: c86bc3ada55a2064330d9c4fa3620b02a1a8307b7d95aba7106c8c9f4340442f
            • Instruction Fuzzy Hash: 1541E671A04209BFEB209F94CD85EBFB7BCEB44754F10402FF207A6290DA719E4196A0
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00ACE20D
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00ACE267
            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00ACE2B4
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 40fef33364af0b24739d47321c3be9755dd66243dede037da305bf103b6b3a60
            • Instruction ID: 7ca3f0acf28348f2ec2327c374dc99dc20344c1c368e497ba3b95e31e4f4dec6
            • Opcode Fuzzy Hash: 40fef33364af0b24739d47321c3be9755dd66243dede037da305bf103b6b3a60
            • Instruction Fuzzy Hash: 62212835A00218EFCB00EFA5D985FAEBBB8FF58314F1584A9E905AB291DB319915CB50
            APIs
              • Part of subcall function 00A9F4EA: std::exception::exception.LIBCMT ref: 00A9F51E
              • Part of subcall function 00A9F4EA: __CxxThrowException@8.LIBCMT ref: 00A9F533
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ABB180
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ABB1AD
            • GetLastError.KERNEL32 ref: 00ABB1BA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
            • String ID:
            • API String ID: 1922334811-0
            • Opcode ID: d15476315643253499dd4349ca1554647fd25b92d3d21222b266a92af769a150
            • Instruction ID: 640db2298aaf0d679c36752c8b48778d0c1b90297542aa455f25f19daa3b89f6
            • Opcode Fuzzy Hash: d15476315643253499dd4349ca1554647fd25b92d3d21222b266a92af769a150
            • Instruction Fuzzy Hash: 1B11BFB1510204AFE7189F58EC85D6BB7FCFB44310B20852EE05693241EBB0FC418B60
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AC66AF
            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00AC66EC
            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AC66F5
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: c3f3c5255d30b083c8dc3660d57596a26206b7386c6a5a53569ca05f7231886e
            • Instruction ID: de2c22a98fe87efab05f5b577735aa6668c00355bb194f16bcabb94f66eb648a
            • Opcode Fuzzy Hash: c3f3c5255d30b083c8dc3660d57596a26206b7386c6a5a53569ca05f7231886e
            • Instruction Fuzzy Hash: 9B11A1B1900228BEE710CBA8DC49FAFBBBCEB08754F014656F901F71D0C6B89E0487A5
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AC7223
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AC723A
            • FreeSid.ADVAPI32(?), ref: 00AC724A
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 8edfe3f97791f8d80d87689803ac09b09bd18e2bd6c3abea1e61d04cd8336e38
            • Instruction ID: 0578032c6d06f21e3cec44a853d8b5a7e7965795a431952cd3ada47fe316e3cf
            • Opcode Fuzzy Hash: 8edfe3f97791f8d80d87689803ac09b09bd18e2bd6c3abea1e61d04cd8336e38
            • Instruction Fuzzy Hash: 8FF01D76A04209BFDF04DFE4DD99EEEBBB8EF08201F104469A606E31D1E6709A448B10
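The three functions listed above (LookupPrivilegeValueW/AdjustTokenPrivileges, CreateFileW/DeviceIoControl, AllocateAndInitializeSid/CheckTokenMembership) are the kind of API sequences a triager wants to pull out of this listing mechanically. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it parses the "• Api.MODULE(args), ref: ADDR" lines of this report format, splits the DeviceIoControl control code 002D1400 into its CTL_CODE fields (device type 0x2D, function 0x500, METHOD_BUFFERED), and rebuilds the SID that AllocateAndInitializeSid is asked to create. The authority argument is shown as "?" in the report, so the script assumes SECURITY_NT_AUTHORITY (5), which with sub-authorities 0x20 and 0x220 gives S-1-5-32-544; that assumption is a parameter and is flagged in the code. The sample input is copied from the API lines above.

```python
import re

# Constructed sample: the API lines of the three functions listed above,
# copied from this report. "Part of subcall function" lines are skipped.
REPORT_LINES = """
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ABB180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ABB1AD
• GetLastError.KERNEL32 ref: 00ABB1BA
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AC66AF
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 00AC66EC
• CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AC66F5
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AC7223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AC723A
• FreeSid.ADVAPI32(?), ref: 00AC724A
"""

# One report line: bullet, Api.MODULE, optional "(args)", then "ref: ADDR".
API_RE = re.compile(
    r"•\s*(?P<api>[A-Za-z0-9_@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Only the device type that occurs in this report is named; others stay numeric.
DEVICE_TYPES = {0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]

# API sequences worth flagging, in call order, with a short label.
CAPABILITIES = {
    ("LookupPrivilegeValueW", "AdjustTokenPrivileges"): "adjusts a token privilege",
    ("CreateFileW", "DeviceIoControl"): "sends an IOCTL to a device driver",
    ("AllocateAndInitializeSid", "CheckTokenMembership"): "checks the caller's group membership",
}


def parse_api_lines(text):
    """Return one dict per API line: api, module, argument list, ref address."""
    calls = []
    for m in API_RE.finditer(text):
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [] if args is None else args.split(","),
            "ref": int(m.group("ref"), 16),
        })
    return calls


def decode_ioctl(code):
    """Split a CTL_CODE value into its winioctl.h fields."""
    device_type = code >> 16
    return {
        "device_type": device_type,
        "device_name": DEVICE_TYPES.get(device_type, "unknown"),
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def sid_from_allocate_args(args, authority=5):
    """Rebuild the SID string from AllocateAndInitializeSid's arguments.
    Assumption: the report shows the authority pointer as '?', so
    SECURITY_NT_AUTHORITY (5) is used unless the caller overrides it."""
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def tag_capabilities(calls):
    """Label every CAPABILITIES sequence whose APIs appear in order."""
    names = [c["api"] for c in calls]
    found = []
    for seq, label in CAPABILITIES.items():
        idx = 0
        for n in names:
            if idx < len(seq) and n == seq[idx]:
                idx += 1
        if idx == len(seq):
            found.append(label)
    return found


def triage(text):
    """Parse a report excerpt and summarise what a triager would look at first."""
    calls = parse_api_lines(text)
    out = {"calls": len(calls), "capabilities": tag_capabilities(calls), "ioctls": [], "sids": []}
    for c in calls:
        if c["api"] == "DeviceIoControl" and len(c["args"]) > 1 and c["args"][1] != "?":
            out["ioctls"].append(decode_ioctl(int(c["args"][1], 16)))
        if c["api"] == "AllocateAndInitializeSid":
            out["sids"].append(sid_from_allocate_args(c["args"]))
    return out


if __name__ == "__main__":
    for k, v in triage(REPORT_LINES).items():
        print(k, v)
```

Control code 0x2D1400 decodes to device type 0x2D, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is the layout of IOCTL_STORAGE_QUERY_PROPERTY; together with the S-1-5-32-544 (BUILTIN\Administrators) membership check these are routine runtime helpers rather than evidence of the FormBook payload itself, which is why the report's verdict rests on the Yara and unpacking signatures in the head of the page rather than on these functions.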
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00ACF599
            • FindClose.KERNEL32(00000000), ref: 00ACF5C9
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: caecf64caad62d7fbdddf5924d6244f8376702bd90b37f5d3d33a550f033e4dd
            • Instruction ID: 028b702094a93ba8c7c9372626d3c3540bba939422294cfeeab881bba6764afc
            • Opcode Fuzzy Hash: caecf64caad62d7fbdddf5924d6244f8376702bd90b37f5d3d33a550f033e4dd
            • Instruction Fuzzy Hash: 7E1161726006049FDB10EF68D845A2EB7E9FF98324F05891EF9A9D7291DF34ED018B81
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00ADBE6A,?,?,00000000,?), ref: 00ACCEA7
            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00ADBE6A,?,?,00000000,?), ref: 00ACCEB9
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: dc5d9a7faf2877a55a213a003514df0360272d577783c1d02a877d8308247199
            • Instruction ID: cac6808a18c666e9b813f2da3dd4d03a537b24a4a6ca1a83d593d372a4fad0f0
            • Opcode Fuzzy Hash: dc5d9a7faf2877a55a213a003514df0360272d577783c1d02a877d8308247199
            • Instruction Fuzzy Hash: 0BF08C35100229ABDB20ABA4DC49FEA776DBF093A1F00816AF919D7191DB309A40CBA4
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AC4153
            • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00AC4166
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: InputSendkeybd_event
            • String ID:
            • API String ID: 3536248340-0
            • Opcode ID: 0989efcad3422f5e9268486d26c4d87d68f7d6169eb178d77baad51779311426
            • Instruction ID: 06f6818b3e35361f63f163b6424c22d82daac38f5a49a58bb48b51fd576fd201
            • Opcode Fuzzy Hash: 0989efcad3422f5e9268486d26c4d87d68f7d6169eb178d77baad51779311426
            • Instruction Fuzzy Hash: A2F0677080024DAFEB058FA0CC05BBE7FB0EF14305F04800AF966A6192D77986129FA4
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ABACC0), ref: 00ABAB99
            • CloseHandle.KERNEL32(?,?,00ABACC0), ref: 00ABABAB
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: bfb69c3dd835c51c5b6948c39f2b1e584c9b6a50f436d83822fd1a645aadaa6b
            • Instruction ID: 3f07304a17fecb5a713d91576643b7e9582995331af9b0dc32ed9eb2dcad56ec
            • Opcode Fuzzy Hash: bfb69c3dd835c51c5b6948c39f2b1e584c9b6a50f436d83822fd1a645aadaa6b
            • Instruction Fuzzy Hash: CDE0E675000510AFEB252F54ED05D777BEDEF04320711C929F459C1471DB639C90DB50
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00AA6DB3,-0000031A,?,?,00000001), ref: 00AA81B1
            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00AA81BA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: c09dcd88ab003f9e228f4a91c51c5af6f604324ebfc38d397893557bb3d4f2cd
            • Instruction ID: 5b7aafc11c83e691681e2c422f48f730aec92f776fe284dd99578171195b702b
            • Opcode Fuzzy Hash: c09dcd88ab003f9e228f4a91c51c5af6f604324ebfc38d397893557bb3d4f2cd
            • Instruction Fuzzy Hash: C0B09231144608ABDB002BE1EC09B587F68EB18652F008010F60D460A18F7254108A9A
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 5d108471879a9782cc131460f434176f91ac70e3aeae9827e80d6088ccd40029
            • Instruction ID: 9a75c3f02b4b88eeaa90e0afc6d552739645009bbede5e182220c46344e84f5f
            • Opcode Fuzzy Hash: 5d108471879a9782cc131460f434176f91ac70e3aeae9827e80d6088ccd40029
            • Instruction Fuzzy Hash: E5A24B71E04219CFCB28DF58C8847ADBBB1FF48314F2581A9E859AB391D7349E81DB90
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70fc487576f52b473a12343b9712775c96b986d9092d40a408121868e95e0476
            • Instruction ID: 0b01a0def7a31be2edf7c20a7cfb57694ab05e6300c5a91cf6fe8bb9b2fe8bb7
            • Opcode Fuzzy Hash: 70fc487576f52b473a12343b9712775c96b986d9092d40a408121868e95e0476
            • Instruction Fuzzy Hash: BD32F421D29F014DD7239635D822336A298AFB73D4F55D737E85AB6EE6EF29C8834100
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __itow__swprintf
            • String ID:
            • API String ID: 674341424-0
            • Opcode ID: 6217a4adbc6248456780f530182055cf83d15138fb56a65384f1b7c0cc21439c
            • Instruction ID: 9d8c7c48cb25afb5c6017db590f86c610ebbe04cfb362793e7cd4b133136f220
            • Opcode Fuzzy Hash: 6217a4adbc6248456780f530182055cf83d15138fb56a65384f1b7c0cc21439c
            • Instruction Fuzzy Hash: D222B9716083049FDB24EF64C990BAFB7E4EF84320F14491DF99A9B291DB71E945CB82
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 94e4b903e366048bb7c4e195316695c10368191562feafb3f4d07fc04fd9b891
            • Instruction ID: 218c1ef052394c11e894370e1aebe4926ea712710a05e4253b32ce844ce1365a
            • Opcode Fuzzy Hash: 94e4b903e366048bb7c4e195316695c10368191562feafb3f4d07fc04fd9b891
            • Instruction Fuzzy Hash: 57B1E120D2AF418DD32396798835336B69CAFFB2D5F91D71BFC2A75D22EB2185834180
            APIs
            • __time64.LIBCMT ref: 00ACB6DF
              • Part of subcall function 00AA344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00ACBDC3,00000000,?,?,?,?,00ACBF70,00000000,?), ref: 00AA3453
              • Part of subcall function 00AA344A: __aulldiv.LIBCMT ref: 00AA3473
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Time$FileSystem__aulldiv__time64
            • String ID:
            • API String ID: 2893107130-0
            • Opcode ID: 19e11828cc03d7a1f019e245f098b2a45631db0b4c5e4d104f08a45c3cefdccc
            • Instruction ID: 953cd450e1a5716d207875fd3a287b49d803b01818ac030c971a245553d53238
            • Opcode Fuzzy Hash: 19e11828cc03d7a1f019e245f098b2a45631db0b4c5e4d104f08a45c3cefdccc
            • Instruction Fuzzy Hash: 0C21A276634510CBC729CF28C481B62B7E1EB95310B248E6DE4E5CB2C0CB74BA05DB54
            APIs
            • BlockInput.USER32(00000001), ref: 00AD6ACA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: 4dcf25a01bcbc5267ac8fb6f658b80060e450a32b9158d1f14b03d66a0b062b4
            • Instruction ID: 7fa1955cd6d98f889454a125b9f743a8a641211f5aa206317356a38956355021
            • Opcode Fuzzy Hash: 4dcf25a01bcbc5267ac8fb6f658b80060e450a32b9158d1f14b03d66a0b062b4
            • Instruction Fuzzy Hash: 08E012352002046FC700EF99D504996B7ECAF74791F058416E946D73A1DAB0E8048B90
            APIs
            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AC74DE
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: 0abd3435cf54072ceb5fb86d7e08ce87cc1b86d0a0bfee28518d423e2cba9713
            • Instruction ID: 6c80e7dbd7b7ed8eda37da1d15dcf6443825b7757fd89f9fcb8f731c8e4a4e64
            • Opcode Fuzzy Hash: 0abd3435cf54072ceb5fb86d7e08ce87cc1b86d0a0bfee28518d423e2cba9713
            • Instruction Fuzzy Hash: E9D05EA022C30538EC2C8724CE0FF7E0908F3207C1F82818DB482CE0C1B88058059832
            APIs
            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00ABAD3E), ref: 00ABB124
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: LogonUser
            • String ID:
            • API String ID: 1244722697-0
            • Opcode ID: 00940e786a3a1f423997ba61768af0c97e86e65eb1541ef2f54ddb93a57073bd
            • Instruction ID: 3114cae39beb0f6045ba9bf7dbb22001966a0c87fd0cdabb86c8c3dfe7b146f1
            • Opcode Fuzzy Hash: 00940e786a3a1f423997ba61768af0c97e86e65eb1541ef2f54ddb93a57073bd
            • Instruction Fuzzy Hash: C5D05E320A460EAEDF024FA4DC02EAE3F6AEB04700F408110FA15C60A0C671D531AB50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 2b5ba05fc626109770569316a1e1b0d14c2226a79555f168c9badca7137a5eb8
            • Instruction ID: eae1ba7058296edfd27f4155c871360448922208031b83f03dd2ca7961095cbb
            • Opcode Fuzzy Hash: 2b5ba05fc626109770569316a1e1b0d14c2226a79555f168c9badca7137a5eb8
            • Instruction Fuzzy Hash: 99C04CF140014DDFD751CBC0C9449EEB7BCAB14301F104091A249F2150DB709B459B72
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00AA818F
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: c38fcff7fca51c1202ac7fc5e549e08d0a09bc88d250bb603325345624eac1a2
            • Instruction ID: f9f1ccfdfe6a7ba578c6143e19325621ccdf41279cac65569f6c6802d2392a1d
            • Opcode Fuzzy Hash: c38fcff7fca51c1202ac7fc5e549e08d0a09bc88d250bb603325345624eac1a2
            • Instruction Fuzzy Hash: DCA0113000020CABCF002B82EC088883F2CEA002A0B000020F80C020208B22A8208A8A
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cd91ec78eec819a528d9d14e1567f852f07d7fd39104ce84bf4e3a56c52c0ba0
            • Instruction ID: a72b655afba048edad09adf7cbeac6949579529607922490042201763c0783c6
            • Opcode Fuzzy Hash: cd91ec78eec819a528d9d14e1567f852f07d7fd39104ce84bf4e3a56c52c0ba0
            • Instruction Fuzzy Hash: 82229C74A0420ADFDB24EF58C480ABEBBF1FF18314F148169E95A9B351E735AD81CB91
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8398f9a2c16b551d91548a444e003848778ae9142a31e451bb399c48677b1c50
            • Instruction ID: 009b75378921e89d0f296f22ad70b9d29772fd089c4e51dee824ee529d8966ec
            • Opcode Fuzzy Hash: 8398f9a2c16b551d91548a444e003848778ae9142a31e451bb399c48677b1c50
            • Instruction Fuzzy Hash: 39125970A00609EBDF14EFA5DA85ABEB7F5FF48300F248529E806E7251EB35AD14CB54
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Exception@8Throwstd::exception::exception
            • String ID:
            • API String ID: 3728558374-0
            • Opcode ID: 408fe1041938277b8c05dcbda8ebea5ee2816b921475394f18c67fb5d9a4ea09
            • Instruction ID: 238a4fbf4409dbba21a6b42c6cfb981b45d5128d07ab16cc90c06bb0ffcdddc8
            • Opcode Fuzzy Hash: 408fe1041938277b8c05dcbda8ebea5ee2816b921475394f18c67fb5d9a4ea09
            • Instruction Fuzzy Hash: D0027E70A00209DBDF14EF68D991AAEBBB5FF48300F108069F906DB295EB35DE15CB91
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
            • Instruction ID: ddb52454639a53e9779b9a46b8ec7e221a35f9cd35b79360c9dab03a5511a10c
            • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
            • Instruction Fuzzy Hash: 6BC192322051930EDF2D473A887493EFAE15AA2BB571A176DD8B3CF5D5EF20C528D620
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
            • Instruction ID: ab955e94bdef2a6cf233fe3d4f3a5346926db49e148f601a1c8ee21ab3663583
            • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
            • Instruction Fuzzy Hash: D9C17E322051930EEF6D473AC87493EBBE15AA3BB131A176DD4B2CB5D5EF20D528D620
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction ID: a3a07633090ef462717c229966eda4f9955bdb4a7a2ec5cc4253e8b70a0d9de6
            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction Fuzzy Hash: 11C16D323091930EDF6D473AC87443EBAE15AA2BB531A077DD8B2CB5E5EF20D564D620
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction ID: 5f01c6cfe46848841580781195364856b78dd04ffe919ecc783b94dec626b44c
            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction Fuzzy Hash: 8E41A471D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB90
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction ID: e523ab068ded770385639497bd6475762368a8f3a93f208dbe4eeedb23a75a19
            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction Fuzzy Hash: EA01A478A04209EFCB44DF98C5909AEF7F9FF88350F248699D819A7741E730AE41DB80
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction ID: dbc6a1bed3977c6c412521494145472253d9262f38086b86b047e31a2b831810
            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction Fuzzy Hash: 07019278A04209EFCB48DF98C5909AEF7B9FB88310F248599D819AB741D730EE41DB80
            Memory Dump Source
            • Source File: 00000000.00000002.1703639932.0000000003970000.00000040.00001000.00020000.00000000.sdmp, Offset: 03970000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3970000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
            APIs
            • DeleteObject.GDI32(00000000), ref: 00ADA2FE
            • DeleteObject.GDI32(00000000), ref: 00ADA310
            • DestroyWindow.USER32 ref: 00ADA31E
            • GetDesktopWindow.USER32 ref: 00ADA338
            • GetWindowRect.USER32(00000000), ref: 00ADA33F
            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00ADA480
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00ADA490
            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA4D8
            • GetClientRect.USER32(00000000,?), ref: 00ADA4E4
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00ADA51E
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA540
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA553
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA55E
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA567
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA576
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA57F
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA586
            • GlobalFree.KERNEL32(00000000), ref: 00ADA591
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA5A3
            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00B0D9BC,00000000), ref: 00ADA5B9
            • GlobalFree.KERNEL32(00000000), ref: 00ADA5C9
            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00ADA5EF
            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00ADA60E
            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA630
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ADA81D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: be88934bff4b7d159a94b33a2c51c21349a242bf6c374721b08b32a54db1afc7
            • Instruction ID: 62d75e07b1e01c87eb1d743d20f1af4e504c52acb206b5518f295687e4ce5235
            • Opcode Fuzzy Hash: be88934bff4b7d159a94b33a2c51c21349a242bf6c374721b08b32a54db1afc7
            • Instruction Fuzzy Hash: CF027C75900204EFDB14DFA8CD89EAE7BB9FB59310F048559F916AB2A0DB70ED41CB60
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 00AED2DB
            • GetSysColorBrush.USER32(0000000F), ref: 00AED30C
            • GetSysColor.USER32(0000000F), ref: 00AED318
            • SetBkColor.GDI32(?,000000FF), ref: 00AED332
            • SelectObject.GDI32(?,00000000), ref: 00AED341
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00AED36C
            • GetSysColor.USER32(00000010), ref: 00AED374
            • CreateSolidBrush.GDI32(00000000), ref: 00AED37B
            • FrameRect.USER32(?,?,00000000), ref: 00AED38A
            • DeleteObject.GDI32(00000000), ref: 00AED391
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00AED3DC
            • FillRect.USER32(?,?,00000000), ref: 00AED40E
            • GetWindowLongW.USER32(?,000000F0), ref: 00AED439
              • Part of subcall function 00AED575: GetSysColor.USER32(00000012), ref: 00AED5AE
              • Part of subcall function 00AED575: SetTextColor.GDI32(?,?), ref: 00AED5B2
              • Part of subcall function 00AED575: GetSysColorBrush.USER32(0000000F), ref: 00AED5C8
              • Part of subcall function 00AED575: GetSysColor.USER32(0000000F), ref: 00AED5D3
              • Part of subcall function 00AED575: GetSysColor.USER32(00000011), ref: 00AED5F0
              • Part of subcall function 00AED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AED5FE
              • Part of subcall function 00AED575: SelectObject.GDI32(?,00000000), ref: 00AED60F
              • Part of subcall function 00AED575: SetBkColor.GDI32(?,00000000), ref: 00AED618
              • Part of subcall function 00AED575: SelectObject.GDI32(?,?), ref: 00AED625
              • Part of subcall function 00AED575: InflateRect.USER32(?,000000FF,000000FF), ref: 00AED644
              • Part of subcall function 00AED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AED65B
              • Part of subcall function 00AED575: GetWindowLongW.USER32(00000000,000000F0), ref: 00AED670
              • Part of subcall function 00AED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AED698
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
            • String ID:
            • API String ID: 3521893082-0
            • Opcode ID: ee92efb3f245021539400f5aad9182845b0220eefe8af181757061b0147cbb13
            • Instruction ID: e4b663594d1f13dd7d9cf08a62f9644515bd68d194a07a756cc66bd52bf8434a
            • Opcode Fuzzy Hash: ee92efb3f245021539400f5aad9182845b0220eefe8af181757061b0147cbb13
            • Instruction Fuzzy Hash: AC919172408301BFCB109FA4DC08E6B7BA9FF99325F104A19F962A71E0DB71D944CB52
            APIs
            • DestroyWindow.USER32 ref: 00A9B98B
            • DeleteObject.GDI32(00000000), ref: 00A9B9CD
            • DeleteObject.GDI32(00000000), ref: 00A9B9D8
            • DestroyIcon.USER32(00000000), ref: 00A9B9E3
            • DestroyWindow.USER32(00000000), ref: 00A9B9EE
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00AFD2AA
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AFD2E3
            • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00AFD711
              • Part of subcall function 00A9B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A9B759,?,00000000,?,?,?,?,00A9B72B,00000000,?), ref: 00A9BA58
            • SendMessageW.USER32 ref: 00AFD758
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AFD76F
            • ImageList_Destroy.COMCTL32(00000000), ref: 00AFD785
            • ImageList_Destroy.COMCTL32(00000000), ref: 00AFD790
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 464785882-4108050209
            • Opcode ID: ac46db831ec74c318c1d588eafce6caf5ea2f9375cbc4c6303e8ec0a9b2e3824
            • Instruction ID: 6fa902f22b2ff19663eb5b9d1abec4ac3f5dcab774c862f1c99e062b2a3965a1
            • Opcode Fuzzy Hash: ac46db831ec74c318c1d588eafce6caf5ea2f9375cbc4c6303e8ec0a9b2e3824
            • Instruction Fuzzy Hash: 8B128D302142059FDB22DF58D988BB9BBF6BF15304F144569FA89CB662CB31EC41CBA1
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00ACDBD6
            • GetDriveTypeW.KERNEL32(?,00B1DC54,?,\\.\,00B1DC00), ref: 00ACDCC3
            • SetErrorMode.KERNEL32(00000000,00B1DC54,?,\\.\,00B1DC00), ref: 00ACDE29
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: cd08c6b29140621b57c382608837e1482ecee0841edbeea9b4387d67a3df737b
            • Instruction ID: a76cf5491f4c621e24fafcf122f90b63d0f82ce5e4769cb09f488cb560be60d8
            • Opcode Fuzzy Hash: cd08c6b29140621b57c382608837e1482ecee0841edbeea9b4387d67a3df737b
            • Instruction Fuzzy Hash: 9F518030A48302ABC611EF24C981F2AF7E0FB94B15F2659BDF4479B2A1DB60D945DB42
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 1038674560-86951937
            • Opcode ID: 7abdd9b6a1141da9c206131e20aab598921eb1d5063c95a086026600d1e552b1
            • Instruction ID: ddc25f84a3009a8f6043b138ba401c24ef18a9d08f20dc0294fc745bb812452d
            • Opcode Fuzzy Hash: 7abdd9b6a1141da9c206131e20aab598921eb1d5063c95a086026600d1e552b1
            • Instruction Fuzzy Hash: 6481F971640209BBCB14BFA4DE42FBB3BB8AF15720F144029F905AB1D2EB74D951CBA1
            APIs
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00AEC788
            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00AEC83E
            • SendMessageW.USER32(?,00001102,00000002,?), ref: 00AEC859
            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 00AECB15
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$Window
            • String ID: 0
            • API String ID: 2326795674-4108050209
            • Opcode ID: 71c5d654e60ecc7256b9cb2d9bbd7b58db7410b23dd2662d57bc3cc719a60175
            • Instruction ID: cc7653787be43946e2dfbe5e563c997d9745066fe9df9e586baef903d9fdcfc0
            • Opcode Fuzzy Hash: 71c5d654e60ecc7256b9cb2d9bbd7b58db7410b23dd2662d57bc3cc719a60175
            • Instruction Fuzzy Hash: 8AF1E471204381AFD7218F2ACC85BAABBE4FF49364F144A2DF599D72A1C774C942CB91
            APIs
            • CharUpperBuffW.USER32(?,?,00B1DC00), ref: 00AE6449
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
            • API String ID: 3964851224-45149045
            • Opcode ID: aa1015fd6764aaef677c05600197204b9f4e6feef9a15e30aabbabc98f09bc09
            • Instruction ID: 7869d3377c3c48a0792ec4837c756261455b41471f32236ad327cfee82e44794
            • Opcode Fuzzy Hash: aa1015fd6764aaef677c05600197204b9f4e6feef9a15e30aabbabc98f09bc09
            • Instruction Fuzzy Hash: 2AC16E302042858BCB04EF15C651AAE77E6BFA5394F144C59F8965B3E3DB30ED4ACB92
            APIs
            • GetSysColor.USER32(00000012), ref: 00AED5AE
            • SetTextColor.GDI32(?,?), ref: 00AED5B2
            • GetSysColorBrush.USER32(0000000F), ref: 00AED5C8
            • GetSysColor.USER32(0000000F), ref: 00AED5D3
            • CreateSolidBrush.GDI32(?), ref: 00AED5D8
            • GetSysColor.USER32(00000011), ref: 00AED5F0
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00AED5FE
            • SelectObject.GDI32(?,00000000), ref: 00AED60F
            • SetBkColor.GDI32(?,00000000), ref: 00AED618
            • SelectObject.GDI32(?,?), ref: 00AED625
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00AED644
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00AED65B
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00AED670
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00AED698
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00AED6BF
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00AED6DD
            • DrawFocusRect.USER32(?,?), ref: 00AED6E8
            • GetSysColor.USER32(00000011), ref: 00AED6F6
            • SetTextColor.GDI32(?,00000000), ref: 00AED6FE
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00AED712
            • SelectObject.GDI32(?,00AED2A5), ref: 00AED729
            • DeleteObject.GDI32(?), ref: 00AED734
            • SelectObject.GDI32(?,?), ref: 00AED73A
            • DeleteObject.GDI32(?), ref: 00AED73F
            • SetTextColor.GDI32(?,?), ref: 00AED745
            • SetBkColor.GDI32(?,?), ref: 00AED74F
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 214ce561feda875fc5a1f9a5d4067b5c986fdaf1ba7e555bb2d9e55cd6dabb40
            • Instruction ID: caf4918d174b6bb4dccb5252f087e0d8f7a70eddbefc6e5e8617fde5f5ced512
            • Opcode Fuzzy Hash: 214ce561feda875fc5a1f9a5d4067b5c986fdaf1ba7e555bb2d9e55cd6dabb40
            • Instruction Fuzzy Hash: 83512B71900208AFDF109FA9DC48EAE7BB9FB58324F104515FA15AB2E1DB759A40DF60
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00AEB7B0
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AEB7C1
            • CharNextW.USER32(0000014E), ref: 00AEB7F0
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00AEB831
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00AEB847
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AEB858
            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00AEB875
            • SetWindowTextW.USER32(?,0000014E), ref: 00AEB8C7
            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00AEB8DD
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AEB90E
            • _memset.LIBCMT ref: 00AEB933
            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00AEB97C
            • _memset.LIBCMT ref: 00AEB9DB
            • SendMessageW.USER32 ref: 00AEBA05
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00AEBA5D
            • SendMessageW.USER32(?,0000133D,?,?), ref: 00AEBB0A
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00AEBB2C
            • GetMenuItemInfoW.USER32(?), ref: 00AEBB76
            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AEBBA3
            • DrawMenuBar.USER32(?), ref: 00AEBBB2
            • SetWindowTextW.USER32(?,0000014E), ref: 00AEBBDA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
            • String ID: 0
            • API String ID: 1073566785-4108050209
            • Opcode ID: d488172944e35733a0ef22363879eb5ee2d4ba985ddd20455f1c27306e02f48f
            • Instruction ID: b3700faee7ffdfc58cfe1416fc0480fc729a8c972a8f87187110effa7647ff09
            • Opcode Fuzzy Hash: d488172944e35733a0ef22363879eb5ee2d4ba985ddd20455f1c27306e02f48f
            • Instruction Fuzzy Hash: 88E16E75910258ABDF209FA6CC88EEF7BB8FF05714F108156F919AB291DB708A41DF60
            APIs
            • GetCursorPos.USER32(?), ref: 00AE778A
            • GetDesktopWindow.USER32 ref: 00AE779F
            • GetWindowRect.USER32(00000000), ref: 00AE77A6
            • GetWindowLongW.USER32(?,000000F0), ref: 00AE7808
            • DestroyWindow.USER32(?), ref: 00AE7834
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00AE785D
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AE787B
            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00AE78A1
            • SendMessageW.USER32(?,00000421,?,?), ref: 00AE78B6
            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00AE78C9
            • IsWindowVisible.USER32(?), ref: 00AE78E9
            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00AE7904
            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00AE7918
            • GetWindowRect.USER32(?,?), ref: 00AE7930
            • MonitorFromPoint.USER32(?,?,00000002), ref: 00AE7956
            • GetMonitorInfoW.USER32 ref: 00AE7970
            • CopyRect.USER32(?,?), ref: 00AE7987
            • SendMessageW.USER32(?,00000412,00000000), ref: 00AE79F2
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: c64642158cf0bd89355107de202beb5d9bb7d62b63b0b30c7e41947d0c578948
            • Instruction ID: 08ac6cdfe689d6090f35310809531c151c122d14e98e0b78596c78766af2ee58
            • Opcode Fuzzy Hash: c64642158cf0bd89355107de202beb5d9bb7d62b63b0b30c7e41947d0c578948
            • Instruction Fuzzy Hash: 61B18A71608340AFDB44DF65C988B6EBBE4FF98310F00891DF5999B291DB71E845CB92
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A9A939
            • GetSystemMetrics.USER32(00000007), ref: 00A9A941
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A9A96C
            • GetSystemMetrics.USER32(00000008), ref: 00A9A974
            • GetSystemMetrics.USER32(00000004), ref: 00A9A999
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A9A9B6
            • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00A9A9C6
            • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A9A9F9
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A9AA0D
            • GetClientRect.USER32(00000000,000000FF), ref: 00A9AA2B
            • GetStockObject.GDI32(00000011), ref: 00A9AA47
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A9AA52
              • Part of subcall function 00A9B63C: GetCursorPos.USER32(000000FF), ref: 00A9B64F
              • Part of subcall function 00A9B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00A9B66C
              • Part of subcall function 00A9B63C: GetAsyncKeyState.USER32(00000001), ref: 00A9B691
              • Part of subcall function 00A9B63C: GetAsyncKeyState.USER32(00000002), ref: 00A9B69F
            • SetTimer.USER32(00000000,00000000,00000028,00A9AB87), ref: 00A9AA79
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: 61377e11690d9fc5007f9de6cbce627e166dc29b6a85477db50a6c516f98b9bd
            • Instruction ID: 90e35eb799b8c1c4be3c0cbe35e4f9074f59685f8f10694f59ff0a8c4bc0ab22
            • Opcode Fuzzy Hash: 61377e11690d9fc5007f9de6cbce627e166dc29b6a85477db50a6c516f98b9bd
            • Instruction Fuzzy Hash: DCB17975A0020AAFDF14DFA8DD45BAE7BB5FB18314F11422AFA15A72E0DB70E940CB51
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$Foreground
            • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
            • API String ID: 62970417-1919597938
            • Opcode ID: 1c74aa20f42fd8ff597f27728a0c73e3c56e58268483e94ebbca82c756052f04
            • Instruction ID: 72dfede24d5008957226c656e356b0246c9db8f4e7201f27876feee3d6e92e55
            • Opcode Fuzzy Hash: 1c74aa20f42fd8ff597f27728a0c73e3c56e58268483e94ebbca82c756052f04
            • Instruction Fuzzy Hash: 55D1D431104646ABCB04EFA0C981BBAFBF4FF54344F504A19F596572A2DB30E99ACB91
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE3735
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B1DC00,00000000,?,00000000,?,?), ref: 00AE37A3
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00AE37EB
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00AE3874
            • RegCloseKey.ADVAPI32(?), ref: 00AE3B94
            • RegCloseKey.ADVAPI32(00000000), ref: 00AE3BA1
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Close$ConnectCreateRegistryValue
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 536824911-966354055
            • Opcode ID: 99b0c2d87fa69c81629cca58b4d3dbb93c2c971a0d33bcd9c236696c361471e2
            • Instruction ID: 13030b78d6c7e5c9bd50d5dd175d77e98d4717c9dbce50ea0a2f7fdc795e688a
            • Opcode Fuzzy Hash: 99b0c2d87fa69c81629cca58b4d3dbb93c2c971a0d33bcd9c236696c361471e2
            • Instruction Fuzzy Hash: 210248766046019FCB15EF25C995E2AB7E5FF88720F04845DF99A9B3A1DB30ED01CB81
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00AE6C56
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00AE6D16
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 3974292440-719923060
            • Opcode ID: f2ae7ce791b004a644a5e08b9526a783477fb9b6590d1ee8468c6226fd76da5e
            • Instruction ID: b6d13939544b9e2c39a561cdc1ca1777f4818a974b64fdd481f0ca13d8a49e64
            • Opcode Fuzzy Hash: f2ae7ce791b004a644a5e08b9526a783477fb9b6590d1ee8468c6226fd76da5e
            • Instruction Fuzzy Hash: 03A13C302142819FCB14EF25CA91AAAB3E5FF94354F144D6DB8A66B3D2DB30ED05CB91
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 00ABCF91
            • __swprintf.LIBCMT ref: 00ABD032
            • _wcscmp.LIBCMT ref: 00ABD045
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ABD09A
            • _wcscmp.LIBCMT ref: 00ABD0D6
            • GetClassNameW.USER32(?,?,00000400), ref: 00ABD10D
            • GetDlgCtrlID.USER32(?), ref: 00ABD15F
            • GetWindowRect.USER32(?,?), ref: 00ABD195
            • GetParent.USER32(?), ref: 00ABD1B3
            • ScreenToClient.USER32(00000000), ref: 00ABD1BA
            • GetClassNameW.USER32(?,?,00000100), ref: 00ABD234
            • _wcscmp.LIBCMT ref: 00ABD248
            • GetWindowTextW.USER32(?,?,00000400), ref: 00ABD26E
            • _wcscmp.LIBCMT ref: 00ABD282
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
            • String ID: %s%u
            • API String ID: 3119225716-679674701
            • Opcode ID: 9fdeb879b7d56bf5049d9635c391e32207dda9b9be204a4662971f04f8ea3971
            • Instruction ID: 698e6cd19853094523dddf088f825994b72d394209a3b491190f3afc4b245eff
            • Opcode Fuzzy Hash: 9fdeb879b7d56bf5049d9635c391e32207dda9b9be204a4662971f04f8ea3971
            • Instruction Fuzzy Hash: 92A1CD71604742AFD714DF64C984FEAB7ACFF44314F008629F99993192EB30EA45CBA1
            APIs
            • GetClassNameW.USER32(00000008,?,00000400), ref: 00ABD8EB
            • _wcscmp.LIBCMT ref: 00ABD8FC
            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00ABD924
            • CharUpperBuffW.USER32(?,00000000), ref: 00ABD941
            • _wcscmp.LIBCMT ref: 00ABD95F
            • _wcsstr.LIBCMT ref: 00ABD970
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00ABD9A8
            • _wcscmp.LIBCMT ref: 00ABD9B8
            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00ABD9DF
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00ABDA28
            • _wcscmp.LIBCMT ref: 00ABDA38
            • GetClassNameW.USER32(00000010,?,00000400), ref: 00ABDA60
            • GetWindowRect.USER32(00000004,?), ref: 00ABDAC9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
            • String ID: @$ThumbnailClass
            • API String ID: 1788623398-1539354611
            • Opcode ID: 2bb286314a6847441bf462123c159f3bf67f0dc2764f710b51cf3efcdec090a3
            • Instruction ID: f788a5e2355fd7f51628ede2e9f068bd1b230df56002d2095fdfd5862c374127
            • Opcode Fuzzy Hash: 2bb286314a6847441bf462123c159f3bf67f0dc2764f710b51cf3efcdec090a3
            • Instruction Fuzzy Hash: 10819C310083069BDB05DF50C985FAA7BECEF84754F08846EFD899A096EB34ED45CBA1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
            • API String ID: 1038674560-1810252412
            • Opcode ID: 0f1612a374781c2e6cdedac4e17e2179ab863283cf147885dc61c9b5886444bf
            • Instruction ID: 88c67dc34e8fe71adf87e0b1ff797d5346976be700da0e7e14ca871a7af62dec
            • Opcode Fuzzy Hash: 0f1612a374781c2e6cdedac4e17e2179ab863283cf147885dc61c9b5886444bf
            • Instruction Fuzzy Hash: A6316B31A44205AAEB14FB60DF53EEDB7B89F20755F7001A9F441B20E2FF61AE448761
            APIs
            • LoadIconW.USER32(00000063), ref: 00ABEAB0
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ABEAC2
            • SetWindowTextW.USER32(?,?), ref: 00ABEAD9
            • GetDlgItem.USER32(?,000003EA), ref: 00ABEAEE
            • SetWindowTextW.USER32(00000000,?), ref: 00ABEAF4
            • GetDlgItem.USER32(?,000003E9), ref: 00ABEB04
            • SetWindowTextW.USER32(00000000,?), ref: 00ABEB0A
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ABEB2B
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ABEB45
            • GetWindowRect.USER32(?,?), ref: 00ABEB4E
            • SetWindowTextW.USER32(?,?), ref: 00ABEBB9
            • GetDesktopWindow.USER32 ref: 00ABEBBF
            • GetWindowRect.USER32(00000000), ref: 00ABEBC6
            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ABEC12
            • GetClientRect.USER32(?,?), ref: 00ABEC1F
            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ABEC44
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ABEC6F
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
            • String ID:
            • API String ID: 3869813825-0
            • Opcode ID: c51be70bb3992a47cc9339873204763fcf4cca66958ae14c1539d60721b41df0
            • Instruction ID: 118662ba20d8bc7d59c169fca98cff829dfe1849b4a0998eedc50a05d008cc23
            • Opcode Fuzzy Hash: c51be70bb3992a47cc9339873204763fcf4cca66958ae14c1539d60721b41df0
            • Instruction Fuzzy Hash: 9A512D71900709EFDB20DFA8CD89BAEBBF9FF04705F004918E556A35A1DB75A944CB50
            APIs
            • LoadCursorW.USER32(00000000,00007F8A), ref: 00AD79C6
            • LoadCursorW.USER32(00000000,00007F00), ref: 00AD79D1
            • LoadCursorW.USER32(00000000,00007F03), ref: 00AD79DC
            • LoadCursorW.USER32(00000000,00007F8B), ref: 00AD79E7
            • LoadCursorW.USER32(00000000,00007F01), ref: 00AD79F2
            • LoadCursorW.USER32(00000000,00007F81), ref: 00AD79FD
            • LoadCursorW.USER32(00000000,00007F88), ref: 00AD7A08
            • LoadCursorW.USER32(00000000,00007F80), ref: 00AD7A13
            • LoadCursorW.USER32(00000000,00007F86), ref: 00AD7A1E
            • LoadCursorW.USER32(00000000,00007F83), ref: 00AD7A29
            • LoadCursorW.USER32(00000000,00007F85), ref: 00AD7A34
            • LoadCursorW.USER32(00000000,00007F82), ref: 00AD7A3F
            • LoadCursorW.USER32(00000000,00007F84), ref: 00AD7A4A
            • LoadCursorW.USER32(00000000,00007F04), ref: 00AD7A55
            • LoadCursorW.USER32(00000000,00007F02), ref: 00AD7A60
            • LoadCursorW.USER32(00000000,00007F89), ref: 00AD7A6B
            • GetCursorInfo.USER32(?), ref: 00AD7A7B
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Cursor$Load$Info
            • String ID:
            • API String ID: 2577412497-0
            • Opcode ID: 1688b2e3367a25d9fdc2379636c4cc64dec903743707e5b0c4f789a5630a516c
            • Instruction ID: 987bb25d0d0297cfbfd072d37894ccf60fa924f336ae8b98b5402e26bdc19019
            • Opcode Fuzzy Hash: 1688b2e3367a25d9fdc2379636c4cc64dec903743707e5b0c4f789a5630a516c
            • Instruction Fuzzy Hash: 6F31E5B1D4831A6ADB509FB68C8995FBFF8FF04750F50452BA50DE7280EA78A5008FA1
            APIs
              • Part of subcall function 00A9E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A8C8B7,?,00002000,?,?,00000000,?,00A8419E,?,?,?,00B1DC00), ref: 00A9E984
              • Part of subcall function 00A8660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A853B1,?,?,00A861FF,?,00000000,00000001,00000000), ref: 00A8662F
            • __wsplitpath.LIBCMT ref: 00A8C93E
              • Part of subcall function 00AA1DFC: __wsplitpath_helper.LIBCMT ref: 00AA1E3C
            • _wcscpy.LIBCMT ref: 00A8C953
            • _wcscat.LIBCMT ref: 00A8C968
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00A8C978
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A8CABE
              • Part of subcall function 00A8B337: _wcscpy.LIBCMT ref: 00A8B36F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
            • API String ID: 2258743419-1018226102
            • Opcode ID: a98ab22fd38b9fedeb01c6febc7f34e11161094c7fea2d0ca5f50953756f003d
            • Instruction ID: e185e849ff0a4ce5ea071cc796350fd86ba119429ca813b27bf2e17cdfc868b3
            • Opcode Fuzzy Hash: a98ab22fd38b9fedeb01c6febc7f34e11161094c7fea2d0ca5f50953756f003d
            • Instruction Fuzzy Hash: 1412C0715083459FCB24EF64C981AAFBBF5BF99314F00491EF589932A1DB30DA49CB62
            APIs
            • _memset.LIBCMT ref: 00AECEFB
            • DestroyWindow.USER32(?,?), ref: 00AECF73
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00AECFF4
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00AED016
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AED025
            • DestroyWindow.USER32(?), ref: 00AED042
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A80000,00000000), ref: 00AED075
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00AED094
            • GetDesktopWindow.USER32 ref: 00AED0A9
            • GetWindowRect.USER32(00000000), ref: 00AED0B0
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00AED0C2
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00AED0DA
              • Part of subcall function 00A9B526: GetWindowLongW.USER32(?,000000EB), ref: 00A9B537
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
            • String ID: 0$tooltips_class32
            • API String ID: 3877571568-3619404913
            • Opcode ID: 536807de92c3d7f751d88b0967d2738789c2a12d14ef60290e7767e895ebab94
            • Instruction ID: 52e46be94df607f22ed72aee379f1039f642ea49ebb68237787cca745a7e715c
            • Opcode Fuzzy Hash: 536807de92c3d7f751d88b0967d2738789c2a12d14ef60290e7767e895ebab94
            • Instruction Fuzzy Hash: 2F71CCB4140345AFEB20CF28DC85F667BE5FB89704F08491DF986872A1DB31E942CB22
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • DragQueryPoint.SHELL32(?,?), ref: 00AEF37A
              • Part of subcall function 00AED7DE: ClientToScreen.USER32(?,?), ref: 00AED807
              • Part of subcall function 00AED7DE: GetWindowRect.USER32(?,?), ref: 00AED87D
              • Part of subcall function 00AED7DE: PtInRect.USER32(?,?,00AEED5A), ref: 00AED88D
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00AEF3E3
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00AEF3EE
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00AEF411
            • _wcscat.LIBCMT ref: 00AEF441
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00AEF458
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00AEF471
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00AEF488
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00AEF4AA
            • DragFinish.SHELL32(?), ref: 00AEF4B1
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00AEF59C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
            • API String ID: 169749273-3440237614
            • Opcode ID: ad5872ff29369916250e9b3bd8eaeb893996cbf2fef7f1a046ee25c316d55a58
            • Instruction ID: 363e46e5eb15d934afb9cc2729b7ea0d73a0562839e2dde6b2ffc97c1f941d9d
            • Opcode Fuzzy Hash: ad5872ff29369916250e9b3bd8eaeb893996cbf2fef7f1a046ee25c316d55a58
            • Instruction Fuzzy Hash: BC613771108340AFC701EF64CD85E9FBBF8EF99714F104A1EB595931A1DB70AA09CB62
            APIs
            • VariantInit.OLEAUT32(00000000), ref: 00ACAB3D
            • VariantCopy.OLEAUT32(?,?), ref: 00ACAB46
            • VariantClear.OLEAUT32(?), ref: 00ACAB52
            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00ACAC40
            • __swprintf.LIBCMT ref: 00ACAC70
            • VarR8FromDec.OLEAUT32(?,?), ref: 00ACAC9C
            • VariantInit.OLEAUT32(?), ref: 00ACAD4D
            • SysFreeString.OLEAUT32(00000016), ref: 00ACADDF
            • VariantClear.OLEAUT32(?), ref: 00ACAE35
            • VariantClear.OLEAUT32(?), ref: 00ACAE44
            • VariantInit.OLEAUT32(00000000), ref: 00ACAE80
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
            • String ID: %4d%02d%02d%02d%02d%02d$Default
            • API String ID: 3730832054-3931177956
            • Opcode ID: 8944defe986e4b7481c61caa3dd47a59badc848b97e7bdcfaa4e3a33bdffe15e
            • Instruction ID: 54e2a2bef4026b9c1905ed4f38b0137c43b66fdbe492415f8debfd5c4e9382e4
            • Opcode Fuzzy Hash: 8944defe986e4b7481c61caa3dd47a59badc848b97e7bdcfaa4e3a33bdffe15e
            • Instruction Fuzzy Hash: FBD1F171604219EBDB24AFA5D884F7EB7B5FF14704F16845DE40A9B280DB74EC40DBA2
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00AE71FC
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AE7247
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 3974292440-4258414348
            • Opcode ID: 25ec35e3842760f4f84ff8bb3d48d847a7f6b73d4859449a46c320d96f077943
            • Instruction ID: ec5ff963b4fcb3ea7f0adb207d1975df143af7f3fecb21b0215cb88faf1f7698
            • Opcode Fuzzy Hash: 25ec35e3842760f4f84ff8bb3d48d847a7f6b73d4859449a46c320d96f077943
            • Instruction Fuzzy Hash: 1A915D342087419BCB05EF21C951AAEB7E5BF94310F14489DF8966B3A3DB31ED4ADB81
            APIs
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00AEE5AB
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00AEBEAF), ref: 00AEE607
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AEE647
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AEE68C
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00AEE6C3
            • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00AEBEAF), ref: 00AEE6CF
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AEE6DF
            • DestroyIcon.USER32(?,?,?,?,?,00AEBEAF), ref: 00AEE6EE
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00AEE70B
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00AEE717
              • Part of subcall function 00AA0FA7: __wcsicmp_l.LIBCMT ref: 00AA1030
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
            • String ID: .dll$.exe$.icl
            • API String ID: 1212759294-1154884017
            • Opcode ID: 2c8d51d359c531324dd77d8b9c4fc2c94e077ea96c55f406d43ed698c7f93ca0
            • Instruction ID: 36276ced761a17669c21c07ddfd5c32e881d2ce8a594b8fbe3babb522420ddc8
            • Opcode Fuzzy Hash: 2c8d51d359c531324dd77d8b9c4fc2c94e077ea96c55f406d43ed698c7f93ca0
            • Instruction Fuzzy Hash: 1B61EF71500255BEEB24DF65CD86FBE7BA8BB18724F104105F911E71D1EB70AA90CBA0
            APIs
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
            • CharLowerBuffW.USER32(?,?), ref: 00ACD292
            • GetDriveTypeW.KERNEL32 ref: 00ACD2DF
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACD327
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACD35E
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ACD38C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
            • API String ID: 1148790751-4113822522
            • Opcode ID: 33b876ac94f3ccf9165023ee50b8564821a4297479efecb7be7d833130c78385
            • Instruction ID: 80e11486a89d8c90ccf18864444809afe80fa9e06fa02194bbede8baa4057f38
            • Opcode Fuzzy Hash: 33b876ac94f3ccf9165023ee50b8564821a4297479efecb7be7d833130c78385
            • Instruction Fuzzy Hash: 8A511A71604705AFC700EF20C99196EB7E4FF98758F10496DF8956B2A1DB31EE05CB92
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00AF3973,00000016,0000138C,00000016,?,00000016,00B1DDB4,00000000,?), ref: 00AC26F1
            • LoadStringW.USER32(00000000,?,00AF3973,00000016), ref: 00AC26FA
            • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00AF3973,00000016,0000138C,00000016,?,00000016,00B1DDB4,00000000,?,00000016), ref: 00AC271C
            • LoadStringW.USER32(00000000,?,00AF3973,00000016), ref: 00AC271F
            • __swprintf.LIBCMT ref: 00AC276F
            • __swprintf.LIBCMT ref: 00AC2780
            • _wprintf.LIBCMT ref: 00AC2829
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AC2840
            Strings
            Similarity
            • API ID: HandleLoadModuleString__swprintf$Message_wprintf
            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
            • API String ID: 618562835-2268648507
            • Opcode ID: d18ef0fee671215df0e977538b535237e73830c146a43c5d3c5f8dc7a0861280
            • Instruction ID: 1cbbb1296003901c3acd3e016e1920f99219859487fafa2585d555df8c39b00f
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ACD0D8
            • __swprintf.LIBCMT ref: 00ACD0FA
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00ACD137
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00ACD15C
            • _memset.LIBCMT ref: 00ACD17B
            • _wcsncpy.LIBCMT ref: 00ACD1B7
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00ACD1EC
            • CloseHandle.KERNEL32(00000000), ref: 00ACD1F7
            • RemoveDirectoryW.KERNEL32(?), ref: 00ACD200
            • CloseHandle.KERNEL32(00000000), ref: 00ACD20A
            Strings
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
            • String ID: :$\$\??\%s
            • API String ID: 2733774712-3457252023
            • Opcode ID: fcc2419f4e5a012d9ec6d9ad6c5b1a2b62db3ec5d516393c907b6afd1daae703
            • Instruction ID: 16f231878af83902b27088f0ebcb082bf40976415999d84ec14d35925daeb6be
            APIs
            Similarity
            • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
            • String ID:
            • API String ID: 884005220-0
            • Opcode ID: c6806250b7ff6e4621dcd3923ba2aceaf55f1b6156fa5c7c828789ec2dd794d0
            • Instruction ID: 7bb69ab5d8a94cbb13b07c2efa9509e86a04ad93ef8322bb3243e99735709e0c
            APIs
            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00AEBEF4,?,?), ref: 00AEE754
            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE76B
            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE776
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE783
            • GlobalLock.KERNEL32(00000000,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE78C
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE79B
            • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE7A4
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE7AB
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00AEBEF4,?,?,00000000,?), ref: 00AEE7BC
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B0D9BC,?), ref: 00AEE7D5
            • GlobalFree.KERNEL32(00000000), ref: 00AEE7E5
            • GetObjectW.GDI32(00000000,00000018,?), ref: 00AEE809
            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00AEE834
            • DeleteObject.GDI32(00000000), ref: 00AEE85C
            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00AEE872
            Similarity
            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
            • String ID:
            • API String ID: 3840717409-0
            • Opcode ID: 7b0a36c3323f8a11b7e77565e881111914cc81800cc40c2fae09c7bbae955f4a
            • Instruction ID: 3742b5812e6e0f543a5ce7642506eaa1b69c991192257762a3d78fe95802f151
            APIs
            • __wsplitpath.LIBCMT ref: 00AD076F
            • _wcscat.LIBCMT ref: 00AD0787
            • _wcscat.LIBCMT ref: 00AD0799
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AD07AE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD07C2
            • GetFileAttributesW.KERNEL32(?), ref: 00AD07DA
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00AD07F4
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD0806
            Strings
            Similarity
            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
            • String ID: *.*
            • API String ID: 34673085-438819550
            • Opcode ID: 2a88f52f971b4667a878a169d2a6562e27a4e0c28dc6fe4c30e2f6b9f55ab1c9
            • Instruction ID: d9368d18e5215818099f02b93664541309b394bc04e202922886e09136daf4f7
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00AEEF3B
            • GetFocus.USER32 ref: 00AEEF4B
            • GetDlgCtrlID.USER32(00000000), ref: 00AEEF56
            • _memset.LIBCMT ref: 00AEF081
            • GetMenuItemInfoW.USER32 ref: 00AEF0AC
            • GetMenuItemCount.USER32(00000000), ref: 00AEF0CC
            • GetMenuItemID.USER32(?,00000000), ref: 00AEF0DF
            • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00AEF113
            • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00AEF15B
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AEF193
            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00AEF1C8
            Strings
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
            • String ID: 0
            • API String ID: 1296962147-4108050209
            • Opcode ID: 3d85e4ee6c561772a15fcb08918b4185296da88f1150918fe9978aea5dadc530
            • Instruction ID: 4ea15e3a4c9b554a77014acd010a7de4f9b765bbcd4a09b8db11861d0b26065f
            APIs
              • Part of subcall function 00ABABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00ABABD7
              • Part of subcall function 00ABABBB: GetLastError.KERNEL32(?,00ABA69F,?,?,?), ref: 00ABABE1
              • Part of subcall function 00ABABBB: GetProcessHeap.KERNEL32(00000008,?,?,00ABA69F,?,?,?), ref: 00ABABF0
              • Part of subcall function 00ABABBB: HeapAlloc.KERNEL32(00000000,?,00ABA69F,?,?,?), ref: 00ABABF7
              • Part of subcall function 00ABABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00ABAC0E
              • Part of subcall function 00ABAC56: GetProcessHeap.KERNEL32(00000008,00ABA6B5,00000000,00000000,?,00ABA6B5,?), ref: 00ABAC62
              • Part of subcall function 00ABAC56: HeapAlloc.KERNEL32(00000000,?,00ABA6B5,?), ref: 00ABAC69
              • Part of subcall function 00ABAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ABA6B5,?), ref: 00ABAC7A
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ABA8CB
            • _memset.LIBCMT ref: 00ABA8E0
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ABA8FF
            • GetLengthSid.ADVAPI32(?), ref: 00ABA910
            • GetAce.ADVAPI32(?,00000000,?), ref: 00ABA94D
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ABA969
            • GetLengthSid.ADVAPI32(?), ref: 00ABA986
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ABA995
            • HeapAlloc.KERNEL32(00000000), ref: 00ABA99C
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ABA9BD
            • CopySid.ADVAPI32(00000000), ref: 00ABA9C4
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ABA9F5
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ABAA1B
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ABAA2F
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 3ef493e08ae6e6e7c6929426cf5f31721d9609c61cc41ccbfd362b3ea5157f92
            • Instruction ID: 540580077c24db5f8fddf89825dae5c89516699665959be8291945c618a9595f
            APIs
            Strings
            Similarity
            • API ID: LoadString__swprintf_wprintf
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 2889450990-2391861430
            • Opcode ID: 8a011f0b636c59368faad4a7772f1c3b345522f5d226f81bde48013ad17de852
            • Instruction ID: 36b41462d1b69d31e865b670136dd46cfbfd9c24e33df126fccc883cd5b000b3
            APIs
            Strings
            Similarity
            • API ID: LoadString__swprintf_wprintf
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 2889450990-3420473620
            • Opcode ID: 8549be2513c627606ae0a2fc08cc90cde38a138317286829ad826631673d77e8
            • Instruction ID: 02339490954bff73972d5e9ef18501c9bfcd9b61dcbf8089e1623ce400c33282
            APIs
            • _memset.LIBCMT ref: 00AC55D7
            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00AC5664
            • GetMenuItemCount.USER32(00B41708), ref: 00AC56ED
            • DeleteMenu.USER32(00B41708,00000005,00000000,000000F5,?,?), ref: 00AC577D
            • DeleteMenu.USER32(00B41708,00000004,00000000), ref: 00AC5785
            • DeleteMenu.USER32(00B41708,00000006,00000000), ref: 00AC578D
            • DeleteMenu.USER32(00B41708,00000003,00000000), ref: 00AC5795
            • GetMenuItemCount.USER32(00B41708), ref: 00AC579D
            • SetMenuItemInfoW.USER32(00B41708,00000004,00000000,00000030), ref: 00AC57D3
            • GetCursorPos.USER32(?), ref: 00AC57DD
            • SetForegroundWindow.USER32(00000000), ref: 00AC57E6
            • TrackPopupMenuEx.USER32(00B41708,00000000,?,00000000,00000000,00000000), ref: 00AC57F9
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AC5805
            Similarity
            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
            • String ID:
            • API String ID: 3993528054-0
            • Opcode ID: afac061a01cf095f9119811e58c5d59fe20cda3700678870692d21fc3975a898
            • Instruction ID: 14d8e2340770446248f8108eb8db565b98dea9ae41b68948a98aa22b66421ce4
            APIs
            • _memset.LIBCMT ref: 00ABA1DC
            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00ABA211
            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00ABA22D
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00ABA249
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00ABA273
            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00ABA29B
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00ABA2A6
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00ABA2AB
            Strings
            Similarity
            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
            • API String ID: 1687751970-22481851
            • Opcode ID: 15d1d2b5c4fa2c30ab19afb1353abc3f16f9c253a6fa50402bb7a2eed46ef00e
            • Instruction ID: ce5c76d9706fb010534b86a301671b1f73ea2de688d05688051d0b0e885196ce
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AF36F4,00000010,?,Bad directive syntax error,00B1DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00AC25D6
            • LoadStringW.USER32(00000000,?,00AF36F4,00000010), ref: 00AC25DD
            • _wprintf.LIBCMT ref: 00AC2610
            • __swprintf.LIBCMT ref: 00AC2632
            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00AC26A1
            Strings
            Similarity
            • API ID: HandleLoadMessageModuleString__swprintf_wprintf
            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
            • API String ID: 1080873982-4153970271
            • Opcode ID: 5a3c357821c8ea71aed511c918379fd47c384495954a44c8ddf3ed06d882a1de
            • Instruction ID: 59ab6cd968e6676138053dc67501dda30430a3ad8ebe92eb798da28ab8b2164c
            APIs
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AC7B42
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AC7B58
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AC7B69
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AC7B7B
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AC7B8C
            Strings
            Similarity
            • API ID: SendString
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 890592661-1007645807
            APIs
            • timeGetTime.WINMM ref: 00AC7794
              • Part of subcall function 00A9DC38: timeGetTime.WINMM(?,75C0B400,00AF58AB), ref: 00A9DC3C
            • Sleep.KERNEL32(0000000A), ref: 00AC77C0
            • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 00AC77E4
            • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00AC7806
            • SetActiveWindow.USER32 ref: 00AC7825
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AC7833
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AC7852
            • Sleep.KERNEL32(000000FA), ref: 00AC785D
            • IsWindow.USER32 ref: 00AC7869
            • EndDialog.USER32(00000000), ref: 00AC787A
            Strings
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            APIs
            • GetKeyboardState.USER32(?), ref: 00AC2ED6
            • SetKeyboardState.USER32(?), ref: 00AC2F41
            • GetAsyncKeyState.USER32(000000A0), ref: 00AC2F61
            • GetKeyState.USER32(000000A0), ref: 00AC2F78
            • GetAsyncKeyState.USER32(000000A1), ref: 00AC2FA7
            • GetKeyState.USER32(000000A1), ref: 00AC2FB8
            • GetAsyncKeyState.USER32(00000011), ref: 00AC2FE4
            • GetKeyState.USER32(00000011), ref: 00AC2FF2
            • GetAsyncKeyState.USER32(00000012), ref: 00AC301B
            • GetKeyState.USER32(00000012), ref: 00AC3029
            • GetAsyncKeyState.USER32(0000005B), ref: 00AC3052
            • GetKeyState.USER32(0000005B), ref: 00AC3060
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 00ABED1E
            • GetWindowRect.USER32(00000000,?), ref: 00ABED30
            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ABED8E
            • GetDlgItem.USER32(?,00000002), ref: 00ABED99
            • GetWindowRect.USER32(00000000,?), ref: 00ABEDAB
            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ABEE01
            • GetDlgItem.USER32(?,000003E9), ref: 00ABEE0F
            • GetWindowRect.USER32(00000000,?), ref: 00ABEE20
            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ABEE63
            • GetDlgItem.USER32(?,000003EA), ref: 00ABEE71
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ABEE8E
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00ABEE9B
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            APIs
              • Part of subcall function 00A9B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A9B759,?,00000000,?,?,?,?,00A9B72B,00000000,?), ref: 00A9BA58
            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00A9B72B), ref: 00A9B7F6
            • KillTimer.USER32(00000000,?,00000000,?,?,?,?,00A9B72B,00000000,?,?,00A9B2EF,?,?), ref: 00A9B88D
            • DestroyAcceleratorTable.USER32(00000000), ref: 00AFD8A6
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A9B72B,00000000,?,?,00A9B2EF,?,?), ref: 00AFD8D7
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A9B72B,00000000,?,?,00A9B2EF,?,?), ref: 00AFD8EE
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A9B72B,00000000,?,?,00A9B2EF,?,?), ref: 00AFD90A
            • DeleteObject.GDI32(00000000), ref: 00AFD91C
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            APIs
              • Part of subcall function 00A9B526: GetWindowLongW.USER32(?,000000EB), ref: 00A9B537
            • GetSysColor.USER32(0000000F), ref: 00A9B438
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            APIs
            Similarity
            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
            • String ID:
            • API String ID: 136442275-0
            APIs
            • CharLowerBuffW.USER32(00B1DC00,00B1DC00,00B1DC00), ref: 00ACD7CE
            • GetDriveTypeW.KERNEL32(?,00B33A70,00000061), ref: 00ACD898
            • _wcscpy.LIBCMT ref: 00ACD8C2
            Strings
            Similarity
            • API ID: BuffCharDriveLowerType_wcscpy
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2820617543-1000479233
            APIs
            • __swprintf.LIBCMT ref: 00A893AB
            • __itow.LIBCMT ref: 00A893DF
              • Part of subcall function 00AA1557: _xtow@16.LIBCMT ref: 00AA1578
            Strings
            Similarity
            • API ID: __itow__swprintf_xtow@16
            • String ID: %.15g$0x%p$False$True
            • API String ID: 1502193981-2263619337
            APIs
            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00AEA259
            • CreateCompatibleDC.GDI32(00000000), ref: 00AEA260
            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00AEA273
            • SelectObject.GDI32(00000000,00000000), ref: 00AEA27B
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00AEA286
            • DeleteDC.GDI32(00000000), ref: 00AEA28F
            • GetWindowLongW.USER32(?,000000EC), ref: 00AEA299
            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00AEA2AD
            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00AEA2B9
            Strings
            Similarity
            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
            • String ID: static
            • API String ID: 2559357485-2160076837
            APIs
            Strings
            Similarity
            • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
            • String ID: 0.0.0.0
            • API String ID: 2620052-3771769585
            APIs
            • _memset.LIBCMT ref: 00AA5047
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            • __gmtime64_s.LIBCMT ref: 00AA50E0
            • __gmtime64_s.LIBCMT ref: 00AA5116
            • __gmtime64_s.LIBCMT ref: 00AA5133
            • __allrem.LIBCMT ref: 00AA5189
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA51A5
            • __allrem.LIBCMT ref: 00AA51BC
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA51DA
            • __allrem.LIBCMT ref: 00AA51F1
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA520F
            • __invoke_watson.LIBCMT ref: 00AA5280
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            APIs
            • _memset.LIBCMT ref: 00AC4DF8
            • GetMenuItemInfoW.USER32(00B41708,000000FF,00000000,00000030), ref: 00AC4E59
            • SetMenuItemInfoW.USER32(00B41708,00000004,00000000,00000030), ref: 00AC4E8F
            • Sleep.KERNEL32(000001F4), ref: 00AC4EA1
            • GetMenuItemCount.USER32(?), ref: 00AC4EE5
            • GetMenuItemID.USER32(?,00000000), ref: 00AC4F01
            • GetMenuItemID.USER32(?,-00000001), ref: 00AC4F2B
            • GetMenuItemID.USER32(?,?), ref: 00AC4F70
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AC4FB6
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC4FCA
            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC4FEB
            Similarity
            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
            • String ID:
            • API String ID: 4176008265-0
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00AB94FE
            • SafeArrayAllocData.OLEAUT32(?), ref: 00AB9549
            • VariantInit.OLEAUT32(?), ref: 00AB955B
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00AB957B
            • VariantCopy.OLEAUT32(?,?), ref: 00AB95BE
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00AB95D2
            • VariantClear.OLEAUT32(?), ref: 00AB95E7
            • SafeArrayDestroyData.OLEAUT32(?), ref: 00AB95F4
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AB95FD
            • VariantClear.OLEAUT32(?), ref: 00AB960F
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AB961A
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: 9133eb6ced942eb12c52ac2cde0695a9fb5d89382cf26bc4986de1f65ad2cecb
            • Instruction ID: 443a793c1a75ad725808e9630d4e78e352952d6c186cd107cb709b18a4bc7a14
            • Opcode Fuzzy Hash: 9133eb6ced942eb12c52ac2cde0695a9fb5d89382cf26bc4986de1f65ad2cecb
            • Instruction Fuzzy Hash: 3D412C75A00219AFCB01EFE4D8849DEBBBDFF18354F108065E612A7261DB31EA45CBA1
            APIs
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
            • CoInitialize.OLE32 ref: 00ADADF6
            • CoUninitialize.OLE32 ref: 00ADAE01
            • CoCreateInstance.OLE32(?,00000000,00000017,00B0D8FC,?), ref: 00ADAE61
            • IIDFromString.OLE32(?,?), ref: 00ADAED4
            • VariantInit.OLEAUT32(?), ref: 00ADAF6E
            • VariantClear.OLEAUT32(?), ref: 00ADAFCF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 834269672-1287834457
            • Opcode ID: 3a447fb62a551a0e0e511b5d9ad8491612bfb0d34ca635ae452d5764ef28cce2
            • Instruction ID: 00d75a8bc6c1a3ae29a68c30335afb7f0dd798a37d387d7659e37ff40621253c
            • Opcode Fuzzy Hash: 3a447fb62a551a0e0e511b5d9ad8491612bfb0d34ca635ae452d5764ef28cce2
            • Instruction Fuzzy Hash: DA619B712083119FC711EF54C948B6ABBE8AF98714F14494EF9869B3A1CB70ED44CB93
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 00AD8168
            • inet_addr.WSOCK32(?,?,?), ref: 00AD81AD
            • gethostbyname.WSOCK32(?), ref: 00AD81B9
            • IcmpCreateFile.IPHLPAPI ref: 00AD81C7
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AD8237
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AD824D
            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AD82C2
            • WSACleanup.WSOCK32 ref: 00AD82C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: d133c8fa0f4a17b4b585295a91862f8934de7fcf15d3b23863fdcf26d3595b37
            • Instruction ID: 45cdf441d6db5d37ccd865cfc5280c6495541986816d47969686a24a15bde76d
            • Opcode Fuzzy Hash: d133c8fa0f4a17b4b585295a91862f8934de7fcf15d3b23863fdcf26d3595b37
            • Instruction Fuzzy Hash: 65518E31604700AFDB11EF64CD45B6AB7F4AF48720F04896AFA669B3A1DF34E905CB42
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00ACE396
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00ACE40C
            • GetLastError.KERNEL32 ref: 00ACE416
            • SetErrorMode.KERNEL32(00000000,READY), ref: 00ACE483
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 1d5ff5dccbbb41bc0f0d26610349f7ec036abcf376c52c384b230e177544edf4
            • Instruction ID: 41352d7b7f62084fc7b4670b054daa1a3bc9753b724fe9ea18bf1d5ada988956
            • Opcode Fuzzy Hash: 1d5ff5dccbbb41bc0f0d26610349f7ec036abcf376c52c384b230e177544edf4
            • Instruction Fuzzy Hash: 2931B539A00209AFDB05EFA4CA45FBEB7F4EF14700F158059E506EB291DB719E41CB91
            APIs
            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00ABB98C
            • GetDlgCtrlID.USER32 ref: 00ABB997
            • GetParent.USER32 ref: 00ABB9B3
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ABB9B6
            • GetDlgCtrlID.USER32(?), ref: 00ABB9BF
            • GetParent.USER32(?), ref: 00ABB9DB
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ABB9DE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent
            • String ID: ComboBox$ListBox
            • API String ID: 1383977212-1403004172
            • Opcode ID: c969c4a99b4620c3af901e9ba87112b1ebd51284ff16a2e6fb5d84a342c87e3c
            • Instruction ID: 7dda567e63132142a5e5dfd7d85e3d20f6012d0b3ba3d24d7454606c10e28e2f
            • Opcode Fuzzy Hash: c969c4a99b4620c3af901e9ba87112b1ebd51284ff16a2e6fb5d84a342c87e3c
            • Instruction Fuzzy Hash: B6218374900104BFDB04ABA4CC86EFEBBB9EF59310F10411AF651972E2DBB55919DB70
            APIs
            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00ABBA73
            • GetDlgCtrlID.USER32 ref: 00ABBA7E
            • GetParent.USER32 ref: 00ABBA9A
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ABBA9D
            • GetDlgCtrlID.USER32(?), ref: 00ABBAA6
            • GetParent.USER32(?), ref: 00ABBAC2
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ABBAC5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent
            • String ID: ComboBox$ListBox
            • API String ID: 1383977212-1403004172
            • Opcode ID: 6a1070d5a23fb84ec8dfc65aa6cad3ba2cd8336eac94cd9ccdaa0b991bfcb703
            • Instruction ID: 372fc1a239ae281ea0baed7b2048ba6c2769cc73fbf6f4e19c2a4f9cabe7c881
            • Opcode Fuzzy Hash: 6a1070d5a23fb84ec8dfc65aa6cad3ba2cd8336eac94cd9ccdaa0b991bfcb703
            • Instruction Fuzzy Hash: AE2180B4A40108BFDB01ABA4CC85EFEBBB9EF55300F104119F551A71E2DBBA59199B30
            APIs
            • GetParent.USER32 ref: 00ABBAE3
            • GetClassNameW.USER32(00000000,?,00000100), ref: 00ABBAF8
            • _wcscmp.LIBCMT ref: 00ABBB0A
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00ABBB85
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend_wcscmp
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1704125052-3381328864
            • Opcode ID: 9c7a4aafc0206917e8cd48490b0bc397ec1e5750388db496d60459783b6e8c87
            • Instruction ID: 204e3d0c23665da7329ea9fc3dd351ba6be2cf0282b24b3a71839cf34396448f
            • Opcode Fuzzy Hash: 9c7a4aafc0206917e8cd48490b0bc397ec1e5750388db496d60459783b6e8c87
            • Instruction Fuzzy Hash: A511E976658307FEFA246735DC07DEA77ACDB22724F200022F904E60EBEFE268515524
            APIs
            • VariantInit.OLEAUT32(?), ref: 00ADB2D5
            • CoInitialize.OLE32(00000000), ref: 00ADB302
            • CoUninitialize.OLE32 ref: 00ADB30C
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00ADB40C
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00ADB539
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 00ADB56D
            • CoGetObject.OLE32(?,00000000,00B0D91C,?), ref: 00ADB590
            • SetErrorMode.KERNEL32(00000000), ref: 00ADB5A3
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00ADB623
            • VariantClear.OLEAUT32(00B0D91C), ref: 00ADB633
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
            • String ID:
            • API String ID: 2395222682-0
            • Opcode ID: 90c7d9c264243e580f633841d8d7b65228181fbde1d0df020884fd0de57ce900
            • Instruction ID: 94fd5a32056e6655eccbfa75898d57613a3627357ed3262e4404cb1625362d35
            • Opcode Fuzzy Hash: 90c7d9c264243e580f633841d8d7b65228181fbde1d0df020884fd0de57ce900
            • Instruction Fuzzy Hash: C3C102B1618301EFD700EF68C88496AB7E9BF88344F05495EF58A9B361DB71ED05CB62
            APIs
            • __swprintf.LIBCMT ref: 00AC67FD
            • __swprintf.LIBCMT ref: 00AC680A
              • Part of subcall function 00AA172B: __woutput_l.LIBCMT ref: 00AA1784
            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00AC6834
            • LoadResource.KERNEL32(?,00000000), ref: 00AC6840
            • LockResource.KERNEL32(00000000), ref: 00AC684D
            • FindResourceW.KERNEL32(?,?,00000003), ref: 00AC686D
            • LoadResource.KERNEL32(?,00000000), ref: 00AC687F
            • SizeofResource.KERNEL32(?,00000000), ref: 00AC688E
            • LockResource.KERNEL32(?), ref: 00AC689A
            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AC68F9
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
            • String ID:
            • API String ID: 1433390588-0
            • Opcode ID: 508b279f57b4f4d3cc55de60979363f8dec8620a86653835386d98225a1dfa51
            • Instruction ID: 703525055aa60bbbaf2c310af7452a041fa453e1b8306e3dbf0e2fa418132f30
            • Opcode Fuzzy Hash: 508b279f57b4f4d3cc55de60979363f8dec8620a86653835386d98225a1dfa51
            • Instruction Fuzzy Hash: 11318D7590021AABDB11DFA0DD45EBF7BA8FF18340F018429F912E3190EB34DA51DBA0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00AC4047
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AC30A5,?,00000001), ref: 00AC405B
            • GetWindowThreadProcessId.USER32(00000000), ref: 00AC4062
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AC30A5,?,00000001), ref: 00AC4071
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC4083
            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00AC30A5,?,00000001), ref: 00AC409C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AC30A5,?,00000001), ref: 00AC40AE
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AC30A5,?,00000001), ref: 00AC40F3
            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00AC30A5,?,00000001), ref: 00AC4108
            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00AC30A5,?,00000001), ref: 00AC4113
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: 4876277f64ac80c2570fb0cb4a34512f91d704ceb96cdd596c060f3701c43e8e
            • Instruction ID: ee9f9025102953411c06ad69b7739294df8aca930b225ddca1c575df83b7f9d1
            • Opcode Fuzzy Hash: 4876277f64ac80c2570fb0cb4a34512f91d704ceb96cdd596c060f3701c43e8e
            • Instruction Fuzzy Hash: B2318F75500204BBDB10DF54DC96F6977B9FB69711F1A8109FA04E7290CFB59A808B68
            APIs
            • EnumChildWindows.USER32(?,00ABCF50), ref: 00ABCE90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ChildEnumWindows
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 3555792229-1603158881
            • Opcode ID: b387bc77a6d1a16f8522426f77e8cfc35b2ab0e54ade8915f58fbb03ccd6f872
            • Instruction ID: 8c256370913291511969e8f4d310c75522b91e90ee01972ed8f45213c7b85abd
            • Opcode Fuzzy Hash: b387bc77a6d1a16f8522426f77e8cfc35b2ab0e54ade8915f58fbb03ccd6f872
            • Instruction Fuzzy Hash: D4918431A00606EBCB18EF60C582FEAFBB9BF04310F548559D559E7292DF30A959DBE0
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A830DC
            • CoUninitialize.OLE32(?,00000000), ref: 00A83181
            • UnregisterHotKey.USER32(?), ref: 00A832A9
            • DestroyWindow.USER32(?), ref: 00AF5079
            • FreeLibrary.KERNEL32(?), ref: 00AF50F8
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF5125
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: f9e21692f0b95ad13cfa694ac0af2348e1868a637969548f9b63649b35ac8a8e
            • Instruction ID: 8503d481d45828d27246ea52abbf8d69a578e22eb391e8f601ec36fdd1cb0d53
            • Opcode Fuzzy Hash: f9e21692f0b95ad13cfa694ac0af2348e1868a637969548f9b63649b35ac8a8e
            • Instruction Fuzzy Hash: 2B913A357002068FCB19FF64C999A68F3B4FF14B04F5482A9E50AA7262DF30AE56CF54
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00A9CC15
              • Part of subcall function 00A9CCCD: GetClientRect.USER32(?,?), ref: 00A9CCF6
              • Part of subcall function 00A9CCCD: GetWindowRect.USER32(?,?), ref: 00A9CD37
              • Part of subcall function 00A9CCCD: ScreenToClient.USER32(?,?), ref: 00A9CD5F
            • GetDC.USER32 ref: 00AFD137
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AFD14A
            • SelectObject.GDI32(00000000,00000000), ref: 00AFD158
            • SelectObject.GDI32(00000000,00000000), ref: 00AFD16D
            • ReleaseDC.USER32(?,00000000), ref: 00AFD175
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AFD200
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
             • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: 1f615feffa650c229f0d21d6ecb16be607dea2c082900ea1b2e55f781cc9980c
            • Instruction ID: 3443cf50192bf5360cbb253b59d7c2e90c205317d9145b091bfefbba4d204beb
            • Opcode Fuzzy Hash: 1f615feffa650c229f0d21d6ecb16be607dea2c082900ea1b2e55f781cc9980c
            • Instruction Fuzzy Hash: 9A71C130500209DFCF22DFA4C885ABA7BB6FF49324F144669FE565B2A6CB318841DB60
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
              • Part of subcall function 00A9B63C: GetCursorPos.USER32(000000FF), ref: 00A9B64F
              • Part of subcall function 00A9B63C: ScreenToClient.USER32(00000000,000000FF), ref: 00A9B66C
              • Part of subcall function 00A9B63C: GetAsyncKeyState.USER32(00000001), ref: 00A9B691
              • Part of subcall function 00A9B63C: GetAsyncKeyState.USER32(00000002), ref: 00A9B69F
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00AEED3C
            • ImageList_EndDrag.COMCTL32 ref: 00AEED42
            • ReleaseCapture.USER32 ref: 00AEED48
            • SetWindowTextW.USER32(?,00000000), ref: 00AEEDF0
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00AEEE03
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00AEEEDC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID
            • API String ID: 1924731296-2107944366
            • Opcode ID: 321d6d56382a12ad8adc6abdb8b5fb131fbcdcfb82b78153ca1433829fd790be
            • Instruction ID: c22c464f84136bb9647b704cbdfc65e5aee0401b11b16c373e6872dd4359161b
            • Opcode Fuzzy Hash: 321d6d56382a12ad8adc6abdb8b5fb131fbcdcfb82b78153ca1433829fd790be
            • Instruction Fuzzy Hash: C3518974204340AFD710EF24DD9AFAA77E4FB88714F004929F595972E2DB70A944CB52
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AD45FF
            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AD462B
            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00AD466D
            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AD4682
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AD468F
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00AD46BF
            • InternetCloseHandle.WININET(00000000), ref: 00AD4706
              • Part of subcall function 00AD5052: GetLastError.KERNEL32(?,?,00AD43CC,00000000,00000000,00000001), ref: 00AD5067
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
            • String ID:
            • API String ID: 1241431887-3916222277
            • Opcode ID: a6b290a3de26812644d7b827aec2fc7d59a1fd409e721693c1f368015e52c493
            • Instruction ID: d75595d1a4d8a263ea36ba5edbe74ae222927afaf529a7a14527ca0cee933362
            • Opcode Fuzzy Hash: a6b290a3de26812644d7b827aec2fc7d59a1fd409e721693c1f368015e52c493
            • Instruction Fuzzy Hash: 71413EB1501205BFEB129FA4CC89FBA77ACEF09754F104116FA069A291DBB0DD448BA4
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B1DC00), ref: 00ADB715
            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B1DC00), ref: 00ADB749
            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00ADB8C1
            • SysFreeString.OLEAUT32(?), ref: 00ADB8EB
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Free$FileLibraryModuleNamePathQueryStringType
            • String ID:
            • API String ID: 560350794-0
            • Opcode ID: ea2117de7b81daf90963967cbae311edb36b26460be9a336a1a70686666103e0
            • Instruction ID: 3463cc775bc364cb19c7a79db40a2d79818ff704990333dfe3eead116f4ca0b9
            • Opcode Fuzzy Hash: ea2117de7b81daf90963967cbae311edb36b26460be9a336a1a70686666103e0
            • Instruction Fuzzy Hash: 28F13C75A10209EFDF04DF94C888EAEB7B9FF49315F118459F906AB250DB31AE45CBA0
            APIs
            • _memset.LIBCMT ref: 00AE24F5
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AE2688
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AE26AC
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AE26EC
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AE270E
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AE286F
            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00AE28A1
            • CloseHandle.KERNEL32(?), ref: 00AE28D0
            • CloseHandle.KERNEL32(?), ref: 00AE2947
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
            • String ID:
            • API String ID: 4090791747-0
            • Opcode ID: 561db5e6257f6380a71cd8f7fcc91e5d955eed71f2d73bdb6552791fa64812f4
            • Instruction ID: f7629a470932befc173de449277b350620850a94d9e91759df5b1b06ef644d90
            • Opcode Fuzzy Hash: 561db5e6257f6380a71cd8f7fcc91e5d955eed71f2d73bdb6552791fa64812f4
            • Instruction Fuzzy Hash: 13D1AE35604240DFCB15EF25CA91B6ABBE5AF85320F18895DF8999B2A2DB31DC40CB52
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00AEB3F4
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: d93896ac7867e53c97f841804ed914a82ecbecaa71be59af85ba08bbf1d510a5
            • Instruction ID: a9629fd803ea43f70d105cf557c60a99d0a988f2a66835030ba3ad8f04c2c4fc
            • Opcode Fuzzy Hash: d93896ac7867e53c97f841804ed914a82ecbecaa71be59af85ba08bbf1d510a5
            • Instruction Fuzzy Hash: 5651B530621285BBEF20AF6ACD8EB9F3B74AB05714F244011F615DB5E1CB71E9508B71
            APIs
            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00AFDB1B
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AFDB3C
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00AFDB51
            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00AFDB6E
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AFDB95
            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00A9A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00AFDBA0
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AFDBBD
            • DestroyIcon.USER32(00000000,?,?,?,?,?,?,00A9A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00AFDBC8
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend
            • String ID:
            • API String ID: 1268354404-0
            • Opcode ID: 5855302b3c6fe15750515470df3d853e7136c0f0333c6b10e5149e1e837b472e
            • Instruction ID: 6016e77364dfa89fe97bbbdf889287a8af0bba5dac9e68617abcf42b9062576e
            • Opcode Fuzzy Hash: 5855302b3c6fe15750515470df3d853e7136c0f0333c6b10e5149e1e837b472e
            • Instruction Fuzzy Hash: 9A515970700209AFDF21DFA8CC82FAA77F5AB28754F110519FA4697290DBB0AD90DB90
            APIs
              • Part of subcall function 00AC6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AC5FA6,?), ref: 00AC6ED8
              • Part of subcall function 00AC6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AC5FA6,?), ref: 00AC6EF1
              • Part of subcall function 00AC72CB: GetFileAttributesW.KERNEL32(?,00AC6019), ref: 00AC72CC
            • lstrcmpiW.KERNEL32(?,?), ref: 00AC75CA
            • _wcscmp.LIBCMT ref: 00AC75E2
            • MoveFileW.KERNEL32(?,?), ref: 00AC75FB
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
            • String ID:
            • API String ID: 793581249-0
            • Opcode ID: 10262ab2c516a7052bdb823b9036397ae0d718949fc4bdfa16303cdaad15d192
            • Instruction ID: 2f8788294a83a8eec11ae43bf85cb1467a9299c57ffe0cd8ec86ee8f3c11db8d
            • Opcode Fuzzy Hash: 10262ab2c516a7052bdb823b9036397ae0d718949fc4bdfa16303cdaad15d192
            • Instruction Fuzzy Hash: 715112B2A092199ADF54EB94D941EDD73BC9F09320F00449EF605E3181EB7496C5CF64
            APIs
            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00AFDAD1,00000004,00000000,00000000), ref: 00A9EAEB
            • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00AFDAD1,00000004,00000000,00000000), ref: 00A9EB32
            • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00AFDAD1,00000004,00000000,00000000), ref: 00AFDC86
            • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00AFDAD1,00000004,00000000,00000000), ref: 00AFDCF2
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: b99a314b76f7b1cadf6740b332bf406d73cfbcf486849b4c05abdfc9687d81f8
            • Instruction ID: 0c683dd8672e66b1ac78f763c492a41efd2753f4fa002468622338d0db5511fb
            • Opcode Fuzzy Hash: b99a314b76f7b1cadf6740b332bf406d73cfbcf486849b4c05abdfc9687d81f8
            • Instruction Fuzzy Hash: AC41E671705280DADF36CB788D8DA3A7AE6BB51306F19880DF187879A3CA71A881D311
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00ABAEF1,00000B00,?,?), ref: 00ABB26C
            • HeapAlloc.KERNEL32(00000000,?,00ABAEF1,00000B00,?,?), ref: 00ABB273
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00ABAEF1,00000B00,?,?), ref: 00ABB288
            • GetCurrentProcess.KERNEL32(?,00000000,?,00ABAEF1,00000B00,?,?), ref: 00ABB290
            • DuplicateHandle.KERNEL32(00000000,?,00ABAEF1,00000B00,?,?), ref: 00ABB293
            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00ABAEF1,00000B00,?,?), ref: 00ABB2A3
            • GetCurrentProcess.KERNEL32(00ABAEF1,00000000,?,00ABAEF1,00000B00,?,?), ref: 00ABB2AB
            • DuplicateHandle.KERNEL32(00000000,?,00ABAEF1,00000B00,?,?), ref: 00ABB2AE
            • CreateThread.KERNEL32(00000000,00000000,00ABB2D4,00000000,00000000,00000000), ref: 00ABB2C8
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: 6eb60be2f77ffbd741a60b326b0e84de0d9db10be50090b9fe6fbaf47fd7964a
            • Instruction ID: b10d4324d158ec988e49ea7f2240058ff90bb7df5e6ff7741c4c529799cdbaf8
            • Opcode Fuzzy Hash: 6eb60be2f77ffbd741a60b326b0e84de0d9db10be50090b9fe6fbaf47fd7964a
            • Instruction Fuzzy Hash: 0E01B6B5240308BFEB10ABA5DC49F6B7BACEB98711F018411FA05DB1E1CAB49800CB65
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID: NULL Pointer assignment$Not an Object type
            • API String ID: 0-572801152
            • Opcode ID: 3a372bc726d547be0259bc789ba67b23877070ca49a055dadac7bc0056c4627a
            • Instruction ID: 91df09bdec1d41e1ae2ffa127de0fc90476a4526b69a3e605510909ac9d3bd51
            • Opcode Fuzzy Hash: 3a372bc726d547be0259bc789ba67b23877070ca49a055dadac7bc0056c4627a
            • Instruction Fuzzy Hash: 25E1C371A0021AABDF14DFA8D985FEE77B5EF48724F54802AE906A7381D770ED41CB90
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Variant$ClearInit$_memset
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2862541840-625585964
            • Opcode ID: cc77b82da7f96a274f9e822d95e4139a84d2c9ec9efdc8f218535628bd0e0d27
            • Instruction ID: 7ec1e0d137ab6d21afe66a7eb1d555135c4847ff0dfa1141457f259755bb4985
            • Opcode Fuzzy Hash: cc77b82da7f96a274f9e822d95e4139a84d2c9ec9efdc8f218535628bd0e0d27
            • Instruction Fuzzy Hash: 70918071A10219EFDF24CFA5C848FAEBBB9EF45710F11855AF516AB290DB709940CFA0
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00AE9B19
            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00AE9B2D
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00AE9B47
            • _wcscat.LIBCMT ref: 00AE9BA2
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00AE9BB9
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00AE9BE7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$Window_wcscat
            • String ID: SysListView32
            • API String ID: 307300125-78025650
            • Opcode ID: be046426e4f7dbb0790f990e37c51129ff5ff29c28a3b776ef4ae414d89d801a
            • Instruction ID: 7ba239908a66977ad9f5c9c8052d8458f9aa3b43f15cf7b1f449a4a47bb5089b
            • Opcode Fuzzy Hash: be046426e4f7dbb0790f990e37c51129ff5ff29c28a3b776ef4ae414d89d801a
            • Instruction Fuzzy Hash: 1241AD71A00348ABDB219FA4DC85BEF77A8EF08350F10486AF549A7292D7719D85CB60
            APIs
              • Part of subcall function 00AC6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AC6554
              • Part of subcall function 00AC6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AC6564
              • Part of subcall function 00AC6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AC65F9
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AE179A
            • GetLastError.KERNEL32 ref: 00AE17AD
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AE17D9
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AE1855
            • GetLastError.KERNEL32(00000000), ref: 00AE1860
            • CloseHandle.KERNEL32(00000000), ref: 00AE1895
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: a76c9153d74fc986f7e5f1e7d3ca3781ef7ec1753de36de8b9d678d7f5647851
            • Instruction ID: 45acf0134ae11d7695c4b3369105fcc5e14d803e6e6b8d1372c5386743c19a7d
            • Opcode Fuzzy Hash: a76c9153d74fc986f7e5f1e7d3ca3781ef7ec1753de36de8b9d678d7f5647851
            • Instruction Fuzzy Hash: 8941AC72700210AFDB05EF94C9A5FADB7A5AF54710F05845CF9069F2D2DFB4E9008B91
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 00AC58B8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: ac90f5b14341e1159eba901f5a6b79d50ac688ff877f47fcf6138e090e334496
            • Instruction ID: 0aa5e9eda270a28f615d94a94df42061f70c9e0f783ce09a5c19025df8f6cc24
            • Opcode Fuzzy Hash: ac90f5b14341e1159eba901f5a6b79d50ac688ff877f47fcf6138e090e334496
            • Instruction Fuzzy Hash: 3911D835A0DB42BEE7055B649C82E6E33EC9F26720F21007EF500A62C1E760BA805764
            APIs
            • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00ACA806
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ArraySafeVartype
            • String ID:
            • API String ID: 1725837607-0
            • Opcode ID: b6dfacc5f836d34434f57600c710b55926818cbd87fda737977ec3bc54b00824
            • Instruction ID: 4673c791ad1f5989a81b3fbcfd4282b2c5f68ce7eb6e2ebc1ff084fb218b7427
            • Opcode Fuzzy Hash: b6dfacc5f836d34434f57600c710b55926818cbd87fda737977ec3bc54b00824
            • Instruction Fuzzy Hash: 9AC15675A0021A9FDB00CF98D585BBEB7F4EF18319F21806EE606E7291D734AA41CB91
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AC6B63
            • LoadStringW.USER32(00000000), ref: 00AC6B6A
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AC6B80
            • LoadStringW.USER32(00000000), ref: 00AC6B87
            • _wprintf.LIBCMT ref: 00AC6BAD
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AC6BCB
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 00AC6BA8
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wprintf
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 3648134473-3128320259
            • Opcode ID: d5c5f0f507f5740fd9a700eb5979ceb0f2ac25becb30d8832e118cc0ea855300
            • Instruction ID: 288e5e2f5fd1a173d50cae1f6563387ee8040bcba7deaa52390dc129762da18e
            • Opcode Fuzzy Hash: d5c5f0f507f5740fd9a700eb5979ceb0f2ac25becb30d8832e118cc0ea855300
            • Instruction Fuzzy Hash: 1A011DF6900218BFEB11ABE49D89EE7776CEB18304F0044A5B746E7081EE749E848B74
            APIs
              • Part of subcall function 00AE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE2BB5,?,?), ref: 00AE3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE2BF6
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BuffCharConnectRegistryUpper
            • String ID:
            • API String ID: 2595220575-0
            • Opcode ID: 3172c2f7c2c1835067b977e3e6778ce92eb00d2ca0f158b1cac0d74e3dec056f
            • Instruction ID: 00a22f23b8aef6bfddc3fbb28f64bc1b4f73b36da26fc8cacc789ffe202ff5ef
            • Opcode Fuzzy Hash: 3172c2f7c2c1835067b977e3e6778ce92eb00d2ca0f158b1cac0d74e3dec056f
            • Instruction Fuzzy Hash: 82918971604201AFCB01EF55C995B6EB7E9FF98310F14881DF99A9B2A1DB30E905CF42
            APIs
            • select.WSOCK32 ref: 00AD9691
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD969E
            • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00AD96C8
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AD96E9
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD96F8
            • inet_ntoa.WSOCK32(?), ref: 00AD9765
            • htons.WSOCK32(?,?,?,00000000,?), ref: 00AD97AA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorLast$htonsinet_ntoaselect
            • String ID:
            • API String ID: 500251541-0
            • Opcode ID: da3764ed59f407cb3c34a8a02d4dfb686186974ba9078888adbcf33c551a7fe9
            • Instruction ID: 80f9fb5006553449758f0119ba3175296d65b03feeacae9ad73a6a5a8a8efb7a
            • Opcode Fuzzy Hash: da3764ed59f407cb3c34a8a02d4dfb686186974ba9078888adbcf33c551a7fe9
            • Instruction Fuzzy Hash: 7E71AA31504240ABC710EF64CD85E6FB7E9EF99B14F104A1EF5569B2A1EB30DD04CBA2
            APIs
            • __mtinitlocknum.LIBCMT ref: 00AAA991
              • Part of subcall function 00AA7D7C: __FF_MSGBANNER.LIBCMT ref: 00AA7D91
              • Part of subcall function 00AA7D7C: __NMSG_WRITE.LIBCMT ref: 00AA7D98
              • Part of subcall function 00AA7D7C: __malloc_crt.LIBCMT ref: 00AA7DB8
            • __lock.LIBCMT ref: 00AAA9A4
            • __lock.LIBCMT ref: 00AAA9F0
            • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00B36DE0,00000018,00AB5E7B,?,00000000,00000109), ref: 00AAAA0C
            • EnterCriticalSection.KERNEL32(8000000C,00B36DE0,00000018,00AB5E7B,?,00000000,00000109), ref: 00AAAA29
            • LeaveCriticalSection.KERNEL32(8000000C), ref: 00AAAA39
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
            • String ID:
            • API String ID: 1422805418-0
            • Opcode ID: fc6266e92ad03a9579b7fdfb513866a99ddf512e0b471afb6dfc3e15092935c7
            • Instruction ID: 82abca2f3e63f7b18f7b11838fffa9e15a694763ec1aef69d24df9814f77ffc7
            • Opcode Fuzzy Hash: fc6266e92ad03a9579b7fdfb513866a99ddf512e0b471afb6dfc3e15092935c7
            • Instruction Fuzzy Hash: 4F413671A007119BEB10DFACDA4475DB7F0BF23374F248219E525AB2D2DB749940CB92
            APIs
            • DeleteObject.GDI32(00000000), ref: 00AE8EE4
            • GetDC.USER32(00000000), ref: 00AE8EEC
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AE8EF7
            • ReleaseDC.USER32(00000000,00000000), ref: 00AE8F03
            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00AE8F3F
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00AE8F50
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00AEBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00AE8F8A
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00AE8FAA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: d07defe302fb280a9fffc2bae649b9e7279b4441b5dca9915eaf0990d52ff856
            • Instruction ID: 2bc54f4e02514dbb2ad5b904dab389839f268c2267ab35f5e45bbb8bbe01e845
            • Opcode Fuzzy Hash: d07defe302fb280a9fffc2bae649b9e7279b4441b5dca9915eaf0990d52ff856
            • Instruction Fuzzy Hash: 28316B72200254BFEB108F95CC4AFEA3BA9EF59755F044065FE099B191DABA9841CB70
            APIs
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
              • Part of subcall function 00A9C6F4: _wcscpy.LIBCMT ref: 00A9C717
            • _wcstok.LIBCMT ref: 00AD184E
            • _wcscpy.LIBCMT ref: 00AD18DD
            • _memset.LIBCMT ref: 00AD1910
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: de619bf2ebf9f861d39ccf435f189af3a351aa4aacbeaff30e38a3e508ce449f
            • Instruction ID: 209d3644fbeeaba92b3f4898ae399f55c38d91a72adedc6a1196ef5801ae5ef5
            • Opcode Fuzzy Hash: de619bf2ebf9f861d39ccf435f189af3a351aa4aacbeaff30e38a3e508ce449f
            • Instruction Fuzzy Hash: C9C15C356043409FC724FF64CA95A9AB7E4EF85350F04496EF89A973A2DB30ED05CB82
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • GetSystemMetrics.USER32(0000000F), ref: 00AF016D
            • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 00AF038D
            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00AF03AB
            • InvalidateRect.USER32(?,00000000,00000001,?), ref: 00AF03D6
            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00AF03FF
            • ShowWindow.USER32(00000003,00000000), ref: 00AF0421
            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00AF0440
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
            • String ID:
            • API String ID: 3356174886-0
            • Opcode ID: 881a6822181c55d51a451053a01e2474a6f31cd571b2dcfb3054d76c602120ac
            • Instruction ID: 6e24057f2320bf2ce03b0735a53cf7d5f7dad497bfa2925cd751b1082ed1de2f
            • Opcode Fuzzy Hash: 881a6822181c55d51a451053a01e2474a6f31cd571b2dcfb3054d76c602120ac
            • Instruction Fuzzy Hash: B6A1AF3560061AEFDB18CFA8C985BBDBBB1BF04741F148215FE54AB291DB34AD50CB90
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b1f05e37096880b3402ea6ef21875b50a07efedfd6f7d8261fc3556a1c7ddd54
            • Instruction ID: dcaf4ce96e11db42b601789f98714f249f16a6c67466b3aebbc2ed4fe1cef2d9
            • Opcode Fuzzy Hash: b1f05e37096880b3402ea6ef21875b50a07efedfd6f7d8261fc3556a1c7ddd54
            • Instruction Fuzzy Hash: C8715CB1A00119EFCF14CF98CC49ABEBBB4FF95314F24814AF915AB251D734AA41CBA1
            APIs
            • _memset.LIBCMT ref: 00AE225A
            • _memset.LIBCMT ref: 00AE2323
            • ShellExecuteExW.SHELL32(?), ref: 00AE2368
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
              • Part of subcall function 00A9C6F4: _wcscpy.LIBCMT ref: 00A9C717
            • CloseHandle.KERNEL32(00000000), ref: 00AE242F
            • FreeLibrary.KERNEL32(00000000), ref: 00AE243E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 4082843840-2766056989
            • Opcode ID: 2bcca10d155860e632df97f82782d9d449b637383e8ccb028bd12bcb2726c030
            • Instruction ID: 2fc48731d22bae134c4ff05d7d9eaaaa112fe11daac57942533485ef772ab7d8
            • Opcode Fuzzy Hash: 2bcca10d155860e632df97f82782d9d449b637383e8ccb028bd12bcb2726c030
            • Instruction Fuzzy Hash: D1717D75A006599FCF05EFA5C981AAEBBF9FF48310F108459E856AB391CB34AD40CF90
            APIs
            • GetParent.USER32(00000000), ref: 00AC3C02
            • GetKeyboardState.USER32(?), ref: 00AC3C17
            • SetKeyboardState.USER32(?), ref: 00AC3C78
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AC3CA4
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AC3CC1
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AC3D05
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AC3D26
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 718d35b27d3d0e8d20ff2524ce5c60f12b6806cfd75620bc6d5e39e8ae9658f8
            • Instruction ID: 378cf12099f5fec6d85aecef97f6bd0ff64fe2c8e6507d615b0f24750ad7a449
            • Opcode Fuzzy Hash: 718d35b27d3d0e8d20ff2524ce5c60f12b6806cfd75620bc6d5e39e8ae9658f8
            • Instruction Fuzzy Hash: E351E4A25087D53DFF3383648C55FBABEA96B06300F0DC98CE0D6564C2D695EE88E760
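            The "APIs" listings in this report print every argument as raw hex and show wsock32 imports that have no exported name as ordinals (the "#17.WSOCK32" call in the select/inet_ntoa function at 00AD9691). The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in exactly this listing format, resolves the constants that matter for triage (PROCESS_TERMINATE, TH32CS_SNAPPROCESS, WM_KEYDOWN and the VK_ modifier codes, wsock32 ordinal 17 = recvfrom) and tags the three behaviours visible in the functions shown above: process enumeration followed by OpenProcess(PROCESS_TERMINATE)/TerminateProcess in the "SeDebugPrivilege" routine at 00AE179A, a UDP receive at 00AD96E9, and modifier-key injection through SetKeyboardState/PostMessage at 00AC3C17. Sample inputs are copied (abridged) from the listings on this page; the tag names are my own. One assumption is built into the table: the report prints sign-extended byte immediates such as GWL_STYLE (-16) and GWL_USERDATA (-21) as 000000F0 and 000000EB, so those entries key on the byte value.

```python
"""Decode the 'APIs' listings of a Joe Sandbox disassembly report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# e.g. "  • Part of subcall function 00AC6532: OpenProcess.KERNEL32(00000001,?), ref: 00AE179A"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^.\s]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# wsock32.dll exports these only by ordinal; the report prints them as "#N".
WSOCK32_ORDINALS = {16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto"}
# (API, zero-based argument index) -> names for values the report shows as hex.
# GWL_* keys use the byte the report prints for a sign-extended push (assumption).
ARG_NAMES: Dict[Tuple[str, int], Dict[int, str]] = {
    ("OpenProcess", 0): {0x1: "PROCESS_TERMINATE"},
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("PostMessageW", 1): {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"},
    ("PostMessageW", 2): {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"},
    ("SendMessageW", 1): {0x30: "WM_SETFONT", 0xF0: "BM_GETCHECK", 0xF1: "BM_SETCHECK"},
    ("GetWindowLongW", 1): {0xF0: "GWL_STYLE", 0xEB: "GWL_USERDATA"},
    ("GetDeviceCaps", 1): {0x5A: "LOGPIXELSY"},
}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None

    @property
    def name(self) -> str:
        """Resolve ordinal-only imports such as '#17' to a function name."""
        if self.api.startswith("#") and self.module == "WSOCK32":
            return WSOCK32_ORDINALS.get(int(self.api[1:]), self.api)
        return self.api


def parse_calls(text: str) -> List[Call]:
    """Turn the bullet lines of one 'APIs' section into Call records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as 'Strings' or 'Memory Dump Source'
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def decode_arg(call: Call, index: int) -> str:
    """Name a known constant; keep '?' (unresolved by the sandbox) as is."""
    raw = call.args[index]
    if raw == "?":
        return raw
    value = int(raw, 16)
    return ARG_NAMES.get((call.api, index), {}).get(value, f"0x{value:X}")


def render(call: Call) -> str:
    args = ", ".join(decode_arg(call, i) for i in range(len(call.args)))
    where = f"{call.ref:08X}"
    if call.subcall_of is not None:
        where += f" via sub_{call.subcall_of:08X}"
    return f"{where}: {call.name}({args})"


def classify(calls: List[Call]) -> Set[str]:
    """Tag behaviours a triager should look at in this function (my own tag names)."""
    names = {c.name for c in calls}
    tags: Set[str] = set()
    if ({"CreateToolhelp32Snapshot", "Process32FirstW", "TerminateProcess"} <= names
            and any(c.api == "OpenProcess" and decode_arg(c, 0) == "PROCESS_TERMINATE"
                    for c in calls if c.args)):
        tags.add("terminates-process-by-enumeration")  # ProcessClose-style routine
    if "SetKeyboardState" in names and any(
            c.api == "PostMessageW" and len(c.args) > 1 and decode_arg(c, 1) == "WM_KEYDOWN"
            for c in calls):
        tags.add("injects-keystrokes")
    if "recvfrom" in names:
        tags.add("udp-receive")
    if "ShellExecuteExW" in names:
        tags.add("spawns-via-shellexecute")
    return tags


# Copied (abridged) from the 'APIs' listings on this page.
KILL_SAMPLE = """\
  • Part of subcall function 00AC6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AC6554
  • Part of subcall function 00AC6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00AC6564
  • Part of subcall function 00AC6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AC65F9
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AE179A
• GetLastError.KERNEL32 ref: 00AE17AD
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00AE1855
• CloseHandle.KERNEL32(00000000), ref: 00AE1895
"""
KEYS_SAMPLE = """\
• SetKeyboardState.USER32(?), ref: 00AC3C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AC3CA4
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AC3D26
"""
UDP_SAMPLE = """\
• select.WSOCK32 ref: 00AD9691
• __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 00AD96C8
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AD96E9
• inet_ntoa.WSOCK32(?), ref: 00AD9765
"""

if __name__ == "__main__":
    for sample in (KILL_SAMPLE, KEYS_SAMPLE, UDP_SAMPLE):
        calls = parse_calls(sample)
        for call in calls:
            print(render(call))
        print("tags:", sorted(classify(calls)), "\n")
```

            Paste any "APIs" section of the report into parse_calls to get the same decoded trace; lines that are not call bullets (Strings, Memory Dump Source, hashes) are skipped by the regex rather than failing.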
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00AE8FE7
            • GetWindowLongW.USER32(013EEEC8,000000F0), ref: 00AE901A
            • GetWindowLongW.USER32(013EEEC8,000000F0), ref: 00AE904F
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00AE9081
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00AE90AB
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00AE90BC
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00AE90D6
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: 478fdcf5e850619b8e3b2ceea8a43da0f2756206b7b3fb5ff39817699c5a5e7e
            • Instruction ID: 268321a55f486ba18f59872cf75521dc442d1b69ab8327e923488e2f076e196b
            • Opcode Fuzzy Hash: 478fdcf5e850619b8e3b2ceea8a43da0f2756206b7b3fb5ff39817699c5a5e7e
            • Instruction Fuzzy Hash: 5A315378600254EFDB20CF99DC84F6637B5FB5A314F1941A4FA198B2B2CF72A840CB41
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC08F2
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC0918
            • SysAllocString.OLEAUT32(00000000), ref: 00AC091B
            • SysAllocString.OLEAUT32(?), ref: 00AC0939
            • SysFreeString.OLEAUT32(?), ref: 00AC0942
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00AC0967
            • SysAllocString.OLEAUT32(?), ref: 00AC0975
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: c9562847b2ca0bc29c2e7478cf69012db7a707c19d184d1d855c15952c6f0009
            • Instruction ID: d28721cc14dc5b45a6d1c3e5d19cbc0a3e1739707e3d7732a8c821bf7d570038
            • Opcode Fuzzy Hash: c9562847b2ca0bc29c2e7478cf69012db7a707c19d184d1d855c15952c6f0009
            • Instruction Fuzzy Hash: 8F219576601219EFEF109FA8CC88EBF77ECEB09360B418125F915DB291DA70EC458B60
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 1038674560-2734436370
            • Opcode ID: a577db40aa9b392a993b2cbe41aeb57745e72995475baee282dbfd3f2c2e606d
            • Instruction ID: 8c4b6ef8161e2a6a0e7ff6aae26643058b7df3fb9a34371aca01ec02523e4992
            • Opcode Fuzzy Hash: a577db40aa9b392a993b2cbe41aeb57745e72995475baee282dbfd3f2c2e606d
            • Instruction Fuzzy Hash: 6F216B3224461577D724BB349E12FBB73ECEF65310F51843EF44697082EB699982C3A5
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC09CB
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AC09F1
            • SysAllocString.OLEAUT32(00000000), ref: 00AC09F4
            • SysAllocString.OLEAUT32 ref: 00AC0A15
            • SysFreeString.OLEAUT32 ref: 00AC0A1E
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00AC0A38
            • SysAllocString.OLEAUT32(?), ref: 00AC0A46
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: 0c88bfdf6a46346e29644ef96f5be5f8526fdfd59f0ca3441b197d51b2caf350
            • Instruction ID: 9a0e0d695f6806964cfd8649e111b209446841529ef17762d6dfbf1141dd2ae8
            • Opcode Fuzzy Hash: 0c88bfdf6a46346e29644ef96f5be5f8526fdfd59f0ca3441b197d51b2caf350
            • Instruction Fuzzy Hash: 84215375600204AFDB10DFE8DC89EBA77ECEF58360741C129F909DB2A5EA70EC418B64
            APIs
              • Part of subcall function 00A9D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A9D1BA
              • Part of subcall function 00A9D17C: GetStockObject.GDI32(00000011), ref: 00A9D1CE
              • Part of subcall function 00A9D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A9D1D8
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00AEA32D
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00AEA33A
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00AEA345
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00AEA354
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00AEA360
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: 173dc1fff1438937ff7e0a59111a35cd3f8566e20fe475dde48990777c7ce1e1
            • Instruction ID: f3f74ba1d3b2f0756a2509d79abea94de7963b0a0d171714155ad82f5cbef175
            • Opcode Fuzzy Hash: 173dc1fff1438937ff7e0a59111a35cd3f8566e20fe475dde48990777c7ce1e1
            • Instruction Fuzzy Hash: BE1193B5150119BEEF115F65CC85EE77F6DFF09798F014115BA04A60A0C772AC21DBA4
            APIs
            • GetClientRect.USER32(?,?), ref: 00A9CCF6
            • GetWindowRect.USER32(?,?), ref: 00A9CD37
            • ScreenToClient.USER32(?,?), ref: 00A9CD5F
            • GetClientRect.USER32(?,?), ref: 00A9CE8C
            • GetWindowRect.USER32(?,?), ref: 00A9CEA5
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Rect$Client$Window$Screen
            • String ID:
            • API String ID: 1296646539-0
            • Opcode ID: 96bdea81c20ff940f63f3878ba0841d5012ca6bad3ab9dd86d5843cbb213cdc8
            • Instruction ID: eef2a107fdf3ce5073b638de0b01f4cafe3ac0445b874856b468b0fc8811d4a1
            • Opcode Fuzzy Hash: 96bdea81c20ff940f63f3878ba0841d5012ca6bad3ab9dd86d5843cbb213cdc8
            • Instruction Fuzzy Hash: 7FB12979A00649DBDF10CFA8C5807EEBBF1FF08350F149529ED5AAB254DB70AA50CB64
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00AE1C18
            • Process32FirstW.KERNEL32(00000000,?), ref: 00AE1C26
            • __wsplitpath.LIBCMT ref: 00AE1C54
              • Part of subcall function 00AA1DFC: __wsplitpath_helper.LIBCMT ref: 00AA1E3C
            • _wcscat.LIBCMT ref: 00AE1C69
            • Process32NextW.KERNEL32(00000000,?), ref: 00AE1CDF
            • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00AE1CF1
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
            • String ID:
            • API String ID: 1380811348-0
            • Opcode ID: a6e32f231362f52ba83bde4b73646802e14e1b17b9eadc10d131991e2c46b077
            • Instruction ID: 871f8a145d833dcdd0f45016b031f20ff0d820ba6e30b575af0f821bf69126aa
            • Opcode Fuzzy Hash: a6e32f231362f52ba83bde4b73646802e14e1b17b9eadc10d131991e2c46b077
            • Instruction Fuzzy Hash: 96513C71504341AFD720EF64CD85EABB7E8EF88754F10491EF58697291EB70EA04CBA2
            APIs
              • Part of subcall function 00AE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE2BB5,?,?), ref: 00AE3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE30AF
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AE30EF
            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00AE3112
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00AE313B
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00AE317E
            • RegCloseKey.ADVAPI32(00000000), ref: 00AE318B
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
            • String ID:
            • API String ID: 3451389628-0
            • Opcode ID: a067ebf35ac321a426f6367dc340b9922f26c61022a333f0912595768ea60cf3
            • Instruction ID: 9bb5f824e56803ed6165bf1c6ad7084c4fb4b67abb3200519fbc7e56ced3f649
            • Opcode Fuzzy Hash: a067ebf35ac321a426f6367dc340b9922f26c61022a333f0912595768ea60cf3
            • Instruction Fuzzy Hash: 8E514832208340AFCB04EF64C999E6ABBF9FF88314F04491DF555972A1DB71EA05CB52
            APIs
            • GetMenu.USER32(?), ref: 00AE8540
            • GetMenuItemCount.USER32(00000000), ref: 00AE8577
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00AE859F
            • GetMenuItemID.USER32(?,?), ref: 00AE860E
            • GetSubMenu.USER32(?,?), ref: 00AE861C
            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00AE866D
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Menu$Item$CountMessagePostString
            • String ID:
            • API String ID: 650687236-0
            • Opcode ID: 0296fb53ca6bc42e9e8315f11f07ea5578550c3094205c1b35afc0c0b6b86eea
            • Instruction ID: f525c16eb12b793d7b51bc8ae921b5fccfdd3cc136a96abbf750f236f760f04d
            • Opcode Fuzzy Hash: 0296fb53ca6bc42e9e8315f11f07ea5578550c3094205c1b35afc0c0b6b86eea
            • Instruction Fuzzy Hash: 6C519C71A00215AFCF11EFA9CA41AAEB7F4FF48710F104459E91ABB391DF34AE418B90
            APIs
            • _memset.LIBCMT ref: 00AC4B10
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AC4B5B
            • IsMenu.USER32(00000000), ref: 00AC4B7B
            • CreatePopupMenu.USER32 ref: 00AC4BAF
            • GetMenuItemCount.USER32(000000FF), ref: 00AC4C0D
            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AC4C3E
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
            • String ID:
            • API String ID: 3311875123-0
            • Opcode ID: ad4beb1ea2ad99fbb8e8b18b3ca4704fc1d369531041a9cd604e0cd7a34fbbc5
            • Instruction ID: fa4e207979aaf03bdb4ee222b8163b67e8d544408607a547c020361e2c77b5dd
            • Opcode Fuzzy Hash: ad4beb1ea2ad99fbb8e8b18b3ca4704fc1d369531041a9cd604e0cd7a34fbbc5
            • Instruction Fuzzy Hash: BF51FF70A05209EFDF20CF68C9A8FAEBBF4AF58318F15411DE8259B2A1D7709D40CB19
            APIs
            • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00B1DC00), ref: 00AD8E7C
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD8E89
            • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00AD8EAD
            • #16.WSOCK32(?,?,00000000,00000000), ref: 00AD8EC5
            • _strlen.LIBCMT ref: 00AD8EF7
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD8F6A
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorLast$_strlenselect
            • String ID:
            • API String ID: 2217125717-0
            • Opcode ID: ff3939310f1c608eea198e8cf824d89f6c06b838f7217f5103632aab6ce7acc3
            • Instruction ID: 60f9f190c44266a15f4662787e3d82027e7143bf153a8cff9e5bdf65c7c0f96f
            • Opcode Fuzzy Hash: ff3939310f1c608eea198e8cf824d89f6c06b838f7217f5103632aab6ce7acc3
            • Instruction Fuzzy Hash: BB414071500204AFDB14EBA4CE95EAEB7B9EF58314F10465AF51A972D1EF34EE40CB60
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • BeginPaint.USER32(?,?,?), ref: 00A9AC2A
            • GetWindowRect.USER32(?,?), ref: 00A9AC8E
            • ScreenToClient.USER32(?,?), ref: 00A9ACAB
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A9ACBC
            • EndPaint.USER32(?,?,?,?,?), ref: 00A9AD06
            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00AFE673
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
            • String ID:
            • API String ID: 2592858361-0
            • Opcode ID: 48330ec074c6a37984a4d02dd7eaa86bc0aa5513751d15445f980aea4ab3e6a6
            • Instruction ID: bbafe40569d5bdf6b8c1899ce5bebb19f92c006414cc46728e1f483409156fef
            • Opcode Fuzzy Hash: 48330ec074c6a37984a4d02dd7eaa86bc0aa5513751d15445f980aea4ab3e6a6
            • Instruction Fuzzy Hash: A441B374604304AFCB10DF58DC84F767BF8FB65320F140669FA958B2A1CB319984DBA2
            APIs
            • ShowWindow.USER32(00B41628,00000000,00B41628,00000000,00000000,00B41628,?,00AFDC5D,00000000,?,00000000,00000000,00000000,?,00AFDAD1,00000004), ref: 00AEE40B
            • EnableWindow.USER32(00000000,00000000), ref: 00AEE42F
            • ShowWindow.USER32(00B41628,00000000), ref: 00AEE48F
            • ShowWindow.USER32(00000000,00000004), ref: 00AEE4A1
            • EnableWindow.USER32(00000000,00000001), ref: 00AEE4C5
            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00AEE4E8
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: bc31998fdf8f628ef7935244e466bf899e951fc29b1b99e67833f63d908fc58f
            • Instruction ID: ce118648cf4d068df47cabbfb541ef86964cfb392ea12090f7a26a20be07f4f3
            • Opcode Fuzzy Hash: bc31998fdf8f628ef7935244e466bf899e951fc29b1b99e67833f63d908fc58f
            • Instruction Fuzzy Hash: 2E417F30601581EFDB22CF69C599B947BE1BF09304F1881B9EA598F2E2C732E842CB51
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AC98D1
              • Part of subcall function 00A9F4EA: std::exception::exception.LIBCMT ref: 00A9F51E
              • Part of subcall function 00A9F4EA: __CxxThrowException@8.LIBCMT ref: 00A9F533
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AC9908
            • EnterCriticalSection.KERNEL32(?), ref: 00AC9924
            • LeaveCriticalSection.KERNEL32(?), ref: 00AC999E
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AC99B3
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AC99D2
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
            • String ID:
            • API String ID: 2537439066-0
            • Opcode ID: 8ac4520902bf9aa30fd79c2b3594b3b68e7e07b35f58e3f65723ede001d11dde
            • Instruction ID: a66a0188a41bfaf8266366ca04a336e7f0efac08108fd937cbfdcbf9312b8982
            • Opcode Fuzzy Hash: 8ac4520902bf9aa30fd79c2b3594b3b68e7e07b35f58e3f65723ede001d11dde
            • Instruction Fuzzy Hash: 41315E31A00205EBDF10DFA5DD85E6FB7B8FF84310B1580A9E905AB296DB70DE10DBA4
            APIs
            • GetForegroundWindow.USER32(?,?,?,?,?,?,00AD77F4,?,?,00000000,00000001), ref: 00AD9B53
              • Part of subcall function 00AD6544: GetWindowRect.USER32(?,?), ref: 00AD6557
            • GetDesktopWindow.USER32 ref: 00AD9B7D
            • GetWindowRect.USER32(00000000), ref: 00AD9B84
            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00AD9BB6
              • Part of subcall function 00AC7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AC7AD0
            • GetCursorPos.USER32(?), ref: 00AD9BE2
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AD9C44
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
            • String ID:
            • API String ID: 4137160315-0
            • Opcode ID: 485689639d03e7916a3749672d5de2a49561992a453b61264a1e87a38d47c775
            • Instruction ID: 790b7b4c95d7d6d9e1d6aee6d66f72d823b31f2b5294048b6de2ebf7c6e77d95
            • Opcode Fuzzy Hash: 485689639d03e7916a3749672d5de2a49561992a453b61264a1e87a38d47c775
            • Instruction Fuzzy Hash: FF31C172104305ABC710DF58DC49F9BB7E9FF98314F01091AF58AE7291DA71E908CB91
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00ABAFAE
            • OpenProcessToken.ADVAPI32(00000000), ref: 00ABAFB5
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00ABAFC4
            • CloseHandle.KERNEL32(00000004), ref: 00ABAFCF
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ABAFFE
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00ABB012
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: 346a5b2564d6e1369c41c1412e087db31499787f4afe4320657e7e4d734af07b
            • Instruction ID: 9655b6f4c57670cdcddf1e460f37f8a8d3285eef51d186e4641b9083dd956c28
            • Opcode Fuzzy Hash: 346a5b2564d6e1369c41c1412e087db31499787f4afe4320657e7e4d734af07b
            • Instruction Fuzzy Hash: AB2149B2104209ABDB029FA4DD09BEE7BADAB54304F048015FA01A21A2D776DD21EB61
            APIs
              • Part of subcall function 00A9AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A9AFE3
              • Part of subcall function 00A9AF83: SelectObject.GDI32(?,00000000), ref: 00A9AFF2
              • Part of subcall function 00A9AF83: BeginPath.GDI32(?), ref: 00A9B009
              • Part of subcall function 00A9AF83: SelectObject.GDI32(?,00000000), ref: 00A9B033
            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00AEEC20
            • LineTo.GDI32(00000000,00000003,?), ref: 00AEEC34
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AEEC42
            • LineTo.GDI32(00000000,00000000,?), ref: 00AEEC52
            • EndPath.GDI32(00000000), ref: 00AEEC62
            • StrokePath.GDI32(00000000), ref: 00AEEC72
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 591db65145227bff3346d2808f290e8350039366894765a4b57a74446e5ac1f4
            • Instruction ID: 9a525fe3975baf7d8595241d2fd640e922eec98d3b34e84ae167d16cac99d1f0
            • Opcode Fuzzy Hash: 591db65145227bff3346d2808f290e8350039366894765a4b57a74446e5ac1f4
            • Instruction Fuzzy Hash: D8111B7640014DBFEF029F94DD88EEA7F6DEB18350F048112BE099A1A0DB719E55DBA0
            APIs
            • GetDC.USER32(00000000), ref: 00ABE1C0
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00ABE1D1
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ABE1D8
            • ReleaseDC.USER32(00000000,00000000), ref: 00ABE1E0
            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00ABE1F7
            • MulDiv.KERNEL32(000009EC,?,?), ref: 00ABE209
              • Part of subcall function 00AB9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00AB9A05,00000000,00000000,?,00AB9DDB), ref: 00ABA53A
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CapsDevice$ExceptionRaiseRelease
            • String ID:
            • API String ID: 603618608-0
            • Opcode ID: a8bf2c8c468ebc2be903cf91d979fd3894e3bcfd680d5d29d855b88d8c207d74
            • Instruction ID: 74a6a487963e5e9f31c1ebfb687e1c985d66a1ab40276172bf3e81254b2b2aaf
            • Opcode Fuzzy Hash: a8bf2c8c468ebc2be903cf91d979fd3894e3bcfd680d5d29d855b88d8c207d74
            • Instruction Fuzzy Hash: E10184B5A00214BFEB109BE59C45B9EBFB8EB58351F004166EA08A72D1DA719C01CBA0
            APIs
            • __init_pointers.LIBCMT ref: 00AA7B47
              • Part of subcall function 00AA123A: __initp_misc_winsig.LIBCMT ref: 00AA125E
              • Part of subcall function 00AA123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AA7F51
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AA7F65
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AA7F78
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AA7F8B
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AA7F9E
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AA7FB1
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AA7FC4
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AA7FD7
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AA7FEA
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AA7FFD
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AA8010
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AA8023
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AA8036
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AA8049
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AA805C
              • Part of subcall function 00AA123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00AA806F
            • __mtinitlocks.LIBCMT ref: 00AA7B4C
              • Part of subcall function 00AA7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00B3AC68,00000FA0,?,?,00AA7B51,00AA5E77,00B36C70,00000014), ref: 00AA7E41
            • __mtterm.LIBCMT ref: 00AA7B55
              • Part of subcall function 00AA7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AA7B5A,00AA5E77,00B36C70,00000014), ref: 00AA7D3F
              • Part of subcall function 00AA7BBD: _free.LIBCMT ref: 00AA7D46
              • Part of subcall function 00AA7BBD: DeleteCriticalSection.KERNEL32(00B3AC68,?,?,00AA7B5A,00AA5E77,00B36C70,00000014), ref: 00AA7D68
            • __calloc_crt.LIBCMT ref: 00AA7B7A
            • GetCurrentThreadId.KERNEL32 ref: 00AA7BA3
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
            • String ID:
            • API String ID: 2942034483-0
            • Opcode ID: bc0966ddfbe9fdd1e5f72c92b63115d65cf56387d42847e438b8519130c10c77
            • Instruction ID: 0904226c82d93d60ca987e7c4168c8d992c9e54ed077f69579eac970ded2bd13
            • Opcode Fuzzy Hash: bc0966ddfbe9fdd1e5f72c92b63115d65cf56387d42847e438b8519130c10c77
            • Instruction Fuzzy Hash: D8F0907210D31229EA3677747E06A8F26949F03730F2406A9F8A2DB0D2FF218C4145B0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A8281D
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00A82825
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A82830
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A8283B
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00A82843
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A8284B
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: e9d19a8c9faa13b397bd826e78aef081734afaf37bc33dfeec0ab03f464df416
            • Instruction ID: cb0b993f57c529dac3cc6d3680db761eab06a1f3f57ab96ec3ea4aebbad39cab
            • Opcode Fuzzy Hash: e9d19a8c9faa13b397bd826e78aef081734afaf37bc33dfeec0ab03f464df416
            • Instruction Fuzzy Hash: 5B0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A82C7F5A864CBE5
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 1423608774-0
            • Opcode ID: 14f9d3b5d4caaf16eff9efd1899f192656dba3f064d90f3fe484736b5b7b6881
            • Instruction ID: 16229bfd861cb666d10c561711a8ab25a97d42cf2b2e58e2f7665568080a6f18
            • Opcode Fuzzy Hash: 14f9d3b5d4caaf16eff9efd1899f192656dba3f064d90f3fe484736b5b7b6881
            • Instruction Fuzzy Hash: 5001A432102611EBD7151B94ED4CEEB7769FF98741B05042DF507970E4DF74A801DB50
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AC7C07
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AC7C1D
            • GetWindowThreadProcessId.USER32(?,?), ref: 00AC7C2C
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AC7C3B
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AC7C45
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AC7C4C
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: 3932f8e48d7aad4c9c4ff36feca00a22b80785dbb510eb644db2f7cd2ed72286
            • Instruction ID: 13094152ab981e78ea0ee15055a6eb6b077709115809f80e961ffd315f6ebc6d
            • Opcode Fuzzy Hash: 3932f8e48d7aad4c9c4ff36feca00a22b80785dbb510eb644db2f7cd2ed72286
            • Instruction Fuzzy Hash: 37F03A72241158BBE7215B929C0EEEF7F7CEFD6B11F000118FA01A2091DFA15A41D6B5
            APIs
            • InterlockedExchange.KERNEL32(?,?), ref: 00AC9A33
            • EnterCriticalSection.KERNEL32(?,?,?,?,00AF5DEE,?,?,?,?,?,00A8ED63), ref: 00AC9A44
            • TerminateThread.KERNEL32(?,000001F6,?,?,?,00AF5DEE,?,?,?,?,?,00A8ED63), ref: 00AC9A51
            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00AF5DEE,?,?,?,?,?,00A8ED63), ref: 00AC9A5E
              • Part of subcall function 00AC93D1: CloseHandle.KERNEL32(?,?,00AC9A6B,?,?,?,00AF5DEE,?,?,?,?,?,00A8ED63), ref: 00AC93DB
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AC9A71
            • LeaveCriticalSection.KERNEL32(?,?,?,?,00AF5DEE,?,?,?,?,?,00A8ED63), ref: 00AC9A78
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 414c84d9ec04fde917f8c66ccb3e202b3940601ddf77c2c32fa4bedc7a61c6a6
            • Instruction ID: c810464d839379dabe85640f1d68d56c5b964677d4ba14775ff0b508ed91c45d
            • Opcode Fuzzy Hash: 414c84d9ec04fde917f8c66ccb3e202b3940601ddf77c2c32fa4bedc7a61c6a6
            • Instruction Fuzzy Hash: E9F08C32142211EBD7112BE4EC8DEEB7739FF98302B150429F603A60E4DFB59911DB60
            APIs
              • Part of subcall function 00A9F4EA: std::exception::exception.LIBCMT ref: 00A9F51E
              • Part of subcall function 00A9F4EA: __CxxThrowException@8.LIBCMT ref: 00A9F533
            • __swprintf.LIBCMT ref: 00A81EA6
            Strings
            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A81D49
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Exception@8Throw__swprintfstd::exception::exception
            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
            • API String ID: 2125237772-557222456
            • Opcode ID: 5303716c379490bd645582e5a136b9314d27494ebc4b93759a4ec6606f8e73ae
            • Instruction ID: e0269632c7f62dc6bc8953bed4c818c7710b696379d27c3471c7840604bdbbba
            • Opcode Fuzzy Hash: 5303716c379490bd645582e5a136b9314d27494ebc4b93759a4ec6606f8e73ae
            • Instruction Fuzzy Hash: E8916771504205AFC724FF64CA96D7AB7B8EF85710F00492DF9869B2A1DB30ED05CB92
            APIs
            • VariantInit.OLEAUT32(?), ref: 00ADB006
            • CharUpperBuffW.USER32(?,?), ref: 00ADB115
            • VariantClear.OLEAUT32(?), ref: 00ADB298
              • Part of subcall function 00AC9DC5: VariantInit.OLEAUT32(00000000), ref: 00AC9E05
              • Part of subcall function 00AC9DC5: VariantCopy.OLEAUT32(?,?), ref: 00AC9E0E
              • Part of subcall function 00AC9DC5: VariantClear.OLEAUT32(?), ref: 00AC9E1A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4237274167-1221869570
            • Opcode ID: f1677b28da9b0828b202537b78d33ea84b1d6cf4b412e7a0b49579b1a6dd9bf4
            • Instruction ID: d9534bb523b41422d56359a2887ade4bc9402d63b7dd4fb3b613638c6216dc40
            • Opcode Fuzzy Hash: f1677b28da9b0828b202537b78d33ea84b1d6cf4b412e7a0b49579b1a6dd9bf4
            • Instruction Fuzzy Hash: 1C915971608301DFCB10EF24C58599AB7F4EF89714F04496EF89A9B362DB31E945CB62
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AC027B
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00AC02B1
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00AC02C2
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AC0344
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: 5d358ad36f506072119bbf3230f775c091662f06096c04fc1cc376b1519d2819
            • Instruction ID: b6510e2e080adfd2aa4d93ab0c3bf5916f07e5b096f84771d9ff99dd2d1ee4e3
            • Opcode Fuzzy Hash: 5d358ad36f506072119bbf3230f775c091662f06096c04fc1cc376b1519d2819
            • Instruction Fuzzy Hash: A8415B71604204EFDB05CF58C984F9A7BB9EF44310F1580ADA909DF256DBB1D945CBA0
            APIs
            • _memset.LIBCMT ref: 00AC5075
            • GetMenuItemInfoW.USER32 ref: 00AC5091
            • DeleteMenu.USER32(00000004,00000007,00000000), ref: 00AC50D7
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B41708,00000000), ref: 00AC5120
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem_memset
            • String ID: 0
            • API String ID: 1173514356-4108050209
            • Opcode ID: 1850f877ff9e0bfeea198de323641b23db8d48b63862f96b2c9471ae76997e4d
            • Instruction ID: 71a7d83d1c9fae35b997d3e31a889a895fe87746f4b7bd8830a429ad7c43e366
            • Opcode Fuzzy Hash: 1850f877ff9e0bfeea198de323641b23db8d48b63862f96b2c9471ae76997e4d
            • Instruction Fuzzy Hash: A341B171A047019FD720EF34D888F6ABBE4AF89324F19461EF855972D1DB30E940CB62
            APIs
            • CharLowerBuffW.USER32(?,?,?,?), ref: 00AE0587
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BuffCharLower
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 2358735015-567219261
            • Opcode ID: 0607ec823cb2e818acbe98b543743021a1321397c4cbb443706fafd55ad71587
            • Instruction ID: 94b2ef78f3faf7e1ff08d29c5c9e2b3af68af44c4149abb60323455265c27a8e
            • Opcode Fuzzy Hash: 0607ec823cb2e818acbe98b543743021a1321397c4cbb443706fafd55ad71587
            • Instruction Fuzzy Hash: BA31D030600656AFCF00EF68CA41EAEB3B4FF55314B108629E866A73D1DBB1E955CB90
            APIs
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00ABB88E
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00ABB8A1
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00ABB8D1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: ad4b4729916b5331c71543f697fe66c8f04d60a9e636fdc5afb27d2569bf0606
            • Instruction ID: 0600de1b1a735b74d28a7477e6bd0f3a7a4c5d4f8972d880f2182372fd271a8e
            • Opcode Fuzzy Hash: ad4b4729916b5331c71543f697fe66c8f04d60a9e636fdc5afb27d2569bf0606
            • Instruction Fuzzy Hash: A721D176A00108BFDB14ABB4D986DFEB7BCDF45364B104529F021A71E2DBB54D0A9B70
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AD4401
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AD4427
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00AD4457
            • InternetCloseHandle.WININET(00000000), ref: 00AD449E
              • Part of subcall function 00AD5052: GetLastError.KERNEL32(?,?,00AD43CC,00000000,00000000,00000001), ref: 00AD5067
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 1951874230-3916222277
            • Opcode ID: bf984cf87c70dfd7469b8fbf86523f79767d88db7b61d787d473e584a5044f92
            • Instruction ID: 9aaa96833b3b782fa881dc3252e6a6d316629af0c64d25ef4c718ca2f8f6051d
            • Opcode Fuzzy Hash: bf984cf87c70dfd7469b8fbf86523f79767d88db7b61d787d473e584a5044f92
            • Instruction Fuzzy Hash: 48218EB2600208BFE7119FA4CD85EBFB6FCEB48748F10801BF10AA3240EA748D459771
            APIs
              • Part of subcall function 00A9D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A9D1BA
              • Part of subcall function 00A9D17C: GetStockObject.GDI32(00000011), ref: 00A9D1CE
              • Part of subcall function 00A9D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A9D1D8
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00AE915C
            • LoadLibraryW.KERNEL32(?), ref: 00AE9163
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00AE9178
            • DestroyWindow.USER32(?), ref: 00AE9180
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
            • String ID: SysAnimate32
            • API String ID: 4146253029-1011021900
            • Opcode ID: 4f2e7280592067b3f55d17858f5da3d32f0f0be43cef002c040d1002a47393ca
            • Instruction ID: 41176340c30fca65c4a4217bce8cde95309545f186a8565a074c69b6f427897e
            • Opcode Fuzzy Hash: 4f2e7280592067b3f55d17858f5da3d32f0f0be43cef002c040d1002a47393ca
            • Instruction Fuzzy Hash: 11218B71200386BBEF208F66DC88EBB77A9EB99364F100718F91493190C772DC81A761
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 00AC9588
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AC95B9
            • GetStdHandle.KERNEL32(0000000C), ref: 00AC95CB
            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AC9605
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 81acde81d0af5d664da21aedc743b6696a28c340e290e430dd85e37d77cbaf4d
            • Instruction ID: 848fdd8bb0274bcbad540851a6ad5eb36fbda3e833966bbe7eb1bf3cfd3d6185
            • Opcode Fuzzy Hash: 81acde81d0af5d664da21aedc743b6696a28c340e290e430dd85e37d77cbaf4d
            • Instruction Fuzzy Hash: 7A219074600209ABDB21AF65DC09F9B7BF8AF58720F224A1DF8A1E72D0DB70D945CB10
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 00AC9653
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AC9683
            • GetStdHandle.KERNEL32(000000F6), ref: 00AC9694
            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AC96CE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 85efb467341101d2a34ef3818fc46cab4091a778ce0bedd245802ec7aaaa15cc
            • Instruction ID: 473124cb291a78d0676595f34d34e22762a1bf989b8f14d5e6c8215823ee341b
            • Opcode Fuzzy Hash: 85efb467341101d2a34ef3818fc46cab4091a778ce0bedd245802ec7aaaa15cc
            • Instruction Fuzzy Hash: DB214C75600205ABDB209F69DC49F9BB7E8AF95734F210A1DF8A1E72D0EB70D941CB60
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00ACDB0A
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00ACDB5E
            • __swprintf.LIBCMT ref: 00ACDB77
            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B1DC00), ref: 00ACDBB5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorMode$InformationVolume__swprintf
            • String ID: %lu
            • API String ID: 3164766367-685833217
            • Opcode ID: abe0dc96e30b7a666beefe9853cdab2a4f5b3dae559c6cfc7175ae710c618b26
            • Instruction ID: 016448fa6aeb425d22da6a46d1806c698bc6a131d136392dac13f144f1542c84
            • Opcode Fuzzy Hash: abe0dc96e30b7a666beefe9853cdab2a4f5b3dae559c6cfc7175ae710c618b26
            • Instruction Fuzzy Hash: 6D215335A00208AFCB10EFA4CE85EAEB7F8EF49714B114069F509E7291DB71EA41CB61
            APIs
              • Part of subcall function 00ABC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ABC84A
              • Part of subcall function 00ABC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ABC85D
              • Part of subcall function 00ABC82D: GetCurrentThreadId.KERNEL32 ref: 00ABC864
              • Part of subcall function 00ABC82D: AttachThreadInput.USER32(00000000), ref: 00ABC86B
            • GetFocus.USER32 ref: 00ABCA05
              • Part of subcall function 00ABC876: GetParent.USER32(?), ref: 00ABC884
            • GetClassNameW.USER32(?,?,00000100), ref: 00ABCA4E
            • EnumChildWindows.USER32(?,00ABCAC4), ref: 00ABCA76
            • __swprintf.LIBCMT ref: 00ABCA90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
            • String ID: %s%d
            • API String ID: 3187004680-1110647743
            • Opcode ID: 7222463601c77f8623f130c20fda6040d4eee70252b24467a77b90adc43f3ff2
            • Instruction ID: cda08be815f3dfcaaf061eb827bbd3381e6c63b5086dfc2f1b7ff3332e662013
            • Opcode Fuzzy Hash: 7222463601c77f8623f130c20fda6040d4eee70252b24467a77b90adc43f3ff2
            • Instruction Fuzzy Hash: EF118E756002097BDB11BFA08D86FEA777DAF54764F00806AFE08AB183DB719945DB70
            APIs
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AE19F3
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AE1A26
            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00AE1B49
            • CloseHandle.KERNEL32(?), ref: 00AE1BBF
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Process$CloseCountersHandleInfoMemoryOpen
            • String ID:
            • API String ID: 2364364464-0
            • Opcode ID: b96fecf224172e2160e05cbffd69b163beb4c063d95f57adc9cf39a86d3f337d
            • Instruction ID: 70372f6e4d5fe014d308f885967b02ba4515e0a44d52872b5a14190a8c68b367
            • Opcode Fuzzy Hash: b96fecf224172e2160e05cbffd69b163beb4c063d95f57adc9cf39a86d3f337d
            • Instruction Fuzzy Hash: 89815F70700215ABDF10AF65C996BADBBE5EF08720F148459F905AF3C2EBB5E9418B90
            APIs
            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00AEE1D5
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00AEE20D
            • IsDlgButtonChecked.USER32(?,00000001), ref: 00AEE248
            • GetWindowLongW.USER32(?,000000EC), ref: 00AEE269
            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00AEE281
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$ButtonCheckedLongWindow
            • String ID:
            • API String ID: 3188977179-0
            • Opcode ID: dc4428d86894a52a81d523058117bdfa7965bc0586d305567e3c7668386d4acc
            • Instruction ID: 95b74277698483ac1e73b71794cf3b6e16d997078dcb8a6eeeba8199e8154edb
            • Opcode Fuzzy Hash: dc4428d86894a52a81d523058117bdfa7965bc0586d305567e3c7668386d4acc
            • Instruction Fuzzy Hash: 8461BD34A40284AFDB21DF5ACC94FEA77BAEF99300F044599F959973A1C771A980CB11
            APIs
            • VariantInit.OLEAUT32(?), ref: 00AC1CB4
            • VariantClear.OLEAUT32(00000013), ref: 00AC1D26
            • VariantClear.OLEAUT32(00000000), ref: 00AC1D81
            • VariantClear.OLEAUT32(?), ref: 00AC1DF8
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AC1E26
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Variant$Clear$ChangeInitType
            • String ID:
            • API String ID: 4136290138-0
            • Opcode ID: 9149e9ca29532982ae8f2d45e8c585eea09b373f8ee372ba951b384f0265e214
            • Instruction ID: 615dcfed9fc94ef9e64af93444cfb8320633191fc6e60d7779b3270cb12bbc69
            • Opcode Fuzzy Hash: 9149e9ca29532982ae8f2d45e8c585eea09b373f8ee372ba951b384f0265e214
            • Instruction Fuzzy Hash: 7E5139B5A00209EFDB14CF58C880EAAB7B8FF4D314B158559E95ADB345D730EA51CBA0
            APIs
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
            • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00AE06EE
            • GetProcAddress.KERNEL32(00000000,?), ref: 00AE077D
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00AE079B
            • GetProcAddress.KERNEL32(00000000,?), ref: 00AE07E1
            • FreeLibrary.KERNEL32(00000000,00000004), ref: 00AE07FB
              • Part of subcall function 00A9E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00ACA574,?,?,00000000,00000008), ref: 00A9E675
              • Part of subcall function 00A9E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00ACA574,?,?,00000000,00000008), ref: 00A9E699
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
            • String ID:
            • API String ID: 327935632-0
            • Opcode ID: ac640b79f57bd4b6f31cdfea4479ec2f874401314fe633adba6068a04347fb2c
            • Instruction ID: 1e02f0aa0d4fa799dc0e314ec3e608a858cb8b52752a270d161aa69b12c9b2e9
            • Opcode Fuzzy Hash: ac640b79f57bd4b6f31cdfea4479ec2f874401314fe633adba6068a04347fb2c
            • Instruction Fuzzy Hash: D7513675A00645DFCB00EFA8C995EADB7F5BF58310B04805AEA15AB392DB70ED85CF90
            APIs
              • Part of subcall function 00AE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE2BB5,?,?), ref: 00AE3C1D
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE2EEF
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AE2F2E
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AE2F75
            • RegCloseKey.ADVAPI32(?,?), ref: 00AE2FA1
            • RegCloseKey.ADVAPI32(00000000), ref: 00AE2FAE
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
            • String ID:
            • API String ID: 3740051246-0
            • Opcode ID: 8830b19987ca0672e536946d26c241951cc5e0e33fdf00da5c8ed06fc1a477d9
            • Instruction ID: e6acf2d62cea6aab39c13fd9bf0eb68d71fe73e885efcbae3174fdc2212e7f98
            • Opcode Fuzzy Hash: 8830b19987ca0672e536946d26c241951cc5e0e33fdf00da5c8ed06fc1a477d9
            • Instruction Fuzzy Hash: 78515972208244AFD704EF64C995F6AB7F9FF88314F04882DF595972A1EB70E914CB52
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4e7d41a411659629ac5af3b9ff90e2cc6820f7c9389775977ec972a29dbb6d02
            • Instruction ID: 54245176f2d6b031aaa070759cc8315470d4040b6af19b29b6274da2ebde2c19
            • Opcode Fuzzy Hash: 4e7d41a411659629ac5af3b9ff90e2cc6820f7c9389775977ec972a29dbb6d02
            • Instruction Fuzzy Hash: 1841E479900294AFC720DF69CC84FA9BF79FB09330F150265F959A72D1CB31AE42DA90
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AD12B4
            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AD12DD
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AD131C
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AD1341
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AD1349
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
            • String ID:
            • API String ID: 1389676194-0
            • Opcode ID: 7756e9ffd17b9ba683199d7f86cd8c1ab2c38dda2685796839f0772342192508
            • Instruction ID: 3591aa5437b12e6ed1c46851bd0460e5877de005d3357d242d6ed736e37111c5
            • Opcode Fuzzy Hash: 7756e9ffd17b9ba683199d7f86cd8c1ab2c38dda2685796839f0772342192508
            • Instruction Fuzzy Hash: FB41FE35A00505EFDF01EF64CA95AAEBBF5FF48314B148099E906AB3A2DB31ED01DB51
            APIs
            • GetCursorPos.USER32(000000FF), ref: 00A9B64F
            • ScreenToClient.USER32(00000000,000000FF), ref: 00A9B66C
            • GetAsyncKeyState.USER32(00000001), ref: 00A9B691
            • GetAsyncKeyState.USER32(00000002), ref: 00A9B69F
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: 1b2ee677dd0c6ab73b8902119af9c6e6f13611db4832c562f2727d431e38ba9b
            • Instruction ID: 414a304c1dea7231062e08a185dfa268ea1bdc5d2b368489ec567bad1c7a9623
            • Opcode Fuzzy Hash: 1b2ee677dd0c6ab73b8902119af9c6e6f13611db4832c562f2727d431e38ba9b
            • Instruction Fuzzy Hash: C2416D31608119FBCF159FA8CD44EE9BBB5BF05324F10431AF929962D0CB30A994DFA1
            APIs
            • GetWindowRect.USER32(?,?), ref: 00ABB369
            • PostMessageW.USER32(?,00000201,00000001), ref: 00ABB413
            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00ABB41B
            • PostMessageW.USER32(?,00000202,00000000), ref: 00ABB429
            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00ABB431
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: 5b78975b0412c1d92721642dee58a6ab176fce0960c15c464b0ac9dbd06597ed
            • Instruction ID: 062d0d2fdae6bee091cc2436949ae624a4b34308f9bd81c9fbb5a373b149203e
            • Opcode Fuzzy Hash: 5b78975b0412c1d92721642dee58a6ab176fce0960c15c464b0ac9dbd06597ed
            • Instruction Fuzzy Hash: 2F31AC71900219EBDF04CFA8DD4DADE7BB9FB04319F108229F921AB1D2C7B09954DBA0
            APIs
            • IsWindowVisible.USER32(?), ref: 00ABDBD7
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ABDBF4
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ABDC2C
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ABDC52
            • _wcsstr.LIBCMT ref: 00ABDC5C
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
            • String ID:
            • API String ID: 3902887630-0
            • Opcode ID: 66ec193783ba130593ee50f6d165092530acc3434a1815f7a4d6942e1da1e655
            • Instruction ID: c2756cdf5bbde7bc65f6f0b593027d364873b76890c9cb6fdaba46122b5249ef
            • Opcode Fuzzy Hash: 66ec193783ba130593ee50f6d165092530acc3434a1815f7a4d6942e1da1e655
            • Instruction Fuzzy Hash: EF21C571204104BBEB155F799D49EBB7FACDF46760F108039F809DA192EEA2DC41D660
            APIs
              • Part of subcall function 00A850E6: _wcsncpy.LIBCMT ref: 00A850FA
            • GetFileAttributesW.KERNEL32(?,?,?,?,00AC60C3), ref: 00AC6369
            • GetLastError.KERNEL32(?,?,?,00AC60C3), ref: 00AC6374
            • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00AC60C3), ref: 00AC6388
            • _wcsrchr.LIBCMT ref: 00AC63AA
              • Part of subcall function 00AC6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00AC60C3), ref: 00AC63E0
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
            • String ID:
            • API String ID: 3633006590-0
            • Opcode ID: a7ab042ab343b40d62efd4f2c0d2151698848e0b3e06702d38055fd06efe53fb
            • Instruction ID: d05541bc50f99c6aaf80b05fca298eaf9b77bd58b4eac8b50ecb5a9eb0c8a61f
            • Opcode Fuzzy Hash: a7ab042ab343b40d62efd4f2c0d2151698848e0b3e06702d38055fd06efe53fb
            • Instruction Fuzzy Hash: 712120316046555BEF15EB78AD42FEE33ACEF19360F11046DF045DB2C1EF60D9808A65
            APIs
              • Part of subcall function 00ADA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ADA84E
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AD8BD3
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD8BE2
            • connect.WSOCK32(00000000,?,00000010), ref: 00AD8BFE
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorLastconnectinet_addrsocket
            • String ID:
            • API String ID: 3701255441-0
            • Opcode ID: 2c9668738bb9a765cb67d1f5b505733cda92f9f8f46d7e8508202ee5508e8594
            • Instruction ID: c42e11dfa50c24a69ddfcfc113279171b5edbb0d63bd1e9d8dc3dd82721cb2e4
            • Opcode Fuzzy Hash: 2c9668738bb9a765cb67d1f5b505733cda92f9f8f46d7e8508202ee5508e8594
            • Instruction Fuzzy Hash: B8214A31600214AFDB10AB68CD85B7E77A9EB58720F04845EF957AB3D2CE78EC018B61
            APIs
            • IsWindow.USER32(00000000), ref: 00AD8441
            • GetForegroundWindow.USER32 ref: 00AD8458
            • GetDC.USER32(00000000), ref: 00AD8494
            • GetPixel.GDI32(00000000,?,00000003), ref: 00AD84A0
            • ReleaseDC.USER32(00000000,00000003), ref: 00AD84DB
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$ForegroundPixelRelease
            • String ID:
            • API String ID: 4156661090-0
            • Opcode ID: e20451b325f3b38f9ecdc0722f55e82583311db9d7b164da31f7d7c6547464e5
            • Instruction ID: 8f49d351fe3818772b853e6c541f9780ccf04cd6f6b5b5babf9592e4fd3ab1ec
            • Opcode Fuzzy Hash: e20451b325f3b38f9ecdc0722f55e82583311db9d7b164da31f7d7c6547464e5
            • Instruction Fuzzy Hash: 43215175A00204AFD700EFA5D985AAEBBF5EF48301F048479E85AA7391DF75ED40CB60
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A9AFE3
            • SelectObject.GDI32(?,00000000), ref: 00A9AFF2
            • BeginPath.GDI32(?), ref: 00A9B009
            • SelectObject.GDI32(?,00000000), ref: 00A9B033
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: 80168e0209840f62a897e9ca73a7e77b3ed5e257668e31197bcc8d267479b3a8
            • Instruction ID: 147e228fcbdffa0eb128e2964bb482e38610e12658ed361cfd6ac798993c7a9f
            • Opcode Fuzzy Hash: 80168e0209840f62a897e9ca73a7e77b3ed5e257668e31197bcc8d267479b3a8
            • Instruction Fuzzy Hash: 0621A174D00309EFDB10DF99ED487AA7BB8B721355F15471AF524970E0DB708A81DB90
            APIs
            • __calloc_crt.LIBCMT ref: 00AA21A9
            • CreateThread.KERNEL32(?,?,00AA22DF,00000000,?,?), ref: 00AA21ED
            • GetLastError.KERNEL32 ref: 00AA21F7
            • _free.LIBCMT ref: 00AA2200
            • __dosmaperr.LIBCMT ref: 00AA220B
              • Part of subcall function 00AA7C0E: __getptd_noexit.LIBCMT ref: 00AA7C0E
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
            • String ID:
            • API String ID: 2664167353-0
            • Opcode ID: b9ca03743960eb33cfad6afbc09d4f6c4cd5044dcee388f8557a0d4c70bb9bbf
            • Instruction ID: 1742eb63d32ffd0f35ca50e6012242a7e87aedacf81576dca5a0bcd2d223ae9d
            • Opcode Fuzzy Hash: b9ca03743960eb33cfad6afbc09d4f6c4cd5044dcee388f8557a0d4c70bb9bbf
            • Instruction Fuzzy Hash: FC11C432104306AFDB21AFA9DD41FAF3BA8EF07770B10052AF914871D1EB71D8218BA1
            APIs
            • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00ABABD7
            • GetLastError.KERNEL32(?,00ABA69F,?,?,?), ref: 00ABABE1
            • GetProcessHeap.KERNEL32(00000008,?,?,00ABA69F,?,?,?), ref: 00ABABF0
            • HeapAlloc.KERNEL32(00000000,?,00ABA69F,?,?,?), ref: 00ABABF7
            • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00ABAC0E
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: 8b97114a46ddb4af5d78ee90e39aa255b07681129eba3bdb332c36ec6b5e8bc3
            • Instruction ID: 8cfb0e135462a56a60b02cf4a6ce07d19d29dd59d33d6cf4ef33bea4cdf7e85a
            • Opcode Fuzzy Hash: 8b97114a46ddb4af5d78ee90e39aa255b07681129eba3bdb332c36ec6b5e8bc3
            • Instruction Fuzzy Hash: 890114B1200204BFDB104FEADC88EAB7FADEF9A755B100429F945D32A0DE719C80DB61
            APIs
            • CLSIDFromProgID.OLE32 ref: 00AB9ADC
            • ProgIDFromCLSID.OLE32(?,00000000), ref: 00AB9AF7
            • lstrcmpiW.KERNEL32(?,00000000), ref: 00AB9B05
            • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00AB9B15
            • CLSIDFromString.OLE32(?,?), ref: 00AB9B21
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: 3440576d85501a278d4a16a5b117286d01834f70b62018d8df5628958188fd37
            • Instruction ID: 53a4f5947fa1f675ac899e4deda056820876a7184dee2268216fc70ce62b9ccf
            • Opcode Fuzzy Hash: 3440576d85501a278d4a16a5b117286d01834f70b62018d8df5628958188fd37
            • Instruction Fuzzy Hash: 0E014F7A610219BFDB114F98ED44BAA7AFDEF54751F148024FA05D3261DB70DD409BA0
            APIs
            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AC7A74
            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00AC7A82
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00AC7A8A
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00AC7A94
            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AC7AD0
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 69f266449240028b2320dc2ae59489e6c70ad0143e89ed3ac4409c2334d54a97
            • Instruction ID: b0aff005132e821f5ec704756c1a3bd1fe8a136f7833052f456afd1d59e03f2e
            • Opcode Fuzzy Hash: 69f266449240028b2320dc2ae59489e6c70ad0143e89ed3ac4409c2334d54a97
            • Instruction Fuzzy Hash: E401D775D04619EBDF00EFE5D849AEDBB78FF18791F024499E502B3190DF309A548BA1
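Every record on this page has the same shape: an APIs list (each entry a Name.MODULE call with the observed arguments, a call-site ref, and optionally a "Part of subcall function" prefix), a Memory Dump Source block, and a Similarity block whose last field is the Instruction Fuzzy Hash. As an added example that is not part of the Joe Sandbox report, the Python below parses such records into structured data and applies a few behaviour labels of my own (remote registry enumeration, TCP connect, synthetic mouse click, window-title search, token integrity query). The layout is inferred from the entries above; SAMPLE is three of those entries copied with the Associated lines trimmed, and the labelling rules are heuristics, not the sandbox's.

```python
"""Parse Joe Sandbox per-function records into structured data and label them.
Added example, not part of the report: SAMPLE is copied from entries on this
page (Associated lines trimmed); the labelling rules are my own heuristics."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
  • Part of subcall function 00AE3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00AE2BB5,?,?), ref: 00AE3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00AE2EEF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00AE2F2E
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00AE2F75
• RegCloseKey.ADVAPI32(?,?), ref: 00AE2FA1
• RegCloseKey.ADVAPI32(00000000), ref: 00AE2FAE
Memory Dump Source
• Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
Similarity
• API String ID: 3740051246-0
• Instruction Fuzzy Hash: 78515972208244AFD704EF64C995F6AB7F9FF88314F04882DF595972A1EB70E914CB52
APIs
  • Part of subcall function 00ADA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ADA84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AD8BD3
• connect.WSOCK32(00000000,?,00000010), ref: 00AD8BFE
Similarity
• API String ID: 3701255441-0
• Instruction Fuzzy Hash: B8214A31600214AFDB10AB68CD85B7E77A9EB58720F04845EF957AB3D2CE78EC018B61
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00ABAADA
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00ABAAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ABAB10
"""

@dataclass
class ApiCall:
    name: str        # e.g. RegOpenKeyExW
    module: str      # e.g. ADVAPI32, or LIBCMT for statically linked CRT code
    args: list       # raw argument strings as reported; '?' means unresolved
    ref: str         # call-site address, '' if not given
    subcall_of: str  # callee address when the call is made from a subroutine, else ''

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # 'Source File', 'API String ID', ...

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function\s+([0-9A-Fa-f]{8}):\s*)?"  # optional subcall prefix
    r"([A-Za-z_]\w*)\.(\w+)"                                       # Name.MODULE
    r"(?:\(((?:[^()]|\([^()]*\))*)\))?"                            # (args), one nesting level
    r"(?:,?\s*ref:\s*([0-9A-Fa-f]{8}))?$")
FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*?)$")
ARG_SPLIT_RE = re.compile(r",(?![^(]*\))")  # commas outside parentheses only

def parse_records(text):
    """One FunctionRecord per record; a record closes at its Instruction Fuzzy Hash line."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if line == "APIs" or current is None:  # API-less records begin at the dump block
                current = FunctionRecord()
                records.append(current)
        elif current is not None and section == "APIs":
            if m := API_RE.match(line):
                sub, name, module, args, ref = m.groups()
                arglist = [a.strip() for a in ARG_SPLIT_RE.split(args)] if args else []
                current.calls.append(ApiCall(name, module, arglist, ref or "", sub or ""))
        elif current is not None and (m := FIELD_RE.match(line)):
            current.fields[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":
                current = None
    return records

def api_sequence(rec, include_subcalls=False):
    """Ordered API names; by default only calls issued directly by this function."""
    return [c.name for c in rec.calls if include_subcalls or not c.subcall_of]

def has_all(rec, *wanted):
    return set(wanted) <= {c.name for c in rec.calls}

def has_arg(rec, api, needle):
    return any(c.name == api and any(needle in a for a in c.args) for c in rec.calls)

# Heuristic behaviour rules (mine, not Joe Sandbox's): label -> predicate over a record.
RULES = [
    ("remote-registry-enum", lambda r: has_all(r, "RegConnectRegistryW", "RegEnumKeyExW")),
    ("tcp-connect", lambda r: has_all(r, "socket", "connect")),
    ("synthetic-mouse-click",  # WM_LBUTTONDOWN (0x201) followed by WM_LBUTTONUP (0x202)
     lambda r: has_arg(r, "PostMessageW", "00000201") and has_arg(r, "PostMessageW", "00000202")),
    ("window-title-search", lambda r: has_all(r, "SendMessageW", "CharUpperBuffW", "_wcsstr")),
    ("token-integrity-query", lambda r: has_arg(r, "GetTokenInformation", "TokenIntegrityLevel")),
]

def tag(rec):
    return [label for label, pred in RULES if pred(rec)]

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("API String ID", "?"), api_sequence(rec), tag(rec))
```

Run directly, it prints each record's API String ID, its direct-call sequence and its labels. Two choices matter when you turn this into signatures: "Part of subcall" entries are kept but flagged in subcall_of, so a rule can decide whether APIs reached through a callee should count, and argument annotations such as 00000003(TokenIntegrityLevel) are stored verbatim rather than decoded. The second is a caveat for the GetTokenInformation record on this page: in TOKEN_INFORMATION_CLASS, TokenIntegrityLevel is 25, so treat the sandbox's label as its reading of the call and keep the raw value alongside it.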
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00ABAADA
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00ABAAE4
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ABAAF3
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00ABAAFA
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00ABAB10
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 82448c63a0e44a8fcdb343d76e9e0f68e6794f494426455691568b35d63272b6
            • Instruction ID: 489a60ea8d64cf2ed23f60ac67c2fd7a557b06ff0ad00df344a94ba45f8e3f80
            • Opcode Fuzzy Hash: 82448c63a0e44a8fcdb343d76e9e0f68e6794f494426455691568b35d63272b6
            • Instruction Fuzzy Hash: 38F06D75210208AFEB110FE4EC88EAB3BADFF5A754F004029F956D71A0DE609C42DB61
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ABAA79
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ABAA83
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ABAA92
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00ABAA99
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ABAAAF
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: a2d8da06e50730e0b7015d86bd81391f8de398c276339568a04499fb7a33777e
            • Instruction ID: 36d3176761bede0a0a6f5edfb84045dc713cbc8e2b8c9024fa2df99e6c3bd958
            • Opcode Fuzzy Hash: a2d8da06e50730e0b7015d86bd81391f8de398c276339568a04499fb7a33777e
            • Instruction Fuzzy Hash: C4F04976200204AFEB115FE4AC89EAB3BACFF5A794F80442DF945D71A1DE619C41CA71
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 00ABEC94
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00ABECAB
            • MessageBeep.USER32(00000000), ref: 00ABECC3
            • KillTimer.USER32(?,0000040A), ref: 00ABECDF
            • EndDialog.USER32(?,00000001), ref: 00ABECF9
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: e4d6a886464b966cb8f1f6195d948381769a23aaa8e2b229102459690d559866
            • Instruction ID: 166e682900ba258be607fad117077c6f6f6e61b452a6ddf35da596395911e149
            • Opcode Fuzzy Hash: e4d6a886464b966cb8f1f6195d948381769a23aaa8e2b229102459690d559866
            • Instruction Fuzzy Hash: B7013130500715ABEB259B50DE5EBD67BBCFB21705F000559B982A24E1DFF4AA88CBD0
            APIs
            • EndPath.GDI32(?), ref: 00A9B0BA
            • StrokeAndFillPath.GDI32(?,?,00AFE680,00000000,?,?,?), ref: 00A9B0D6
            • SelectObject.GDI32(?,00000000), ref: 00A9B0E9
            • DeleteObject.GDI32 ref: 00A9B0FC
            • StrokePath.GDI32(?), ref: 00A9B117
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 0476c5cbcca328387c8f0fba1c52f0045c6b002d50f0ff147f48219359919f48
            • Instruction ID: 9147497aed5356860fa04d03ab0f760c34bc6ad976c7e55a17c9c23707736e24
            • Opcode Fuzzy Hash: 0476c5cbcca328387c8f0fba1c52f0045c6b002d50f0ff147f48219359919f48
            • Instruction Fuzzy Hash: A7F01938510304EFCB219FA9ED0D7543FA4B712362F188715E429860F0CF308A95DF60
            APIs
            • CoInitialize.OLE32(00000000), ref: 00ACF2DA
            • CoCreateInstance.OLE32(00B0DA7C,00000000,00000001,00B0D8EC,?), ref: 00ACF2F2
            • CoUninitialize.OLE32 ref: 00ACF555
            Similarity
            • API ID: CreateInitializeInstanceUninitialize
            • String ID: .lnk
            • API String ID: 948891078-24824748
            • Opcode ID: 691fb5070a8b3f633591ea90fb17414ef8b05e18865db89e1acf22e8a6453bc5
            • Instruction ID: 450f04d0a07f9435a264b0c91c031cef1cf98c0751eec815aa30d87112b72725
            • Opcode Fuzzy Hash: 691fb5070a8b3f633591ea90fb17414ef8b05e18865db89e1acf22e8a6453bc5
            • Instruction Fuzzy Hash: 36A11A71204301AFD700EFA4C985EABB7E8EF98718F00495DF55597192EB70EA49CBA2
            APIs
              • Part of subcall function 00A8660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A853B1,?,?,00A861FF,?,00000000,00000001,00000000), ref: 00A8662F
            • CoInitialize.OLE32(00000000), ref: 00ACE85D
            • CoCreateInstance.OLE32(00B0DA7C,00000000,00000001,00B0D8EC,?), ref: 00ACE876
            • CoUninitialize.OLE32 ref: 00ACE893
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
            • String ID: .lnk
            • API String ID: 2126378814-24824748
            • Opcode ID: 25b585ba984c109d2ee237a92150363d3cb8adebe2e5ae518502a58122c7f64b
            • Instruction ID: b133b5506a9ce540c5a2a0e87912f232980585bb7d24828e2f7a02c1bb9d4ae2
            • Opcode Fuzzy Hash: 25b585ba984c109d2ee237a92150363d3cb8adebe2e5ae518502a58122c7f64b
            • Instruction Fuzzy Hash: 4FA121356043019FCB14EF24C984E2ABBE5BF88720F15899CF9969B3A1CB31EC45CB91
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 00AA32ED
              • Part of subcall function 00AAE0D0: __87except.LIBCMT ref: 00AAE10B
            Similarity
            • API ID: ErrorHandling__87except__start
            • String ID: pow
            • API String ID: 2905807303-2276729525
            • Opcode ID: 63b0bb1ef26cfc5b5a41da869052c87030cf7e612c3d635c3c5576d0aabaae10
            • Instruction ID: 985639d7ea0decd5258b1f6403c6bb3150ec1c9498efcb408e7b9fc67267ab29
            • Opcode Fuzzy Hash: 63b0bb1ef26cfc5b5a41da869052c87030cf7e612c3d635c3c5576d0aabaae10
            • Instruction Fuzzy Hash: 6B513A32A0C20196CF15B718C9413BA6BA4DB63750F308E69F4D5871E9DF348E989A52
            APIs
            • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00B1DC50,?,0000000F,0000000C,00000016,00B1DC50,?), ref: 00AC4645
              • Part of subcall function 00A8936C: __swprintf.LIBCMT ref: 00A893AB
              • Part of subcall function 00A8936C: __itow.LIBCMT ref: 00A893DF
            • CharUpperBuffW.USER32(?,?,00000000,?), ref: 00AC46C5
            Similarity
            • API ID: BuffCharUpper$__itow__swprintf
            • String ID: REMOVE$THIS
            • API String ID: 3797816924-776492005
            • Opcode ID: 1718ac1075e07b9e86a3e5ba66da684e9fd5eee9aeb50ef683f1067b7700d9bf
            • Instruction ID: a194b3c92de93a5cfe6b5c51e740a61bed552f86058aebf981e8c870947732ed
            • Opcode Fuzzy Hash: 1718ac1075e07b9e86a3e5ba66da684e9fd5eee9aeb50ef683f1067b7700d9bf
            • Instruction Fuzzy Hash: 79418834A002099FCF01EFA4C995EAEB7B4FF49314F15806DE916AB2A2DB30ED41CB54
            APIs
              • Part of subcall function 00AC430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00ABBC08,?,?,00000034,00000800,?,00000034), ref: 00AC4335
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00ABC1D3
              • Part of subcall function 00AC42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00ABBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00AC4300
              • Part of subcall function 00AC422F: GetWindowThreadProcessId.USER32(?,?), ref: 00AC425A
              • Part of subcall function 00AC422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00ABBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00AC426A
              • Part of subcall function 00AC422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00ABBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00AC4280
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ABC240
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ABC28D
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            • Opcode ID: b7f344ef7971b88325e8f6e3976c302ee13f524bf47f519c8e98aab7903dfb9f
            • Instruction ID: 2d5169242bae5db5a6e22e0178496b69e5ec0a32d36c5c1cf1acdaadf99c607d
            • Opcode Fuzzy Hash: b7f344ef7971b88325e8f6e3976c302ee13f524bf47f519c8e98aab7903dfb9f
            • Instruction Fuzzy Hash: A5413C72900218AFDB10EFA4CD92FEEBBB8AF19710F004099FA45B7181DA716E45CB61
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B1DC00,00000000,?,?,?,?), ref: 00AEA6D8
            • GetWindowLongW.USER32 ref: 00AEA6F5
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00AEA705
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: 9fa70cdcbca18e0e35a4ec41901e7a25c72d22e7014baf1c460bd05d2492bc13
            • Instruction ID: faf8e4052fab43a093f1c151d79fc40266e0a7ab3287ed133a6a0b9028fe9877
            • Opcode Fuzzy Hash: 9fa70cdcbca18e0e35a4ec41901e7a25c72d22e7014baf1c460bd05d2492bc13
            • Instruction Fuzzy Hash: 8831BE31600245ABDF119F79CC41BEA7BA9FB59324F244715F975D32E0CB30E8509B90
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00AEA15E
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00AEA172
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00AEA196
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            • Opcode ID: 357547c65d5a8b7407dc42cc6203573bfd824d9fc201fd837583f78e5ed8c107
            • Instruction ID: d5c123a3fb6ade429d9a3795cc2ba7fb9c1abec59bc17d7557ca5eb5e4e3d31f
            • Opcode Fuzzy Hash: 357547c65d5a8b7407dc42cc6203573bfd824d9fc201fd837583f78e5ed8c107
            • Instruction Fuzzy Hash: CD21A132510218ABEF128F94CC82FEA3BB9FF58754F110214FA556B1D0D6B5BC51CB90
            APIs
            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00AEA941
            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00AEA94F
            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00AEA956
            Similarity
            • API ID: MessageSend$DestroyWindow
            • String ID: msctls_updown32
            • API String ID: 4014797782-2298589950
            • Opcode ID: f29170021eb4fef8668ef0d23bc5b0d58039ef5cbabc2c2742fd41f32187e082
            • Instruction ID: e4c725f4757d52168e6f760db2e31132a960e8d41f8e971d12cb6658a874c8c7
            • Opcode Fuzzy Hash: f29170021eb4fef8668ef0d23bc5b0d58039ef5cbabc2c2742fd41f32187e082
            • Instruction Fuzzy Hash: 862190B5600649AFDB10DF69CC81D7737ADEB6A3A4F050459FA049B2A2CB31FC518B61
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00AE9A30
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00AE9A40
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00AE9A65
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: 4cef5cc1c06ca9ace2488109438f4afb65a23b4e654db941cd9e7b8f4aa10f90
            • Instruction ID: c0ab74082532cfcd97d82777bfd6ea8bc30a6e58873cce95103b4a7f9cd7c829
            • Opcode Fuzzy Hash: 4cef5cc1c06ca9ace2488109438f4afb65a23b4e654db941cd9e7b8f4aa10f90
            • Instruction Fuzzy Hash: 7021C272610258BFDF218F55CC85EBB3BAAEF89790F118129F9449B1A0CA719C5287A0
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00AEA46D
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00AEA482
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00AEA48F
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AA2350,?), ref: 00AA22A1
            • GetProcAddress.KERNEL32(00000000), ref: 00AA22A8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RoInitialize$combase.dll
            • API String ID: 2574300362-340411864
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AA2276), ref: 00AA2376
            • GetProcAddress.KERNEL32(00000000), ref: 00AA237D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RoUninitialize$combase.dll
            • API String ID: 2574300362-2819208100
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: LocalTime__swprintf
            • String ID: %.3d$WIN_XPe
            • API String ID: 2070861257-2409531811
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00A842EC,?,00A842AA,?), ref: 00A84304
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A84316
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-1355242751
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00AE21FB,?,00AE23EF), ref: 00AE2213
            • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00AE2225
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetProcessId$kernel32.dll
            • API String ID: 2574300362-399901964
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00A841BB,00A84341,?,00A8422F,?,00A841BB,?,?,?,?,00A839FE,?,00000001), ref: 00A84359
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A8436B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-3689287502
            APIs
            • LoadLibraryA.KERNEL32(oleaut32.dll,?,00AC051D,?,00AC05FE), ref: 00AC0547
            • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00AC0559
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegisterTypeLibForUser$oleaut32.dll
            • API String ID: 2574300362-1071820185
            APIs
            • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00AC052F,?,00AC06D7), ref: 00AC0572
            • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00AC0584
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: UnRegisterTypeLibForUser$oleaut32.dll
            • API String ID: 2574300362-1587604923
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00ADECBE,?,00ADEBBB), ref: 00ADECD6
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00ADECE8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetSystemWow64DirectoryW$kernel32.dll
            • API String ID: 2574300362-1816364905
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00ADBAD3,00000001,00ADB6EE,?,00B1DC00), ref: 00ADBAEB
            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00ADBAFD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetModuleHandleExW$kernel32.dll
            • API String ID: 2574300362-199464113
            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,00AE3BD1,?,00AE3E06), ref: 00AE3BE9
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00AE3BFB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2574300362-4033151799
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            APIs
            • CoInitialize.OLE32(00000000), ref: 00ADAAB4
            • CoUninitialize.OLE32 ref: 00ADAABF
              • Part of subcall function 00AC0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00AC027B
            • VariantInit.OLEAUT32(?), ref: 00ADAACA
            • VariantClear.OLEAUT32(?), ref: 00ADAD9D
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
            • String ID:
            • API String ID: 780911581-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Variant$AllocClearCopyInitString
            • String ID:
            • API String ID: 2808897238-0
            APIs
            • GetWindowRect.USER32(013F7A58,?), ref: 00AEC544
            • ScreenToClient.USER32(?,00000002), ref: 00AEC574
            • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00AEC5DA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: d41e6609bc6a49a98ed8a277c803ccea3aff1c3707888ea81dd4a5fe05b7ed59
            • Instruction ID: 15a5b5f6dff580fdc3c44271c47a16bf6a3b062e6c3c932d93617d317b7a1fd5
            • Opcode Fuzzy Hash: d41e6609bc6a49a98ed8a277c803ccea3aff1c3707888ea81dd4a5fe05b7ed59
            • Instruction Fuzzy Hash: B2514F75A00245EFCF20DF69C880AAE7BB6FF55360F108659F9659B290D730ED82CB90
            APIs
            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00ABC462
            • __itow.LIBCMT ref: 00ABC49C
              • Part of subcall function 00ABC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00ABC753
            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00ABC505
            • __itow.LIBCMT ref: 00ABC55A
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend$__itow
            • String ID:
            • API String ID: 3379773720-0
            • Opcode ID: 9d4d8478dd7e43b775d1c6ec5f717572ff4c9a25061a04e87931ec7fd8746e6f
            • Instruction ID: e472c608771c166aac8af26759762e308723dd1fefde583ae4505394cdb2574c
            • Opcode Fuzzy Hash: 9d4d8478dd7e43b775d1c6ec5f717572ff4c9a25061a04e87931ec7fd8746e6f
            • Instruction Fuzzy Hash: 5941F871A00209AFDF25FF64C956FEE7BB9AF49720F000059F905A3282DB709A45CBA1
            APIs
            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AC3966
            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00AC3982
            • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00AC39EF
            • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00AC3A4D
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 290b6622a477fee5e70599604ef52c6ca802f8842b4109cfdbdc18061e61a94b
            • Instruction ID: 543a176fe65b74c659feff3e133936b3caf39d6bef2b8d6bdfa352cdfad0a58e
            • Opcode Fuzzy Hash: 290b6622a477fee5e70599604ef52c6ca802f8842b4109cfdbdc18061e61a94b
            • Instruction Fuzzy Hash: 7E412772A04208AEEF308B648815FFDBBB5AB59310F05815EE4C1A72C1CBB58E85D765
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00ACE742
            • GetLastError.KERNEL32(?,00000000), ref: 00ACE768
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00ACE78D
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00ACE7B9
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: 2d9098547f652ed2f948c178b2aa2d3e7c9b6e437a98df43f4e7041bf3e12137
            • Instruction ID: 0976d49c03158e76bd3738b665a4151f534949d8e333a1634f1714d9d4714acb
            • Opcode Fuzzy Hash: 2d9098547f652ed2f948c178b2aa2d3e7c9b6e437a98df43f4e7041bf3e12137
            • Instruction Fuzzy Hash: 464102396006109FCF11EF55CA45A5EBBE5FF99720B098498E946AF3A2CB30FD00DB91
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00AEB5D1
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: 89442f42f03bf5d5d18233b25efa34878adc8c4b188cdef4bb5b8250682d2001
            • Instruction ID: 9b763074825ec601c987bfb2bcc756b1da88075a6153bf8b645de08d83efd0c7
            • Opcode Fuzzy Hash: 89442f42f03bf5d5d18233b25efa34878adc8c4b188cdef4bb5b8250682d2001
            • Instruction Fuzzy Hash: E731BE74621284BBEF209F5ACC8DFAA7765EB06350F644502FA52E72E1CB30E9409B71
            APIs
            • ClientToScreen.USER32(?,?), ref: 00AED807
            • GetWindowRect.USER32(?,?), ref: 00AED87D
            • PtInRect.USER32(?,?,00AEED5A), ref: 00AED88D
            • MessageBeep.USER32(00000000), ref: 00AED8FE
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: 2fa85c47106222058e90469303877223436ee28ff9a0fa0461265133acd47598
            • Instruction ID: 773e08982af9cc49e595a95482069a2b538569d6ee1b9cf7675632413773d0ee
            • Opcode Fuzzy Hash: 2fa85c47106222058e90469303877223436ee28ff9a0fa0461265133acd47598
            • Instruction Fuzzy Hash: 2641CC75A00298DFCF11DF9AC884BA9BBF5FF49350F1981A9E814CB2A1DB30E941CB41
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00AC3AB8
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AC3AD4
            • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00AC3B34
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00AC3B92
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 1caf61569266b2bae075ff93fe6730d76042925af7915fb1dabbc9c61d434018
            • Instruction ID: bb7fff59534c5fb1e11f98d987f322fe09250dccaba3ec601e448b97dd07fee8
            • Opcode Fuzzy Hash: 1caf61569266b2bae075ff93fe6730d76042925af7915fb1dabbc9c61d434018
            • Instruction Fuzzy Hash: 4D316672A00258AEEF309BA48C19FFE7BB59B55310F06815EE482A32D1CB758F45C761
            APIs
            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AB4038
            • __isleadbyte_l.LIBCMT ref: 00AB4066
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00AB4094
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00AB40CA
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
            • String ID:
            • API String ID: 3058430110-0
            • Opcode ID: 404080ef4be128e00447de4f6da0f1b367d2d29427f5409f0ec2beaa192a022a
            • Instruction ID: 28b711310f614ffd17c367b246e10f9d5481cb5c321699276803550ff0c8981e
            • Opcode Fuzzy Hash: 404080ef4be128e00447de4f6da0f1b367d2d29427f5409f0ec2beaa192a022a
            • Instruction Fuzzy Hash: 7A31D030600256AFDB21AF74C844BFA7BB9FF49310F158028EA618B0E3E735D890DB90
            APIs
            • GetForegroundWindow.USER32 ref: 00AE7CB9
              • Part of subcall function 00AC5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AC5F6F
              • Part of subcall function 00AC5F55: GetCurrentThreadId.KERNEL32 ref: 00AC5F76
              • Part of subcall function 00AC5F55: AttachThreadInput.USER32(00000000,?,00AC781F), ref: 00AC5F7D
            • GetCaretPos.USER32(?), ref: 00AE7CCA
            • ClientToScreen.USER32(00000000,?), ref: 00AE7D03
            • GetForegroundWindow.USER32 ref: 00AE7D09
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: ed4eea4f8b2d86f507af7bd1f2db571db274eb18146f6a76e344592485eecec8
            • Instruction ID: 988db4785eb2fc74a9f3e291fc8ad67d3b6835168ef4be233a64ff9df0df1a92
            • Opcode Fuzzy Hash: ed4eea4f8b2d86f507af7bd1f2db571db274eb18146f6a76e344592485eecec8
            • Instruction Fuzzy Hash: 79311E72E00108AFDB01EFA9D9859EFBBF9EF54314B11846AF815E3211DA319E45CBA0
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • GetCursorPos.USER32(?), ref: 00AEF211
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AFE4C0,?,?,?,?,?), ref: 00AEF226
            • GetCursorPos.USER32(?), ref: 00AEF270
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AFE4C0,?,?,?), ref: 00AEF2A6
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: ad53d43b79f396424862c0b9817005e5e8d942ddd3bb78e20a0632e40b2d8d7d
            • Instruction ID: 601a3dec6b36d1309b0bf0d940f36e9b6fae5cd866e8ab6d02350a3cb2ae2d5f
            • Opcode Fuzzy Hash: ad53d43b79f396424862c0b9817005e5e8d942ddd3bb78e20a0632e40b2d8d7d
            • Instruction Fuzzy Hash: 38219139600058AFDB159F99DC58EEE7BB5FF0A710F044469FA054B2A1D7309D51DB60
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AD4358
              • Part of subcall function 00AD43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00AD4401
              • Part of subcall function 00AD43E2: InternetCloseHandle.WININET(00000000), ref: 00AD449E
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Internet$CloseConnectHandleOpen
            • String ID:
            • API String ID: 1463438336-0
            • Opcode ID: c3aabcfc837586fdc4c727c0b99b2e7f9f87e8b68adb131f3bd9ade678285b4f
            • Instruction ID: bbdd28643caeca55c63fc03e049a7a243d1c10d6616a890083702fcfa9a1f10a
            • Opcode Fuzzy Hash: c3aabcfc837586fdc4c727c0b99b2e7f9f87e8b68adb131f3bd9ade678285b4f
            • Instruction Fuzzy Hash: CE219235204A05BFDB129F649C00FBBB7B9FF58710F14401BBA569B790DB71D821A790
            APIs
            • GetWindowLongW.USER32(?,000000EC), ref: 00AE8AA6
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AE8AC0
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00AE8ACE
            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00AE8ADC
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$Long$AttributesLayered
            • String ID:
            • API String ID: 2169480361-0
            • Opcode ID: e9dd5d05ab1c55513225f2cba3c5e95b8b54a310bcb7dbb72517e980c5527e0d
            • Instruction ID: 310c1f21b2b097d834652bf8234d329e539c11ff939c1fd1f99a55359bb752fe
            • Opcode Fuzzy Hash: e9dd5d05ab1c55513225f2cba3c5e95b8b54a310bcb7dbb72517e980c5527e0d
            • Instruction Fuzzy Hash: 6E119D31305111AFDB04AB69CD05FBE77A9BF95360F19412AF92AD72E2DF74AC008B94
            APIs
            • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00AD8AE0
            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00AD8AF2
            • accept.WSOCK32(00000000,00000000,00000000), ref: 00AD8AFF
            • WSAGetLastError.WSOCK32(00000000), ref: 00AD8B16
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ErrorLastacceptselect
            • String ID:
            • API String ID: 385091864-0
            • Opcode ID: f83d36517468bee4a657cfed989d752e9a5e9ffa0cd7cc3a27f642cbf9fa2cac
            • Instruction ID: f912f796e2475166924fcdad17cc0129ae06da1d0b269973bbcf06239cbe3bb1
            • Opcode Fuzzy Hash: f83d36517468bee4a657cfed989d752e9a5e9ffa0cd7cc3a27f642cbf9fa2cac
            • Instruction Fuzzy Hash: A1216372A00124AFC7119F69C985A9EBBFCEF59350F00816AF84AD7291DB74DE418F90
            APIs
              • Part of subcall function 00AC1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AC0ABB,?,?,?,00AC187A,00000000,000000EF,00000119,?,?), ref: 00AC1E77
              • Part of subcall function 00AC1E68: lstrcpyW.KERNEL32(00000000,?), ref: 00AC1E9D
              • Part of subcall function 00AC1E68: lstrcmpiW.KERNEL32(00000000,?,00AC0ABB,?,?,?,00AC187A,00000000,000000EF,00000119,?,?), ref: 00AC1ECE
            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AC187A,00000000,000000EF,00000119,?,?,00000000), ref: 00AC0AD4
            • lstrcpyW.KERNEL32(00000000,?), ref: 00AC0AFA
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00AC187A,00000000,000000EF,00000119,?,?,00000000), ref: 00AC0B2E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: 991e3c227cbc9a1b95f0bed88ac697421fb7962a433668b66f98229c6350ad76
            • Instruction ID: 0fab60d2a5bd2a7978f744519f195fcd6c8ecea6a9e73354e5bffc5ac0d48ae9
            • Opcode Fuzzy Hash: 991e3c227cbc9a1b95f0bed88ac697421fb7962a433668b66f98229c6350ad76
            • Instruction Fuzzy Hash: A9118E3A200305EFDB25AF64DC45E7A77B8FF49354B81406AE906CB2A0EB719850C7A0
            APIs
            • _free.LIBCMT ref: 00AB2FB5
              • Part of subcall function 00AA395C: __FF_MSGBANNER.LIBCMT ref: 00AA3973
              • Part of subcall function 00AA395C: __NMSG_WRITE.LIBCMT ref: 00AA397A
              • Part of subcall function 00AA395C: RtlAllocateHeap.NTDLL(013D0000,00000000,00000001,00000001,00000000,?,?,00A9F507,?,0000000E), ref: 00AA399F
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 7edd4c5f2e9cd45e4909c481f1f92517a7384401d92bd5ff7548ddddc76ef209
            • Instruction ID: 460a09a8e60ed94a221dea4d70da48f32718c9e0cef0e3ead26e1825c16e8436
            • Opcode Fuzzy Hash: 7edd4c5f2e9cd45e4909c481f1f92517a7384401d92bd5ff7548ddddc76ef209
            • Instruction Fuzzy Hash: F011A332509216ABDF213FB4AD057BA3BACAF55370F204526F9499B1D2DF34CD509B90
            APIs
            • _memset.LIBCMT ref: 00A9EBB2
              • Part of subcall function 00A851AF: _memset.LIBCMT ref: 00A8522F
              • Part of subcall function 00A851AF: _wcscpy.LIBCMT ref: 00A85283
              • Part of subcall function 00A851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A85293
            • KillTimer.USER32(?,00000001,?,?), ref: 00A9EC07
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A9EC16
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AF3C88
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
            • String ID:
            • API String ID: 1378193009-0
            • Opcode ID: 905367d2fdd128a8daa6162dbda093f8baa96bc285e05a53a63166c1637865db
            • Instruction ID: 306b9289928935fc3ad68fefb04af39398d9b5373fe6ae8ae807813b822dff8c
            • Opcode Fuzzy Hash: 905367d2fdd128a8daa6162dbda093f8baa96bc285e05a53a63166c1637865db
            • Instruction Fuzzy Hash: EF21D771904784AFEB32DB68C859BF7BFFC9B11308F04048DE68E57282C7746A898B51
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00AC05AC
            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00AC05C7
            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00AC05DD
            • FreeLibrary.KERNEL32(?), ref: 00AC0632
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Type$FileFreeLibraryLoadModuleNameRegister
            • String ID:
            • API String ID: 3137044355-0
            • Opcode ID: 8debbd720914b0481e4d5b31cc0ad45cf9ff5940fa04e709c4e0d24bc67aa070
            • Instruction ID: 19a9a51290d99c374b939559b9ca095e0a9396c2aa9f331ce9eada9d957df28c
            • Opcode Fuzzy Hash: 8debbd720914b0481e4d5b31cc0ad45cf9ff5940fa04e709c4e0d24bc67aa070
            • Instruction Fuzzy Hash: 1C215971900209EFDB20CF95DC88FDABBB8EB50700F01846DA516A7150EBB0EA559B50
            APIs
            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AC6733
            • _memset.LIBCMT ref: 00AC6754
            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AC67A6
            • CloseHandle.KERNEL32(00000000), ref: 00AC67AF
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle_memset
            • String ID:
            • API String ID: 1157408455-0
            • Opcode ID: d62a47d6132beca7ed723d7f1c0e80b6254599274a97874bcccb661f7f4a4806
            • Instruction ID: 17599b216eec7fee6059a788afa270e29199524af4ee8655502027847d5f71f4
            • Opcode Fuzzy Hash: d62a47d6132beca7ed723d7f1c0e80b6254599274a97874bcccb661f7f4a4806
            • Instruction Fuzzy Hash: 411106729012287AE7209BA5AC4DFABBABCEF44764F10459AF504E71C0D6744E808BA4
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: BrowseFolderFromListPathUninitialize_memset
            • String ID:
            • API String ID: 339692624-0
            • Opcode ID: 88abe8096fada4b3b22cb6d5f11e05adffd95a2cbc36312ebfc94b3f95af2d22
            • Instruction ID: 2181f68191b0f25269fb96696ab6a4cddbea6c802a519bf029e980640e34a68a
            • Opcode Fuzzy Hash: 88abe8096fada4b3b22cb6d5f11e05adffd95a2cbc36312ebfc94b3f95af2d22
            • Instruction Fuzzy Hash: 9D21EA71D0061D9BCB11EFA4DC88ADEBBB9BF88315F04806AE409E7251EB349A85CF54
            APIs
              • Part of subcall function 00ABAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ABAA79
              • Part of subcall function 00ABAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ABAA83
              • Part of subcall function 00ABAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ABAA92
              • Part of subcall function 00ABAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00ABAA99
              • Part of subcall function 00ABAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ABAAAF
            • GetLengthSid.ADVAPI32(?,00000000,00ABADE4,?,?), ref: 00ABB21B
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00ABB227
            • HeapAlloc.KERNEL32(00000000), ref: 00ABB22E
            • CopySid.ADVAPI32(?,00000000,?), ref: 00ABB247
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
            • String ID:
            • API String ID: 4217664535-0
            • Opcode ID: d0f15a4110a46a3f6192b4334f5dbd52adcda8ffa2c3471b09abf84441e769b0
            • Instruction ID: 1089e75f4c236bb6847a949b6cf8967eefd0b9d00f674376dd2c9391208423c0
            • Opcode Fuzzy Hash: d0f15a4110a46a3f6192b4334f5dbd52adcda8ffa2c3471b09abf84441e769b0
            • Instruction Fuzzy Hash: AE11CE71A10205EFCB04DF98CC95AEEB7BDEF94304F14802DE942A7252DB71AE44CB20
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00ABB498
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ABB4AA
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ABB4C0
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ABB4DB
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 71d82a57097cf30aa6c6d0648b973b7021803c04716b12646e5fb1f344da1351
            • Instruction ID: 861862cd9241044ecc19ddb729659e725060b8a30d2529cf3481baca808b9037
            • Opcode Fuzzy Hash: 71d82a57097cf30aa6c6d0648b973b7021803c04716b12646e5fb1f344da1351
            • Instruction Fuzzy Hash: D5112A7A900218FFDB11DFA9C985EDDBBB8FB08710F204091E604B7295D771AE11DBA4
            APIs
              • Part of subcall function 00A9B34E: GetWindowLongW.USER32(?,000000EB), ref: 00A9B35F
            • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00A9B5A5
            • GetClientRect.USER32(?,?), ref: 00AFE69A
            • GetCursorPos.USER32(?), ref: 00AFE6A4
            • ScreenToClient.USER32(?,?), ref: 00AFE6AF
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: d4fc033fe5a23c0bb6c584a1a5582b778128b703f08feb44708b683635b0b1fb
            • Instruction ID: a34d1e93bde3666b99bf70c3255e390ec8332c4629c49694fbab5e6200a67a47
            • Opcode Fuzzy Hash: d4fc033fe5a23c0bb6c584a1a5582b778128b703f08feb44708b683635b0b1fb
            • Instruction Fuzzy Hash: 4911F535A10029BFCF10DF98DE459AE77B9EB19304F510455F902E7150D734AA91CBB1
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00AC7352
            • MessageBoxW.USER32(?,?,?,?), ref: 00AC7385
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AC739B
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AC73A2
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
            • String ID:
            • API String ID: 2880819207-0
            • Opcode ID: 2650783df9716bdc3f76477609909260b625b0997632dbba4a4b2a4f077cb240
            • Instruction ID: fdead6915410cc0af730708f6e434e9f930c89c3b82ff09bdfcb21a8265467af
            • Opcode Fuzzy Hash: 2650783df9716bdc3f76477609909260b625b0997632dbba4a4b2a4f077cb240
            • Instruction Fuzzy Hash: 2711E5B6A04254BBC7029BA8DC05F9E7BE9AB45320F044319F921E3291DAB08A009BA0
            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A9D1BA
            • GetStockObject.GDI32(00000011), ref: 00A9D1CE
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A9D1D8
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CreateMessageObjectSendStockWindow
            • String ID:
            • API String ID: 3970641297-0
            • Opcode ID: 1e8e3bb22d3169b2bd53eecc03087969521bb694cdf60ff72497d9dc8a80ac09
            • Instruction ID: 533637787918257c69406d7d438e99920fbcd6dac49ee4fef0a191d01295a962
            • Opcode Fuzzy Hash: 1e8e3bb22d3169b2bd53eecc03087969521bb694cdf60ff72497d9dc8a80ac09
            • Instruction Fuzzy Hash: A611C073601509BFEF024F94DC50EEABBA9FF19364F144201FA1552060CB31DDA0DBA0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
            • Instruction ID: 8be1e3f149ec33d114c320dcd58721e9085add3714c3e678431bab2a23369f85
            • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
            • Instruction Fuzzy Hash: 9901483240014ABBCF125F94DD118EE3F6BBB1C350B588555FA2859132D336DAB2AB81
            APIs
              • Part of subcall function 00AA7A0D: __getptd_noexit.LIBCMT ref: 00AA7A0E
            • __lock.LIBCMT ref: 00AA748F
            • InterlockedDecrement.KERNEL32(?), ref: 00AA74AC
            • _free.LIBCMT ref: 00AA74BF
            • InterlockedIncrement.KERNEL32(013E1A78), ref: 00AA74D7
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
            • String ID:
            • API String ID: 2704283638-0
            • Opcode ID: 0b0eb857e2218c0e59c6f8e7e1ecf8a07ddb23f2f951f8c56608aef8f26a3ef5
            • Instruction ID: 3e345849e3f01582f123406422fc0afea6dbb5c7ea5c2da95122a9b34a50f10e
            • Opcode Fuzzy Hash: 0b0eb857e2218c0e59c6f8e7e1ecf8a07ddb23f2f951f8c56608aef8f26a3ef5
            • Instruction Fuzzy Hash: E8019232909B21ABC712AF649E4976EBBB0BF0A721F254019F864A76D0CB345941CFD6
            APIs
            • __lock.LIBCMT ref: 00AA7AD8
              • Part of subcall function 00AA7CF4: __mtinitlocknum.LIBCMT ref: 00AA7D06
              • Part of subcall function 00AA7CF4: EnterCriticalSection.KERNEL32(00000000,?,00AA7ADD,0000000D), ref: 00AA7D1F
            • InterlockedIncrement.KERNEL32(?), ref: 00AA7AE5
            • __lock.LIBCMT ref: 00AA7AF9
            • ___addlocaleref.LIBCMT ref: 00AA7B17
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
            • String ID:
            • API String ID: 1687444384-0
            • Opcode ID: 0ed91422b9972e2397f7048b6bd76ca0546eef6d7db2938045ecfe321c2d5682
            • Instruction ID: 790fd038923b51a7c85dd6a65977d9c4a855d703ded9e41c5d1d2904b7dacd01
            • Opcode Fuzzy Hash: 0ed91422b9972e2397f7048b6bd76ca0546eef6d7db2938045ecfe321c2d5682
            • Instruction Fuzzy Hash: 20016D72504B009FD721DF75CA0674ABBF0EF51325F20894EE49A976E0CB70A640CF11
            APIs
            • _memset.LIBCMT ref: 00AEE33D
            • _memset.LIBCMT ref: 00AEE34C
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B43D00,00B43D44), ref: 00AEE37B
            • CloseHandle.KERNEL32 ref: 00AEE38D
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _memset$CloseCreateHandleProcess
            • String ID:
            • API String ID: 3277943733-0
            • Opcode ID: eee97871e51af9f60c1dab95c6c00256f48252992c4dc55a70626774e2862580
            • Instruction ID: 3b63135f2a8053e87a91661443ed467a46912ffff1c584f6ba76a37c0560c107
            • Opcode Fuzzy Hash: eee97871e51af9f60c1dab95c6c00256f48252992c4dc55a70626774e2862580
            • Instruction Fuzzy Hash: 66F05EF6940314BBE2105B65AC45F777EECEB16B58F044431BE08DB1E2DB759F0096A8
            APIs
              • Part of subcall function 00A9AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00A9AFE3
              • Part of subcall function 00A9AF83: SelectObject.GDI32(?,00000000), ref: 00A9AFF2
              • Part of subcall function 00A9AF83: BeginPath.GDI32(?), ref: 00A9B009
              • Part of subcall function 00A9AF83: SelectObject.GDI32(?,00000000), ref: 00A9B033
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00AEEA8E
            • LineTo.GDI32(00000000,?,?), ref: 00AEEA9B
            • EndPath.GDI32(00000000), ref: 00AEEAAB
            • StrokePath.GDI32(00000000), ref: 00AEEAB9
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: 2105309b5e26bbb8f5c74039ca27af27db3aa9f5a0a1a5fd25719356480d6e75
            • Instruction ID: 703fd127a5ed2dce109f5d1bfbcb7d5544c9a1be379ce5e74b93b380d458d09c
            • Opcode Fuzzy Hash: 2105309b5e26bbb8f5c74039ca27af27db3aa9f5a0a1a5fd25719356480d6e75
            • Instruction Fuzzy Hash: F3F08231005259BBDB129F98ED0DFCE3F59AF26311F044105FE15660E18B749651CBD5
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ABC84A
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ABC85D
            • GetCurrentThreadId.KERNEL32 ref: 00ABC864
            • AttachThreadInput.USER32(00000000), ref: 00ABC86B
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: c36b58cc7e66e250dcfe41e37325910ee106c1fc1399a1277fd0dd61ff429fec
            • Instruction ID: 301a8aafb41abd7d88627ccd0c7fad727844474f9e9734248a27f2e0c4c75685
            • Opcode Fuzzy Hash: c36b58cc7e66e250dcfe41e37325910ee106c1fc1399a1277fd0dd61ff429fec
            • Instruction Fuzzy Hash: 8DE0E57154122476DB115FE1DC0DEDB7F5CEF157B1F408015B60D96491CA72C581D7E0
            APIs
            • GetCurrentThread.KERNEL32 ref: 00ABB0D6
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00ABAC9D), ref: 00ABB0DD
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00ABAC9D), ref: 00ABB0EA
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00ABAC9D), ref: 00ABB0F1
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: 6a9661d31da8dc344d1e84c6bc4516becf4190e84723e000656b9dd9296e722a
            • Instruction ID: 2bd18a9d5ded1b44e14f1d0ab15f1c6bed36b2c15984485cc3ca1725bd12c706
            • Opcode Fuzzy Hash: 6a9661d31da8dc344d1e84c6bc4516becf4190e84723e000656b9dd9296e722a
            • Instruction Fuzzy Hash: 31E086726012119BD7206FF15C0CB973BACEF65791F018818F245D70C0EF748401C760
            APIs
            • GetSysColor.USER32(00000008), ref: 00A9B496
            • SetTextColor.GDI32(?,000000FF), ref: 00A9B4A0
            • SetBkMode.GDI32(?,00000001), ref: 00A9B4B5
            • GetStockObject.GDI32(00000005), ref: 00A9B4BD
            • GetWindowDC.USER32(?,00000000), ref: 00AFDE2B
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00AFDE38
            • GetPixel.GDI32(00000000,?,00000000), ref: 00AFDE51
            • GetPixel.GDI32(00000000,00000000,?), ref: 00AFDE6A
            • GetPixel.GDI32(00000000,?,?), ref: 00AFDE8A
            • ReleaseDC.USER32(?,00000000), ref: 00AFDE95
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
            • String ID:
            • API String ID: 1946975507-0
            • Opcode ID: e28481847b4ea3aed09dd00ecc4e6dd850306587cbe6a557bff8b0ccee0a41d0
            • Instruction ID: 16a558eca18140cab0514f4ba3dae58dc93adf0cc893afb5fb74108eaf95546b
            • Opcode Fuzzy Hash: e28481847b4ea3aed09dd00ecc4e6dd850306587cbe6a557bff8b0ccee0a41d0
            • Instruction Fuzzy Hash: 14E0ED31100244AADF225BA4EC0DBE87F11AB65339F14C666FB69690E1CB718591DB11
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 91dac934ab5754a09940e877b88c099706482bd9394d371ec13341a3d992790f
            • Instruction ID: 22545b183824ee74291c3a8b66ed111494509aba0a4046db8f153d4e331e322a
            • Opcode Fuzzy Hash: 91dac934ab5754a09940e877b88c099706482bd9394d371ec13341a3d992790f
            • Instruction Fuzzy Hash: 7FE046B1200204EFEB005FB0C848A6E7BF8EB5C360F11C80AFD5A8B290DF7598808B50
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ABB2DF
            • UnloadUserProfile.USERENV(?,?), ref: 00ABB2EB
            • CloseHandle.KERNEL32(?), ref: 00ABB2F4
            • CloseHandle.KERNEL32(?), ref: 00ABB2FC
              • Part of subcall function 00ABAB24: GetProcessHeap.KERNEL32(00000000,?,00ABA848), ref: 00ABAB2B
              • Part of subcall function 00ABAB24: HeapFree.KERNEL32(00000000), ref: 00ABAB32
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: 34a7a8112862ae9fe58c5decc513c258b9bd293ebbd2747bbd13d906d65c99f9
            • Instruction ID: a2af112edd855f40a5f1b35ec23892980380d3080bff442537143b73fa48278d
            • Opcode Fuzzy Hash: 34a7a8112862ae9fe58c5decc513c258b9bd293ebbd2747bbd13d906d65c99f9
            • Instruction Fuzzy Hash: 39E0EC3A104005BFCB012FE5EC08859FFBAFFA83213109621F625825B1CF32A871EB95
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 3f065ed7b4ea294421842649daa7c226e99f02c47547238b3d71b53fd4658f8d
            • Instruction ID: a30da7ef578c78736fc71772ba2a071a930265088edfdb5bb36d0091b5ea9966
            • Opcode Fuzzy Hash: 3f065ed7b4ea294421842649daa7c226e99f02c47547238b3d71b53fd4658f8d
            • Instruction Fuzzy Hash: 16E046B1600200EFDF005FB0C84862D7BE8EB5C350F118809F95E8B2A0DF7A98408B00
            APIs
            • OleSetContainedObject.OLE32(?,00000001), ref: 00ABDEAA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ContainedObject
            • String ID: AutoIt3GUI$Container
            • API String ID: 3565006973-3941886329
            • Opcode ID: dffaacb7aa1d9363cca0c4b7f9ab0860c064f28101ea5a2a312f0b3af05dd3b7
            • Instruction ID: 5ee9ffe9235a48cc47ccdb227647f5cbbb1825bebdc8898b1c6a8f86924ffeb1
            • Opcode Fuzzy Hash: dffaacb7aa1d9363cca0c4b7f9ab0860c064f28101ea5a2a312f0b3af05dd3b7
            • Instruction Fuzzy Hash: 3A9128706006019FDB14DF64C884BAABBF9FF49714F24856DF94ACB292EB71E841CB60
            APIs
            • Sleep.KERNEL32(00000000), ref: 00A9BCDA
            • GlobalMemoryStatusEx.KERNEL32 ref: 00A9BCF3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: 8cb9f75828f7fa30fc102d2cc6f76ab6bc217e4832e566544198197f707f5bf6
            • Instruction ID: 3e4e5e87800795087f2e994589eb1a6e01372b6fa2a2efa2f763b6604db7f132
            • Opcode Fuzzy Hash: 8cb9f75828f7fa30fc102d2cc6f76ab6bc217e4832e566544198197f707f5bf6
            • Instruction Fuzzy Hash: 99513471509744ABE720AF54ED86BAFBBE8FF94354F41484EF1C8420A2DF7085A8C752
            APIs
              • Part of subcall function 00A844ED: __fread_nolock.LIBCMT ref: 00A8450B
            • _wcscmp.LIBCMT ref: 00ACC65D
            • _wcscmp.LIBCMT ref: 00ACC670
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: _wcscmp$__fread_nolock
            • String ID: FILE
            • API String ID: 4029003684-3121273764
            • Opcode ID: 934138ef4f8fb6edeec9c6e83fa7e323e157caa37ae613fa5d7ea8e698f0591a
            • Instruction ID: 0e2a926f49c46b83a68810848eca450c34546fdf6b264c8eb369e14905d40704
            • Opcode Fuzzy Hash: 934138ef4f8fb6edeec9c6e83fa7e323e157caa37ae613fa5d7ea8e698f0591a
            • Instruction Fuzzy Hash: 3C41C472A0020ABBDF20ABA4DD42FEF77B9AF49714F010469F605EB181D7759A04CB65
            APIs
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00AEA85A
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00AEA86F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            • Opcode ID: 1a230461b1d21e1adaf5c72ffbb3ac5ea3691beec5d5d7953c0764b3b9fa5a2e
            • Instruction ID: 3bc097dfa44f8ffa9948d0c4b089066cae2f810da06e07c6f4768683dd42881a
            • Opcode Fuzzy Hash: 1a230461b1d21e1adaf5c72ffbb3ac5ea3691beec5d5d7953c0764b3b9fa5a2e
            • Instruction Fuzzy Hash: AD411874E013499FDB14CFA9C880BDA7BB9FB19300F11006AE909EB381D770A942CFA1
            APIs
            • _memset.LIBCMT ref: 00AD5190
            • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 00AD51C6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: CrackInternet_memset
            • String ID: |
            • API String ID: 1413715105-2343686810
            • Opcode ID: 7b91c351cbd5abd72d856f5ba3e32abcfa8aba21a8915021b13b24e2559e61e8
            • Instruction ID: b4489567540eadbfbf5a36ecb3464b377e28f5bdaabd4ad9d565fd9a9f35d67a
            • Opcode Fuzzy Hash: 7b91c351cbd5abd72d856f5ba3e32abcfa8aba21a8915021b13b24e2559e61e8
            • Instruction Fuzzy Hash: 3E310A71C00119ABCF11EFA4CD85AEE7FB9FF14750F10011AF815A6266EB31AA56DFA0
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00AE980E
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00AE984A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: 4ae2703e4a0cf68e796c35e08bf5f5912ff1c82ffbc2a7b1bec3deab7ffe05a4
            • Instruction ID: 94bc1381c92e0d5e5e0821a10edd23a46e3a00a17640f0f2d090b335a831c997
            • Opcode Fuzzy Hash: 4ae2703e4a0cf68e796c35e08bf5f5912ff1c82ffbc2a7b1bec3deab7ffe05a4
            • Instruction Fuzzy Hash: 40318D71110644AEEB109F79CC80BFB73A9FF59760F108619F9A9C71A0DB31AC81CB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: __snwprintf
            • String ID: , $$AUTOITCALLVARIABLE%d
            • API String ID: 2391506597-2584243854
            • Opcode ID: 7c86d17adbf2ce6d1be202171344a7439c9f2b5f368a02ef41bf02f4f480d10c
            • Instruction ID: 5a42add9f287299d850cd1dee61632ebe59393af9bf8f25167f42bdd91bc1dd9
            • Opcode Fuzzy Hash: 7c86d17adbf2ce6d1be202171344a7439c9f2b5f368a02ef41bf02f4f480d10c
            • Instruction Fuzzy Hash: D4217171A00218AFCF14FFA4CD82EEE77B5AF45740F1404AAF505AB291DB70EA55CBA1
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00AE945C
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00AE9467
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: e092f5c3871aab4f9fba3dfe0193b19d63ec1c760dc5eef04c39122b893cedc9
            • Instruction ID: d24f95d6f7747729588cff0d9a7ff0ece29834f69190828701b66d39fbedb483
            • Opcode Fuzzy Hash: e092f5c3871aab4f9fba3dfe0193b19d63ec1c760dc5eef04c39122b893cedc9
            • Instruction Fuzzy Hash: 061182713107496FEF11DF55DC80EBB376EEB583A4F104129F9199B2E0D6719C528760
            APIs
              • Part of subcall function 00A9D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A9D1BA
              • Part of subcall function 00A9D17C: GetStockObject.GDI32(00000011), ref: 00A9D1CE
              • Part of subcall function 00A9D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A9D1D8
            • GetWindowRect.USER32(00000000,?), ref: 00AE9968
            • GetSysColor.USER32(00000012), ref: 00AE9982
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 490961d9f17aaf67ecbb47623812a54ec7de94d3dfa1fc0aea731418be895a50
            • Instruction ID: d79e9e0b9b333fe10c32973bb8c6081876043a56480b5a99f9a78139c6f64515
            • Opcode Fuzzy Hash: 490961d9f17aaf67ecbb47623812a54ec7de94d3dfa1fc0aea731418be895a50
            • Instruction Fuzzy Hash: 78113772620209AFDF04DFB8CC45AEA7BB8FB08344F014A29F955E3261E735E850DB60
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 00AE9699
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00AE96A8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: fa4182931c5b9fbc4f37cd75a652e0c6b0a614cf60f48ee970c2d04ae3d7438b
            • Instruction ID: f26d62b976b2c77376dc512ede2caa76ec6788e682d11acbf5ef20a375df8587
            • Opcode Fuzzy Hash: fa4182931c5b9fbc4f37cd75a652e0c6b0a614cf60f48ee970c2d04ae3d7438b
            • Instruction Fuzzy Hash: 69118C71500288ABEF119FA9DC40EEB3B6EEB15378F504716F965971E0C735DC909760
            APIs
            • _memset.LIBCMT ref: 00AC52D5
            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AC52F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: d3cfed5f2cd09159eafb5cccebb561a1399243e7babad91f49fb328de18baf1a
            • Instruction ID: f7339f8cac5c6158651454f6bf98ba97cf2b9ddb6a73ae1b3197bfaf5c0db7cc
            • Opcode Fuzzy Hash: d3cfed5f2cd09159eafb5cccebb561a1399243e7babad91f49fb328de18baf1a
            • Instruction Fuzzy Hash: CC11D076E01654ABDB20DBA8D904F9977F8AB46790F060029F942EB290D7B0BE84C790
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AD4DF5
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AD4E1E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: 1d59949d289a10a3b23c15f9d2defd3c6582df197bb3123bec2a6bfed1d758c0
            • Instruction ID: 26760b06cbd8f589dbd4dce27bc335a640215f20e0de90111aef3da684d19148
            • Opcode Fuzzy Hash: 1d59949d289a10a3b23c15f9d2defd3c6582df197bb3123bec2a6bfed1d758c0
            • Instruction Fuzzy Hash: 27117C70501221BBDB258FA1C889FFBFBB9FF1A755F10822BF59696280D7705980C6E0
            APIs
            • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00ADA84E
            • htons.WSOCK32(00000000,?,00000000), ref: 00ADA88B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: htonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 3832099526-2422070025
            • Opcode ID: cc1fa4b13970c061a8d5df9580c033ef960c1e000e105b9ca80f3ff9a044859f
            • Instruction ID: 1bb09e255c5136bef6b0c4571abe7c5e7aa842718a27c6e3f53ddfd23558168f
            • Opcode Fuzzy Hash: cc1fa4b13970c061a8d5df9580c033ef960c1e000e105b9ca80f3ff9a044859f
            • Instruction Fuzzy Hash: 6501D275200304ABCB11AFA8C896FADB3B4EF64724F10846BF9169B3D1DB71E8059752
            APIs
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00ABB7EF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: ab1486f6ef98853ea44b08df68b98bf760095c8768e4867f5a2289c02eef8eb9
            • Instruction ID: da462b00b9d67efcd93745ee3ba3647f96d79480c89603c6db29460434fd5382
            • Opcode Fuzzy Hash: ab1486f6ef98853ea44b08df68b98bf760095c8768e4867f5a2289c02eef8eb9
            • Instruction Fuzzy Hash: C501DF75651118ABCB04FBA4CD529FE33BDBF46360B14061DF462A72D2EFB559088BB0
            APIs
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00ABB6EB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: a8715592e010b9be7b067f161b35dd6691cb9f7a31660cbf819f522bf769420d
            • Instruction ID: 150c6d82df5671a452deaf9aebf8a41a559937b200760518b34ed3f4da6cd4ee
            • Opcode Fuzzy Hash: a8715592e010b9be7b067f161b35dd6691cb9f7a31660cbf819f522bf769420d
            • Instruction Fuzzy Hash: FA016D75A41108ABCB14FBA4CA63AFE73BC9F15344F100029B542B32D2EBA55E189BB5
            APIs
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00ABB76C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: ComboBox$ListBox
            • API String ID: 3850602802-1403004172
            • Opcode ID: fb6d8a4b8abe8bba1e0b6029350737e648942f6b14cc738ae67177c5c715d3ed
            • Instruction ID: e54e4061a6fb85504259ba5a05101891fa4b2d4ac2a849c4f0a61d0288cd1da9
            • Opcode Fuzzy Hash: fb6d8a4b8abe8bba1e0b6029350737e648942f6b14cc738ae67177c5c715d3ed
            • Instruction Fuzzy Hash: 8601AD75A41104ABCB00FBA4CA02AFE73AC9F05344F200019B442B3193EFA55E098BB5
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: ClassName_wcscmp
            • String ID: #32770
            • API String ID: 2292705959-463685578
            • Opcode ID: 16b49445b557dfe4b55223c15e8ac86dd62f1955ef4a23e9b83f38a030826b17
            • Instruction ID: d6fb71424472523909eaca4d911b840b4d7bd3709da30b4c67709b49fd9714ea
            • Opcode Fuzzy Hash: 16b49445b557dfe4b55223c15e8ac86dd62f1955ef4a23e9b83f38a030826b17
            • Instruction Fuzzy Hash: 8BE09277A042292BD710ABA5DC0AE8BFBECAB52B64F01005AB905E3081DA60A60187D4
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00ABA63F
              • Part of subcall function 00AA13F1: _doexit.LIBCMT ref: 00AA13FB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: Message_doexit
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 1993061046-4017498283
            • Opcode ID: b29456feb89b15f3fa11447e89a2d4f8e7de8910407d83e0bdf8a3d4e9860a21
            • Instruction ID: 0fcdc4885e81e4f0982fd809e5492254cf383bd086afbc475c6d7d655a16dc82
            • Opcode Fuzzy Hash: b29456feb89b15f3fa11447e89a2d4f8e7de8910407d83e0bdf8a3d4e9860a21
            • Instruction Fuzzy Hash: A2D05B313C472837D61437E87D17FC5768C8B15B51F144065BB0D9A5D24DD3958042E9
            APIs
            • GetSystemDirectoryW.KERNEL32(?), ref: 00AFACC0
            • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00AFAEBD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: DirectoryFreeLibrarySystem
            • String ID: WIN_XPe
            • API String ID: 510247158-3257408948
            • Opcode ID: 0beada3ae8887ef85696bec660a63596d3f2952abb7e1f87a7763eacb35811a8
            • Instruction ID: f9bfde2b7cf42a1c2aa375a61a03907a5fb9885b9837413fdfda0265bab2cb98
            • Opcode Fuzzy Hash: 0beada3ae8887ef85696bec660a63596d3f2952abb7e1f87a7763eacb35811a8
            • Instruction Fuzzy Hash: A4E0C9B0C005499FCB12DBE5D9449ECB7B8AB68301F548086F296B6660DB705A85DF22
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AE86A2
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00AE86B5
              • Part of subcall function 00AC7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AC7AD0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: 5b50a684f39687cb6eb443c096ed5198b8c0d46994aeeea6c60d304fa01c6584
            • Instruction ID: c50941a4d78924f40b9b22ae373004ce181622f8438a6ad345a0e23360f57668
            • Opcode Fuzzy Hash: 5b50a684f39687cb6eb443c096ed5198b8c0d46994aeeea6c60d304fa01c6584
            • Instruction Fuzzy Hash: 7BD01271384314BBE76867B09C0FFCB7A58AB24B51F110819B749AB1D0CDE1E940CB54
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00AE86E2
            • PostMessageW.USER32(00000000), ref: 00AE86E9
              • Part of subcall function 00AC7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00AC7AD0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1703065728.0000000000A81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A80000, based on PE: true
            • Associated: 00000000.00000002.1703052580.0000000000A80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B0D000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703103127.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703137359.0000000000B3A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B44000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B85000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B88000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1703151792.0000000000B96000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_a80000_PO#38595.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: fd8dfce7802ca5b7df81f8a60703611c4beade877d0232152de49ef10c115f42
            • Instruction ID: 58227652b5330ccdfc884f69affe757db9eca8896cb876a5bc78d5543958cc0c
            • Opcode Fuzzy Hash: fd8dfce7802ca5b7df81f8a60703611c4beade877d0232152de49ef10c115f42
            • Instruction Fuzzy Hash: A7D0C9713853146BE66867B09C0BFCA7A58AB24B51F510819B645AB1D0C9A1A9408B54