
Windows Analysis Report
6medsM68NX.exe

Overview

General Information

Sample name: 6medsM68NX.exe (renamed because the original name is a hash value)
Original sample name: 6d7383506176b2d66904efea5dfee58a70ad683ee01d9bf6a49066a92ab81cf6.exe
Analysis ID: 1529027
MD5: ef3b33eda19bdf6cc936b97f7e582f1d
SHA1: 2f67db5fb6220c97ade8c9a016e0553af766efe3
SHA256: 6d7383506176b2d66904efea5dfee58a70ad683ee01d9bf6a49066a92ab81cf6
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected Telegram RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 6medsM68NX.exe (PID: 1384 cmdline: "C:\Users\user\Desktop\6medsM68NX.exe" MD5: EF3B33EDA19BDF6CC936B97F7E582F1D)
    • xapp.exe (PID: 2456 cmdline: "C:\Users\user\Desktop\6medsM68NX.exe" MD5: EF3B33EDA19BDF6CC936B97F7E582F1D)
      • RegSvcs.exe (PID: 5108 cmdline: "C:\Users\user\Desktop\6medsM68NX.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 1956 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • xapp.exe (PID: 4220 cmdline: "C:\Users\user\AppData\Local\zero\xapp.exe" MD5: EF3B33EDA19BDF6CC936B97F7E582F1D)
      • RegSvcs.exe (PID: 3440 cmdline: "C:\Users\user\AppData\Local\zero\xapp.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendDocumentsendMessage?chat_id=document"}
Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Author: unknown
Strings:
  • 0x310e0:$a3: MailAccountConfiguration
  • 0x310f9:$a5: SmtpAccountConfiguration
  • 0x310c0:$a8: set_BindingAccountConfiguration
  • 0x30015:$a11: get_securityProfile
  • 0x2feb6:$a12: get_useSeparateFolderTree
  • 0x3183b:$a13: get_DnsResolver
  • 0x302c5:$a14: get_archivingScope
  • 0x300ed:$a15: get_providerName
  • 0x32826:$a17: get_priority
  • 0x31dfa:$a18: get_advancedParameters
  • 0x311fa:$a19: get_disabledByRestriction
  • 0x2fc8c:$a20: get_LastAccessed
  • 0x3035f:$a21: get_avatarType
  • 0x31f11:$a22: get_signaturePresets
  • 0x30996:$a23: get_enableLog
  • 0x3016a:$a26: set_accountName
  • 0x3235c:$a27: set_InternalServerPort
  • 0x2f605:$a28: set_bindingConfigurationUID
  • 0x31ed7:$a29: set_IdnAddress
  • 0x326da:$a30: set_GuidMasterKey
  • 0x301c5:$a31: set_username
Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Author: ditekSHen
Strings:
  • 0x30b9b:$s1: get_kbok
  • 0x314cf:$s2: get_CHoo
  • 0x32142:$s3: set_passwordIsSet
  • 0x30996:$s4: get_enableLog
  • 0x350fd:$s8: torbrowser
  • 0x33ad9:$s10: logins
  • 0x333ae:$s11: credential
  • 0x2fd7a:$g1: get_Clipboard
  • 0x2fd88:$g2: get_Keyboard
  • 0x2fd95:$g3: get_Password
  • 0x3137d:$g4: get_CtrlKeyDown
  • 0x3138d:$g5: get_ShiftKeyDown
  • 0x3139e:$g6: get_AltKeyDown

Source: 5.2.xapp.exe.2ad0000.1.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security
Source: 5.2.xapp.exe.2ad0000.1.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 5.2.xapp.exe.2ad0000.1.unpack, Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Author: unknown
Strings:
  • 0x2f2e0:$a3: MailAccountConfiguration
  • 0x2f2f9:$a5: SmtpAccountConfiguration
  • 0x2f2c0:$a8: set_BindingAccountConfiguration
  • 0x2e215:$a11: get_securityProfile
  • 0x2e0b6:$a12: get_useSeparateFolderTree
  • 0x2fa3b:$a13: get_DnsResolver
  • 0x2e4c5:$a14: get_archivingScope
  • 0x2e2ed:$a15: get_providerName
  • 0x30a26:$a17: get_priority
  • 0x2fffa:$a18: get_advancedParameters
  • 0x2f3fa:$a19: get_disabledByRestriction
  • 0x2de8c:$a20: get_LastAccessed
  • 0x2e55f:$a21: get_avatarType
  • 0x30111:$a22: get_signaturePresets
  • 0x2eb96:$a23: get_enableLog
  • 0x2e36a:$a26: set_accountName
  • 0x3055c:$a27: set_InternalServerPort
  • 0x2d805:$a28: set_bindingConfigurationUID
  • 0x300d7:$a29: set_IdnAddress
  • 0x308da:$a30: set_GuidMasterKey
  • 0x2e3c5:$a31: set_username
Source: 5.2.xapp.exe.2ad0000.1.unpack, Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Author: ditekSHen
Strings:
  • 0x2ed9b:$s1: get_kbok
  • 0x2f6cf:$s2: get_CHoo
  • 0x30342:$s3: set_passwordIsSet
  • 0x2eb96:$s4: get_enableLog
  • 0x332fd:$s8: torbrowser
  • 0x31cd9:$s10: logins
  • 0x315ae:$s11: credential
  • 0x2df7a:$g1: get_Clipboard
  • 0x2df88:$g2: get_Keyboard
  • 0x2df95:$g3: get_Password
  • 0x2f57d:$g4: get_CtrlKeyDown
  • 0x2f58d:$g5: get_ShiftKeyDown
  • 0x2f59e:$g6: get_AltKeyDown
Source: 2.2.xapp.exe.a40000.1.unpack, Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Author: Joe Security

System Summary

Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs" , ProcessId: 1956, ProcessName: wscript.exe
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs" , ProcessId: 1956, ProcessName: wscript.exe

Data Obfuscation

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\zero\xapp.exe, ProcessId: 2456, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs

No Suricata rule has matched


AV Detection

Source: 3.2.RegSvcs.exe.700000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendDocumentsendMessage?chat_id=document"}
Source: RegSvcs.exe.3440.6.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendMessage"}
Source: C:\Users\user\AppData\Local\zero\xapp.exe, ReversingLabs: Detection: 78%
Source: 6medsM68NX.exe, ReversingLabs: Detection: 78%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Joe Sandbox ML: detected
Source: 6medsM68NX.exe, Joe Sandbox ML: detected
Source: 6medsM68NX.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: xapp.exe, 00000002.00000003.1349529802.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000002.00000003.1349376743.0000000004540000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1478801459.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1479378148.0000000004540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: xapp.exe, 00000002.00000003.1349529802.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000002.00000003.1349376743.0000000004540000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1478801459.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1479378148.0000000004540000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00452492
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00442886
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_004788BD
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,2_2_004339B6
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,2_2_0045CAFA
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00431A86
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,2_2_0044BD27
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_0045DE8F FindFirstFileW,FindClose,2_2_0045DE8F
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0044BF8B
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452492
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442886
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_004788BD
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,5_2_004339B6
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,5_2_0045CAFA
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00431A86
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD27
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_0045DE8F FindFirstFileW,FindClose,5_2_0045DE8F
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8B
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\

Networking

Source: Yara match, File source: 3.2.RegSvcs.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.xapp.exe.a40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.xapp.exe.2ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
Source: RegSvcs.exe, 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mbKXcZ.com
Source: RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org%4
Source: RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: xapp.exe, 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, xapp.exe, 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/
Source: RegSvcs.exe, 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendDocumentdocument-----
Source: xapp.exe, 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, xapp.exe, 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0045A10F
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_0045A10F
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0046DCB4 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0046DCB4
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\6medsM68NX.exe, Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C81C
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 2_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0047C81C
Source: C:\Users\user\AppData\Local\zero\xapp.exe, Code function: 5_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0047C81C

              System Summary

              barindex
              Source: 5.2.xapp.exe.2ad0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 5.2.xapp.exe.2ad0000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 2.2.xapp.exe.a40000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 2.2.xapp.exe.a40000.1.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 3.2.RegSvcs.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 3.2.RegSvcs.exe.700000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 2.2.xapp.exe.a40000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 2.2.xapp.exe.a40000.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 5.2.xapp.exe.2ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 5.2.xapp.exe.2ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: Process Memory Space: xapp.exe PID: 2456, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
              Source: Process Memory Space: xapp.exe PID: 4220, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
              Source: Process Memory Space: RegSvcs.exe PID: 3440, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00446313: DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_004333BE: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_004333BE: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_004333BE: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: String function: 00445AE0 appears 65 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 0040E710 appears 44 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 00401B10 appears 50 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 00408F40 appears 38 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 004301F8 appears 36 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 004115D7 appears 72 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 00416C70 appears 78 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 004181F2 appears 42 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 00445AE0 appears 130 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 0041341F appears 36 times
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: String function: 00422240 appears 38 times
Source: 6medsM68NX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.xapp.exe.2ad0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.xapp.exe.2ad0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.xapp.exe.a40000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.2.xapp.exe.a40000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.RegSvcs.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 3.2.RegSvcs.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.xapp.exe.a40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.2.xapp.exe.a40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.xapp.exe.2ad0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.xapp.exe.2ad0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: xapp.exe PID: 2456, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: xapp.exe PID: 4220, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 3440, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.xapp.exe.a40000.1.raw.unpack, B.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.xapp.exe.a40000.1.raw.unpack, B.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.xapp.exe.a40000.1.raw.unpack, B.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@0/0
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0044AF6C: GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00464EAE: OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00464EAE: OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_00464EAE: OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0045D619: SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_004755C4: CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0047839D: CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0043305F: __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\6medsM68NX.exe | File created: C:\Users\user\AppData\Local\zero
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\6medsM68NX.exe | File created: C:\Users\user\AppData\Local\Temp\ageless
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs"
Source: 6medsM68NX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6medsM68NX.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\6medsM68NX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000006.00000002.3793217034.00000000027D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 6medsM68NX.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\6medsM68NX.exe | File read: C:\Users\user\Desktop\6medsM68NX.exe
Source: unknown | Process created: C:\Users\user\Desktop\6medsM68NX.exe "C:\Users\user\Desktop\6medsM68NX.exe"
Source: C:\Users\user\Desktop\6medsM68NX.exe | Process created: C:\Users\user\AppData\Local\zero\xapp.exe "C:\Users\user\Desktop\6medsM68NX.exe"
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6medsM68NX.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\zero\xapp.exe "C:\Users\user\AppData\Local\zero\xapp.exe"
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\zero\xapp.exe"
Source: C:\Users\user\Desktop\6medsM68NX.exe | Sections loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, userenv.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Sections loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, userenv.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\zero\xapp.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\6medsM68NX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: 6medsM68NX.exeStatic file information: File size 1184203 > 1048576
              Source: Binary string: wntdll.pdbUGP source: xapp.exe, 00000002.00000003.1349529802.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000002.00000003.1349376743.0000000004540000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1478801459.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1479378148.0000000004540000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: xapp.exe, 00000002.00000003.1349529802.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000002.00000003.1349376743.0000000004540000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1478801459.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, xapp.exe, 00000005.00000003.1479378148.0000000004540000.00000004.00001000.00020000.00000000.sdmp

              Data Obfuscation

              Source: 2.2.xapp.exe.a40000.1.raw.unpack, B.cs | .Net Code: A System.Reflection.Assembly.Load(byte[])
              Source: 5.2.xapp.exe.2ad0000.1.raw.unpack, B.cs | .Net Code: A System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
              Source: 6medsM68NX.exe | Static PE information: real checksum: 0xa961f should be: 0x1248f6
              Source: xapp.exe.0.dr | Static PE information: real checksum: 0xa961f should be: 0x1248f6
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00402654 push 8B0000B1h; iretd 0_2_00402659
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00416CB5 push ecx; ret 2_2_00416CC8
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_00416CB5 push ecx; ret 5_2_00416CC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05A4F574 push 8B000004h; iretd 6_2_05A4F57E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_05A45F40 pushfd; retn 005Fh 6_2_05A45F41
              Source: C:\Users\user\Desktop\6medsM68NX.exe | File created: C:\Users\user\AppData\Local\zero\xapp.exe

              Boot Survival

              Source: C:\Users\user\AppData\Local\zero\xapp.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_0047A330
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00434418
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_0047A330
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00434418
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | API/Special instruction interceptor: Address: 4185264
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | API/Special instruction interceptor: Address: 406321C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2192
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7639
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1825
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8016
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-73862
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\Desktop\6medsM68NX.exe | API coverage: 3.9 %
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | API coverage: 3.6 %
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | API coverage: 3.5 %
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
              Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00452492
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00442886
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_004788BD
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_004339B6
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 2_2_0045CAFA
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00431A86
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 2_2_0044BD27
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_0045DE8F FindFirstFileW,FindClose, 2_2_0045DE8F
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0044BF8B
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 5_2_00452492
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00442886
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_004788BD
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 5_2_004339B6
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 5_2_0045CAFA
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00431A86
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 5_2_0044BD27
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_0045DE8F FindFirstFileW,FindClose, 5_2_0045DE8F
              Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_0044BF8B
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\Jump to behavior
              Source: xapp.exe, 00000005.00000003.1480754607.00000000009C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r&Prod_VMware_SA
              Source: wscript.exe, 00000004.00000002.1470217786.00000252DA744000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: 6medsM68NX.exe, 00000000.00000002.1336895673.0000000000A62000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0E)
              Source: C:\Users\user\Desktop\6medsM68NX.exeAPI call chain: ExitProcess graph end nodegraph_0-73007
              Source: C:\Users\user\AppData\Local\zero\xapp.exeAPI call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\zero\xapp.exeAPI call chain: ExitProcess graph end node
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00628438 LdrInitializeThunk,6_2_00628438
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_0045A370 BlockInput,0_2_0045A370
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_03FC7530 mov eax, dword ptr fs:[00000030h]0_2_03FC7530
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_03FC74D0 mov eax, dword ptr fs:[00000030h]0_2_03FC74D0
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_03FC5E90 mov eax, dword ptr fs:[00000030h]0_2_03FC5E90
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 2_2_041854D0 mov eax, dword ptr fs:[00000030h]2_2_041854D0
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 2_2_04185530 mov eax, dword ptr fs:[00000030h]2_2_04185530
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 2_2_04183E90 mov eax, dword ptr fs:[00000030h]2_2_04183E90
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 5_2_04063488 mov eax, dword ptr fs:[00000030h]5_2_04063488
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 5_2_040634E8 mov eax, dword ptr fs:[00000030h]5_2_040634E8
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 5_2_04061E48 mov eax, dword ptr fs:[00000030h]5_2_04061E48
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
              Source: C:\Users\user\Desktop\6medsM68NX.exeCode function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 2_2_0041F250 SetUnhandledExceptionFilter,2_2_0041F250
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 2_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0041A208
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 2_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00417DAA
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 5_2_0041F250 SetUnhandledExceptionFilter,5_2_0041F250
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 5_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0041A208
              Source: C:\Users\user\AppData\Local\zero\xapp.exeCode function: 5_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00417DAA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\zero\xapp.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 556008
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 22A008
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00436CD7 LogonUserW,0_2_00436CD7
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_0043333C
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\6medsM68NX.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\zero\xapp.exe "C:\Users\user\AppData\Local\zero\xapp.exe"
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\zero\xapp.exe"
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00446124
Source: xapp.exe | Binary or memory string: Shell_TrayWnd
Source: 6medsM68NX.exe, xapp.exe.0.dr | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,0_2_004720DB
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00472C3F GetUserNameW,2_2_00472C3F
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0041E364
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
Source: C:\Users\user\Desktop\6medsM68NX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
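The three "Process created" lines in this section are the most useful detection material on the page: xapp.exe starts RegSvcs.exe, a signed .NET Framework utility, but the command line it is given names a different executable (the original sample in one chain, xapp.exe in the other), right after an execute/read/write section is mapped into RegSvcs.exe and its memory is written. Separately, wscript.exe relaunches xapp.exe from the user profile, which is how the Startup-folder .vbs re-establishes the chain at logon. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it turns those observations into three rules and runs them over constructed process-creation events shaped after the report's process tree. Assumptions: every PID except 2456/4220 (xapp.exe) and 5108/3440 (RegSvcs.exe), the pairing of each xapp.exe with its RegSvcs.exe child, the exact .vbs path inside the Startup folder, and the regasm/installutil/msbuild entries in the host list, which the report does not mention.

```python
"""Added example: detect the wscript.exe -> xapp.exe -> RegSvcs.exe lineage from
process-creation events (Sysmon Event ID 1 shape: Image, CommandLine, ParentProcessId)."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable actually mapped into the new process
    cmdline: str  # command line as observed


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
XAPP = r"C:\Users\user\AppData\Local\zero\xapp.exe"
SAMPLE = r"C:\Users\user\Desktop\6medsM68NX.exe"
# Assumed: the report only says a VBS was dropped into the Startup folder.
XAPP_VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs"

# Constructed events. PIDs 2456/4220/5108/3440 come from the report; the rest are assumed.
EVENTS = [
    ProcEvent(1001, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2456, 1001, XAPP, f'"{XAPP}"'),
    ProcEvent(5108, 2456, REGSVCS, f'"{SAMPLE}"'),      # report: RegSvcs.exe "...\6medsM68NX.exe"
    ProcEvent(3001, 900, WSCRIPT, f'"{WSCRIPT}" "{XAPP_VBS}"'),
    ProcEvent(4220, 3001, XAPP, f'"{XAPP}"'),
    ProcEvent(3440, 4220, REGSVCS, f'"{XAPP}"'),        # report: RegSvcs.exe "...\xapp.exe"
    # Benign control (assumed): a developer registering a COM+ assembly with the real tool.
    ProcEvent(7000, 6000, REGSVCS, f'"{REGSVCS}" C:\\build\\Component.dll'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# RegSvcs.exe is the host seen in this report; the other three are assumed additions,
# being the other signed .NET utilities commonly abused the same way.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def first_exe_token(cmdline: str) -> str:
    """Program path a Windows command line claims to run: the quoted first token,
    or the first whitespace-delimited token when unquoted."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def is_user_writable(path: str) -> bool:
    """Heuristic: user profile and ProgramData are writable without admin rights."""
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def detect(events):
    """Return (rule, pid) pairs for every event that trips one of three rules."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        claimed = ntpath.basename(first_exe_token(e.cmdline)).lower()
        # Rule 1: the mapped image is not the program the command line names. This is
        # exactly what the report's two RegSvcs.exe "Process created" lines show, and it
        # fits a suspended child whose image is replaced before it runs.
        if claimed and claimed != name:
            hits.append(("image_cmdline_mismatch", e.pid))
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        pname = ntpath.basename(parent.image).lower()
        # Rule 2: a script host starts an executable from a user-writable location
        # (wscript.exe running the Startup-folder .vbs relaunches xapp.exe).
        if pname in SCRIPT_HOSTS and is_user_writable(e.image):
            hits.append(("script_host_child_in_user_dir", e.pid))
        # Rule 3: a signed .NET utility whose parent lives in a user-writable directory.
        if name in DOTNET_HOSTS and is_user_writable(parent.image):
            hits.append(("dotnet_host_userland_parent", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}")
```

Rule 1 is the cheapest signal and needs no parent lookup: compare the image path of a new process with the first token of its command line. The benign control shows the distinction that matters; a real RegSvcs.exe run has a command line that starts with RegSvcs.exe itself, whatever arguments follow, whereas the two RegSvcs.exe instances in this report carry the launcher's own path.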

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.xapp.exe.2ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.xapp.exe.a40000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.xapp.exe.a40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.xapp.exe.2ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xapp.exe PID: 2456, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xapp.exe PID: 4220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3440, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3440, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: xapp.exe | Binary or memory string: WIN_XP
Source: xapp.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: xapp.exe | Binary or memory string: WIN_XPe
Source: xapp.exe | Binary or memory string: WIN_VISTA
Source: xapp.exe | Binary or memory string: WIN_7
Source: xapp.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3440, type: MEMORYSTR
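Every file and registry key listed above belongs to a specific application (Chrome, Edge, Firefox-family browsers, Thunderbird, IncrediMail, Outlook, WinSCP), yet all of them are opened by RegSvcs.exe, a .NET registration utility that has no business reading any of them. That ownership mismatch, and the breadth of stores swept by one process, is a more robust detection than any single path. The Python below is an added example, not code from the Joe Sandbox report or the sample: it encodes the stores from this section with their expected owner process and runs the check over constructed file/registry access events. Assumptions: the owner process names, the two benign control events, and every PID other than 3440, which the report attributes to one of the RegSvcs.exe instances.

```python
"""Added example: flag credential-store access by a process that does not own the
store, then flag processes that sweep several stores (the info-stealer pattern)."""
from dataclasses import dataclass
import fnmatch
import ntpath


@dataclass(frozen=True)
class AccessEvent:
    pid: int
    image: str
    kind: str    # "file" or "registry"
    target: str  # path opened or registry key opened


# label -> (kind, glob matched against the lower-cased target, owner process names).
# Targets come from this report; owner names are assumptions for the example.
CREDENTIAL_STORES = {
    "chrome":      ("file", r"*\google\chrome\user data\*\login data", {"chrome.exe"}),
    "edge":        ("file", r"*\microsoft\edge\user data\*\login data", {"msedge.exe"}),
    "firefox":     ("file", r"*\mozilla\firefox\profiles.ini", {"firefox.exe"}),
    "thunderbird": ("file", r"*\thunderbird\profiles.ini", {"thunderbird.exe"}),
    "cyberfox":    ("file", r"*\8pecxstudios\cyberfox\profiles.ini", {"cyberfox.exe"}),
    "blackhawk":   ("file", r"*\netgate technologies\blackhawk\profiles.ini", {"blackhawk.exe"}),
    "winscp":      ("registry", r"hkey_current_user\software\martin prikryl\winscp 2\sessions*", {"winscp.exe"}),
    "incredimail": ("registry", r"hkey_current_user\software\incredimail\identities*", {"incmail.exe"}),
    "outlook":     ("registry", r"hkey_current_user\software\microsoft\windows nt\currentversion"
                                r"\windows messaging subsystem\profiles\outlook*", {"outlook.exe"}),
}

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
APPDATA = r"C:\Users\user\AppData"

# Constructed events: the RegSvcs.exe targets are the ones this report lists; the two
# benign controls (PIDs 8001/8002) are assumed.
EVENTS = [
    AccessEvent(3440, REGSVCS, "registry", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    AccessEvent(3440, REGSVCS, "file", APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(3440, REGSVCS, "file", APPDATA + r"\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    AccessEvent(3440, REGSVCS, "file", APPDATA + r"\Roaming\8pecxstudios\Cyberfox\profiles.ini"),
    AccessEvent(3440, REGSVCS, "file", APPDATA + r"\Roaming\Mozilla\Firefox\profiles.ini"),
    AccessEvent(3440, REGSVCS, "file", APPDATA + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
    AccessEvent(3440, REGSVCS, "file", APPDATA + r"\Roaming\Thunderbird\profiles.ini"),
    AccessEvent(3440, REGSVCS, "registry", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    AccessEvent(3440, REGSVCS, "registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
                                           r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    AccessEvent(8001, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
                APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent(8002, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "registry",
                r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
]


def match_store(event: AccessEvent):
    """Label of the credential store an event touches, or None."""
    target = event.target.lower()
    for label, (kind, pattern, _owners) in CREDENTIAL_STORES.items():
        # fnmatchcase keeps '*' spanning backslashes and treats '\' as a literal.
        if kind == event.kind and fnmatch.fnmatchcase(target, pattern):
            return label
    return None


def unexpected_access(events):
    """(pid, store) for every access by a process that is not the store's owner."""
    hits = []
    for e in events:
        label = match_store(e)
        if label is None:
            continue
        if ntpath.basename(e.image).lower() not in CREDENTIAL_STORES[label][2]:
            hits.append((e.pid, label))
    return hits


def harvesters(events, threshold=3):
    """pid -> set of stores, for processes with at least `threshold` foreign stores.
    One foreign read may be a backup or migration tool; sweeping browsers, mail
    clients and WinSCP from one process is what this report documents."""
    touched = {}
    for pid, label in unexpected_access(events):
        touched.setdefault(pid, set()).add(label)
    return {pid: s for pid, s in touched.items() if len(s) >= threshold}


if __name__ == "__main__":
    for pid, stores in harvesters(EVENTS).items():
        print(f"pid {pid} swept {len(stores)} credential stores: {sorted(stores)}")
```

The two controls are there to show that path-based rules alone would alert on the browser and mail client reading their own data; binding each store to its owner removes that noise, and the threshold in harvesters separates a single odd read from a sweep across nine stores by one process, which is what the report records for PID 3440.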

Remote Access Functionality

Source: Yara match | File source: 5.2.xapp.exe.2ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.xapp.exe.a40000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.xapp.exe.a40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.xapp.exe.2ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xapp.exe PID: 2456, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xapp.exe PID: 4220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3440, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3440, type: MEMORYSTR
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0040C360 RpcServerInqBindingHandle,0_2_0040C360
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
Source: C:\Users\user\Desktop\6medsM68NX.exe | Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_004652BE
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00476619
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 2_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,2_2_0046CEF3
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,5_2_004652BE
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00476619
Source: C:\Users\user\AppData\Local\zero\xapp.exe | Code function: 5_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,5_2_0046CEF3
MITRE ATT&CK Matrix (rendered as a table on the original page; the cell layout did not survive extraction, so only the column headers and the techniques that carry a signature-count badge are kept here)

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques with signature counts in this report: Scripting; Valid Accounts; Windows Management Instrumentation; Exploitation for Privilege Escalation; Disable or Modify Tools; OS Credential Dumping; System Time Discovery; Archive Collected Data; Ingress Tool Transfer; System Shutdown/Reboot; Native API; DLL Side-Loading; Deobfuscate/Decode Files or Information; Input Capture; Account Discovery; Data from Local System; Encrypted Channel; Obfuscated Files or Information; Credentials in Registry; File and Directory Discovery; Email Collection; Registry Run Keys / Startup Folder; Access Token Manipulation; Software Packing; System Information Discovery; Process Injection; Security Software Discovery; Clipboard Data; Masquerading; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery.

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID: 1529027, sample: 6medsM68NX.exe, start date: 08/10/2024, architecture: WINDOWS, score: 100). The graph is an image on the original page; its nodes and edges are listed here in text form.

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures.

Process tree:
• 6medsM68NX.exe (started)
  • dropped: C:\Users\user\AppData\Local\zero\xapp.exe (PE32)
  • xapp.exe (started)
    • dropped: C:\Users\user\AppData\Roaming\...\xapp.vbs (data)
    • signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops VBS files to the startup folder; Switches to a custom stack to bypass stack traces
    • RegSvcs.exe (started)
      • signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
• wscript.exe (started)
  • signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • xapp.exe (started)
    • signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    • RegSvcs.exe (started)
      • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
Source | Detection | Scanner | Label | Link
6medsM68NX.exe | 79% | ReversingLabs | Win32.Backdoor.XtremeRAT |
6medsM68NX.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\zero\xapp.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\zero\xapp.exe | 79% | ReversingLabs | Win32.Backdoor.XtremeRAT |
              No Antivirus matches
              No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://DynDns.comDynDNS | RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://mbKXcZ.com | RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | xapp.exe, 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, xapp.exe, 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://api.ipify.org%4 | RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/ | xapp.exe, 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, xapp.exe, 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp | true | | unknown
https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/sendDocumentdocument----- | RegSvcs.exe, 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                No contacted IP infos
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1529027
                                Start date and time:2024-10-08 15:22:45 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 9m 44s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:6medsM68NX.exe
                                renamed because original name is a hash value
                                Original Sample Name:6d7383506176b2d66904efea5dfee58a70ad683ee01d9bf6a49066a92ab81cf6.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winEXE@10/3@0/0
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 53
                                • Number of non-executed functions: 299
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: 6medsM68NX.exe
Time | Type | Description
09:23:46 | API Interceptor | 10037350x Sleep call for process: RegSvcs.exe modified
14:23:42 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs
                                No context
                                Process:C:\Users\user\Desktop\6medsM68NX.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):221184
                                Entropy (8bit):7.050908766976407
                                Encrypted:false
                                SSDEEP:6144:3NVz2wBO7sqKLBs6Fg6DYDhppROKr2m6eZ:3NV/esq0BRDsROKWeZ
                                MD5:144437FFCAE3247C92B89924A6A3EF77
                                SHA1:24E01F00E80FDB2180987CEC414124A108B4E4B1
                                SHA-256:E5182B75DFAB0C8CFF856F1164CF2B6223D4BA95C50EF1A73B5C7FEFB3CC7A5E
                                SHA-512:5C9335E6C3B647781DC7FE995552F80B22D4354207A30C9B3FB3C564A190B233E07EAAFB44609906859E2C11DABA61D6AFDCDACDC95CE0ADC02D821C5743744D
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\Desktop\6medsM68NX.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1184203
                                Entropy (8bit):7.432609923283324
                                Encrypted:false
                                SSDEEP:24576:0RmJkcoQricOIQxiZY1iaae3Ut4xK9+UfLWYG6uwiQizOVEC0ZL:RJZoQrbTFZY1iaaYQ409XmZwnizOVa
                                MD5:EF3B33EDA19BDF6CC936B97F7E582F1D
                                SHA1:2F67DB5FB6220C97ADE8C9A016E0553AF766EFE3
                                SHA-256:6D7383506176B2D66904EFEA5DFEE58A70AD683EE01D9BF6A49066A92AB81CF6
                                SHA-512:975C729679891C2552D9F444A6F68F80CA122C6476599EFE1B257791695647577C7B003146EF5DD457EAD393D5DA42B74949A6AADB514D24847D5E4BCE1924E3
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 79%
                                Reputation:low
                                Process:C:\Users\user\AppData\Local\zero\xapp.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):256
                                Entropy (8bit):3.402130149321381
                                Encrypted:false
                                SSDEEP:6:DMM8lfm3OOQdUfclgMsUEZ+lX1h/6nriIM8lfQVn:DsO+vNlgMsQ1imA2n
                                MD5:3B26CB6EC3EE07B5974ED98D2019F342
                                SHA1:4F59CBA2675295D63A1B8E7E5B3C863BB61ECFBC
                                SHA-256:75419F43D43A59928556FEFE3B7BA15C501FFB2F30DE492DE359DA69CF6A62DC
                                SHA-512:F3C28AA1206C213956A951E07111A97A2C806288AFBC04921477CC9FF73E476CCDCBF95A1820343FD9A140AC86004FE408EAD6AECD11828D0369780BC4477B76
                                Malicious:true
                                Reputation:low
Preview (UTF-16LE text, decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\tina\AppData\Local\zero\xapp.exe", 1
Set WshShell = Nothing
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.432609923283324
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:6medsM68NX.exe
                                File size:1'184'203 bytes
                                MD5:ef3b33eda19bdf6cc936b97f7e582f1d
                                SHA1:2f67db5fb6220c97ade8c9a016e0553af766efe3
                                SHA256:6d7383506176b2d66904efea5dfee58a70ad683ee01d9bf6a49066a92ab81cf6
                                SHA512:975c729679891c2552d9f444a6f68f80ca122c6476599efe1b257791695647577c7b003146ef5dd457ead393d5da42b74949a6aadb514d24847d5e4bce1924e3
                                SSDEEP:24576:0RmJkcoQricOIQxiZY1iaae3Ut4xK9+UfLWYG6uwiQizOVEC0ZL:RJZoQrbTFZY1iaaYQ409XmZwnizOVa
                                TLSH:8A45D021B5C5B03EF2A222B1BE7AF779B63C65261326D1D723CC29211F5C7416B29723
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                Icon Hash:0000000000000000
                                Entrypoint:0x4165c1
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                Instruction
                                call 00007F77E8E167DBh
                                jmp 00007F77E8E0D64Eh
                                int3
                                int3
                                int3
                                int3
                                int3
                                push ebp
                                mov ebp, esp
                                push edi
                                push esi
                                mov esi, dword ptr [ebp+0Ch]
                                mov ecx, dword ptr [ebp+10h]
                                mov edi, dword ptr [ebp+08h]
                                mov eax, ecx
                                mov edx, ecx
                                add eax, esi
                                cmp edi, esi
                                jbe 00007F77E8E0D7CAh
                                cmp edi, eax
                                jc 00007F77E8E0D966h
                                cmp ecx, 00000080h
                                jc 00007F77E8E0D7DEh
                                cmp dword ptr [004A9724h], 00000000h
                                je 00007F77E8E0D7D5h
                                push edi
                                push esi
                                and edi, 0Fh
                                and esi, 0Fh
                                cmp edi, esi
                                pop esi
                                pop edi
                                jne 00007F77E8E0D7C7h
                                jmp 00007F77E8E0DBA2h
                                test edi, 00000003h
                                jne 00007F77E8E0D7D6h
                                shr ecx, 02h
                                and edx, 03h
                                cmp ecx, 08h
                                jc 00007F77E8E0D7EBh
                                rep movsd
                                jmp dword ptr [00416740h+edx*4]
                                mov eax, edi
                                mov edx, 00000003h
                                sub ecx, 04h
                                jc 00007F77E8E0D7CEh
                                and eax, 03h
                                add ecx, eax
                                jmp dword ptr [00416654h+eax*4]
                                jmp dword ptr [00416750h+ecx*4]
                                nop
                                jmp dword ptr [004166D4h+ecx*4]
                                nop
                                inc cx
                                add byte ptr [eax-4BFFBE9Ah], dl
                                inc cx
                                add byte ptr [ebx], ah
                                ror dword ptr [edx-75F877FAh], 1
                                inc esi
                                add dword ptr [eax+468A0147h], ecx
                                add al, cl
                                jmp 00007F77EB285FC7h
                                add esi, 03h
                                add edi, 03h
                                cmp ecx, 08h
                                jc 00007F77E8E0D78Eh
                                rep movsd
                                jmp dword ptr [00000000h+edx*4]
                                Programming Language:
                                • [ C ] VS2010 SP1 build 40219
                                • [C++] VS2010 SP1 build 40219
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [ASM] VS2010 SP1 build 40219
                                • [RES] VS2010 SP1 build 40219
                                • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x7178 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x7178 | 0x7200 | 16fa2f9010d9f1f3841a88d80df2801e | False | 0.11811266447368421 | data | 3.2534480920221 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab448 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab570 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab698 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab7c0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3777 x 3777 px/m | English | Great Britain | 0.004251299008030231
RT_MENU | 0xaf9e8 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xafa38 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xafb38 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb0068 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb06f8 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb0bc8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb11c8 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb1828 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb1bb0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb1d08 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb1d20 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb1d38 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb1d50 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb1d68 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb1f08 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system / Country where language is spoken:
English / Great Britain
English / United States
                                No network behavior found


Target ID: 0
Start time: 09:23:37
Start date: 08/10/2024
Path: C:\Users\user\Desktop\6medsM68NX.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6medsM68NX.exe"
Imagebase: 0x400000
File size: 1'184'203 bytes
MD5 hash: EF3B33EDA19BDF6CC936B97F7E582F1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:23:38
Start date: 08/10/2024
Path: C:\Users\user\AppData\Local\zero\xapp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6medsM68NX.exe"
Imagebase: 0x400000
File size: 1'184'203 bytes
MD5 hash: EF3B33EDA19BDF6CC936B97F7E582F1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000002.00000002.1353677931.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 79%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:23:39
Start date: 08/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\6medsM68NX.exe"
Imagebase: 0x320000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000002.1481806468.0000000000702000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000003.00000002.1484021512.0000000002621000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:23:51
Start date: 08/10/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xapp.vbs"
Imagebase: 0x7ff66b0d0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 09:23:51
Start date: 08/10/2024
Path: C:\Users\user\AppData\Local\zero\xapp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\zero\xapp.exe"
Imagebase: 0x400000
File size: 1'184'203 bytes
MD5 hash: EF3B33EDA19BDF6CC936B97F7E582F1D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000005.00000002.1483162721.0000000002AD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 6
Start time: 09:23:52
Start date: 08/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\zero\xapp.exe"
Imagebase: 0x20000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000006.00000002.3793217034.0000000002441000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: high
Has exited: false


                                  Execution Graph

Execution Coverage: 3.7%
Dynamic/Decrypted Code Coverage: 0.9%
Signature Coverage: 8.9%
Total number of Nodes: 1983
Total number of Limit Nodes: 36
[Execution graph: interactive call-graph visualization of the sample's API call paths (node and edge data not reproduced here)]
73210 4115d7 52 API calls 73209->73210 73211 401f74 73210->73211 73211->73021 73213 4019a3 73212->73213 73214 401985 73212->73214 73213->73214 73215 4019b8 73213->73215 73217 40199f 73214->73217 73918 403e10 53 API calls 73214->73918 73919 403e10 53 API calls 73215->73919 73217->73024 73219 4019c4 73219->73024 73221 40c2c7 73220->73221 73222 40c30e 73220->73222 73225 40c2d3 73221->73225 73226 426c79 73221->73226 73223 40c315 73222->73223 73224 426c2b 73222->73224 73227 40c321 73223->73227 73228 426c5a 73223->73228 73230 426c4b 73224->73230 73231 426c2e 73224->73231 73920 403ea0 52 API calls __cinit 73225->73920 73925 4534e3 52 API calls 73226->73925 73921 403ea0 52 API calls __cinit 73227->73921 73924 4534e3 52 API calls 73228->73924 73923 4534e3 52 API calls 73230->73923 73237 40c2de 73231->73237 73922 4534e3 52 API calls 73231->73922 73237->73034 73237->73237 73239 401a30 73238->73239 73240 401a17 73238->73240 73242 402160 52 API calls 73239->73242 73241 401a2d 73240->73241 73926 403c30 52 API calls _memmove 73240->73926 73241->73038 73244 401a3d 73242->73244 73244->73038 73246 411523 73245->73246 73247 4114ba 73245->73247 73929 4113a8 58 API calls 3 library calls 73246->73929 73252 40200c 73247->73252 73927 417f77 46 API calls __getptd_noexit 73247->73927 73250 4114c6 73928 417f25 10 API calls ___crtsetenv 73250->73928 73252->73041 73252->73042 73253->73069 73254->73071 73255->73077 73256->73077 73317 40f6f0 73257->73317 73259 40f77b _strcat moneypunct 73325 40f850 73259->73325 73264 427c2a 73354 414d04 73264->73354 73266 40f7fc 73266->73264 73267 40f804 73266->73267 73341 414a46 73267->73341 73272 40f80e 73272->73200 73276 4528bd 73272->73276 73273 427c59 73360 414fe2 73273->73360 73275 427c79 73277 4150d1 _fseek 81 API calls 73276->73277 73278 452930 73277->73278 73860 452719 73278->73860 73281 452948 73281->73202 73282 414d04 __fread_nolock 61 API calls 73283 452966 73282->73283 73284 414d04 __fread_nolock 61 API calls 73283->73284 73285 452976 73284->73285 
73286 414d04 __fread_nolock 61 API calls 73285->73286 73287 45298f 73286->73287 73288 414d04 __fread_nolock 61 API calls 73287->73288 73289 4529aa 73288->73289 73290 4150d1 _fseek 81 API calls 73289->73290 73291 4529c4 73290->73291 73292 4135bb _malloc 46 API calls 73291->73292 73293 4529cf 73292->73293 73294 4135bb _malloc 46 API calls 73293->73294 73295 4529db 73294->73295 73296 414d04 __fread_nolock 61 API calls 73295->73296 73297 4529ec 73296->73297 73298 44afef GetSystemTimeAsFileTime 73297->73298 73299 452a00 73298->73299 73300 452a36 73299->73300 73301 452a13 73299->73301 73303 452aa5 73300->73303 73304 452a3c 73300->73304 73302 413748 _free 46 API calls 73301->73302 73306 452a1c 73302->73306 73305 413748 _free 46 API calls 73303->73305 73866 44b1a9 73304->73866 73308 452aa3 73305->73308 73309 413748 _free 46 API calls 73306->73309 73308->73202 73311 452a25 73309->73311 73310 452a9d 73312 413748 _free 46 API calls 73310->73312 73311->73202 73312->73308 73314 431e64 73313->73314 73315 431e6a 73313->73315 73316 414a46 __fcloseall 82 API calls 73314->73316 73315->73206 73316->73315 73318 425de2 73317->73318 73322 40f6fc _wcslen 73317->73322 73318->73259 73319 40f710 WideCharToMultiByte 73320 40f756 73319->73320 73321 40f728 73319->73321 73320->73259 73323 4115d7 52 API calls 73321->73323 73322->73319 73324 40f735 WideCharToMultiByte 73323->73324 73324->73259 73327 40f85d __wctomb_s_l _strlen 73325->73327 73328 40f7ab 73327->73328 73373 414db8 73327->73373 73329 4149c2 73328->73329 73388 414904 73329->73388 73331 40f7e9 73331->73264 73332 40f5c0 73331->73332 73336 40f5cd _strcat __write_nolock _memmove 73332->73336 73333 414d04 __fread_nolock 61 API calls 73333->73336 73334 40f691 __tzset_nolock 73334->73266 73336->73333 73336->73334 73340 425d11 73336->73340 73476 4150d1 73336->73476 73337 4150d1 _fseek 81 API calls 73338 425d33 73337->73338 73339 414d04 __fread_nolock 61 API calls 73338->73339 73339->73334 73340->73337 73342 414a52 _raise 73341->73342 73343 
414a64 73342->73343 73344 414a79 73342->73344 73616 417f77 46 API calls __getptd_noexit 73343->73616 73347 415471 __lock_file 47 API calls 73344->73347 73353 414a74 _raise 73344->73353 73346 414a69 73617 417f25 10 API calls ___crtsetenv 73346->73617 73348 414a92 73347->73348 73600 4149d9 73348->73600 73353->73272 73685 414c76 73354->73685 73356 414d1c 73357 44afef 73356->73357 73853 442c5a 73357->73853 73359 44b00d 73359->73273 73361 414fee _raise 73360->73361 73362 414ffa 73361->73362 73363 41500f 73361->73363 73857 417f77 46 API calls __getptd_noexit 73362->73857 73365 415471 __lock_file 47 API calls 73363->73365 73367 415017 73365->73367 73366 414fff 73858 417f25 10 API calls ___crtsetenv 73366->73858 73369 414e4e __ftell_nolock 51 API calls 73367->73369 73370 415024 73369->73370 73859 41503d LeaveCriticalSection LeaveCriticalSection _fprintf 73370->73859 73372 41500a _raise 73372->73275 73374 414dd6 73373->73374 73375 414deb 73373->73375 73384 417f77 46 API calls __getptd_noexit 73374->73384 73375->73374 73377 414df2 73375->73377 73386 41b91b 79 API calls 11 library calls 73377->73386 73378 414ddb 73385 417f25 10 API calls ___crtsetenv 73378->73385 73380 414e18 73383 414de6 73380->73383 73387 418f98 77 API calls 6 library calls 73380->73387 73383->73327 73384->73378 73385->73383 73386->73380 73387->73383 73391 414910 _raise 73388->73391 73389 414923 73444 417f77 46 API calls __getptd_noexit 73389->73444 73391->73389 73393 414951 73391->73393 73392 414928 73445 417f25 10 API calls ___crtsetenv 73392->73445 73407 41d4d1 73393->73407 73396 414956 73397 41496a 73396->73397 73398 41495d 73396->73398 73400 414992 73397->73400 73401 414972 73397->73401 73446 417f77 46 API calls __getptd_noexit 73398->73446 73424 41d218 73400->73424 73447 417f77 46 API calls __getptd_noexit 73401->73447 73406 414933 _raise @_EH4_CallFilterFunc@8 73406->73331 73408 41d4dd _raise 73407->73408 73409 4182cb __lock 46 API calls 73408->73409 73410 41d4eb 73409->73410 73411 41d567 
73410->73411 73418 418209 __mtinitlocknum 46 API calls 73410->73418 73422 41d560 73410->73422 73452 4154b2 47 API calls __lock 73410->73452 73453 415520 LeaveCriticalSection LeaveCriticalSection _doexit 73410->73453 73412 416b04 __malloc_crt 46 API calls 73411->73412 73414 41d56e 73412->73414 73415 41d57c InitializeCriticalSectionAndSpinCount 73414->73415 73414->73422 73416 41d59c 73415->73416 73417 41d5af EnterCriticalSection 73415->73417 73421 413748 _free 46 API calls 73416->73421 73417->73422 73418->73410 73420 41d5f0 _raise 73420->73396 73421->73422 73449 41d5fb 73422->73449 73425 41d23a 73424->73425 73426 41d255 73425->73426 73438 41d26c __wopenfile 73425->73438 73458 417f77 46 API calls __getptd_noexit 73426->73458 73427 41d421 73430 41d47a 73427->73430 73431 41d48c 73427->73431 73429 41d25a 73459 417f25 10 API calls ___crtsetenv 73429->73459 73463 417f77 46 API calls __getptd_noexit 73430->73463 73455 422bf9 73431->73455 73435 41d47f 73464 417f25 10 API calls ___crtsetenv 73435->73464 73436 41499d 73448 4149b8 LeaveCriticalSection LeaveCriticalSection _fprintf 73436->73448 73438->73427 73438->73430 73460 41341f 58 API calls 2 library calls 73438->73460 73440 41d41a 73440->73427 73461 41341f 58 API calls 2 library calls 73440->73461 73442 41d439 73442->73427 73462 41341f 58 API calls 2 library calls 73442->73462 73444->73392 73445->73406 73446->73406 73447->73406 73448->73406 73454 4181f2 LeaveCriticalSection 73449->73454 73451 41d602 73451->73420 73452->73410 73453->73410 73454->73451 73465 422b35 73455->73465 73457 422c14 73457->73436 73458->73429 73459->73436 73460->73440 73461->73442 73462->73427 73463->73435 73464->73436 73467 422b41 _raise 73465->73467 73466 422b54 73468 417f77 ___crtsetenv 46 API calls 73466->73468 73467->73466 73469 422b8a 73467->73469 73470 422b59 73468->73470 73471 422400 __tsopen_nolock 109 API calls 73469->73471 73472 417f25 ___crtsetenv 10 API calls 73470->73472 73473 422ba4 73471->73473 73475 422b63 _raise 73472->73475 73474 
422bcb __wsopen_helper LeaveCriticalSection 73473->73474 73474->73475 73475->73457 73477 4150dd _raise 73476->73477 73478 4150e9 73477->73478 73479 41510f 73477->73479 73507 417f77 46 API calls __getptd_noexit 73478->73507 73489 415471 73479->73489 73481 4150ee 73508 417f25 10 API calls ___crtsetenv 73481->73508 73488 4150f9 _raise 73488->73336 73490 415483 73489->73490 73491 4154a5 EnterCriticalSection 73489->73491 73490->73491 73493 41548b 73490->73493 73492 415117 73491->73492 73495 415047 73492->73495 73494 4182cb __lock 46 API calls 73493->73494 73494->73492 73496 415067 73495->73496 73497 415057 73495->73497 73502 415079 73496->73502 73510 414e4e 73496->73510 73565 417f77 46 API calls __getptd_noexit 73497->73565 73501 41505c 73509 415143 LeaveCriticalSection LeaveCriticalSection _fprintf 73501->73509 73527 41443c 73502->73527 73505 4150b9 73540 41e1f4 73505->73540 73507->73481 73508->73488 73509->73488 73511 414e61 73510->73511 73512 414e79 73510->73512 73566 417f77 46 API calls __getptd_noexit 73511->73566 73514 414139 __fseek_nolock 46 API calls 73512->73514 73516 414e80 73514->73516 73515 414e66 73567 417f25 10 API calls ___crtsetenv 73515->73567 73518 41e1f4 __write 51 API calls 73516->73518 73519 414e97 73518->73519 73520 414f09 73519->73520 73522 414ec9 73519->73522 73526 414e71 73519->73526 73568 417f77 46 API calls __getptd_noexit 73520->73568 73523 41e1f4 __write 51 API calls 73522->73523 73522->73526 73524 414f64 73523->73524 73525 41e1f4 __write 51 API calls 73524->73525 73524->73526 73525->73526 73526->73502 73528 414455 73527->73528 73532 414477 73527->73532 73529 414139 __fseek_nolock 46 API calls 73528->73529 73528->73532 73530 414470 73529->73530 73569 41b7b2 77 API calls 5 library calls 73530->73569 73533 414139 73532->73533 73534 414145 73533->73534 73535 41415a 73533->73535 73570 417f77 46 API calls __getptd_noexit 73534->73570 73535->73505 73537 41414a 73571 417f25 10 API calls ___crtsetenv 73537->73571 73539 414155 73539->73505 73541 
41e200 _raise 73540->73541 73542 41e223 73541->73542 73543 41e208 73541->73543 73545 41e22f 73542->73545 73549 41e269 73542->73549 73592 417f8a 46 API calls __getptd_noexit 73543->73592 73594 417f8a 46 API calls __getptd_noexit 73545->73594 73547 41e20d 73593 417f77 46 API calls __getptd_noexit 73547->73593 73548 41e234 73595 417f77 46 API calls __getptd_noexit 73548->73595 73572 41ae56 73549->73572 73553 41e23c 73596 417f25 10 API calls ___crtsetenv 73553->73596 73554 41e26f 73556 41e291 73554->73556 73557 41e27d 73554->73557 73597 417f77 46 API calls __getptd_noexit 73556->73597 73582 41e17f 73557->73582 73558 41e215 _raise 73558->73501 73561 41e296 73598 417f8a 46 API calls __getptd_noexit 73561->73598 73562 41e289 73599 41e2c0 LeaveCriticalSection __unlock_fhandle 73562->73599 73565->73501 73566->73515 73567->73526 73568->73526 73569->73532 73570->73537 73571->73539 73573 41ae62 _raise 73572->73573 73574 41aebc 73573->73574 73575 4182cb __lock 46 API calls 73573->73575 73576 41aec1 EnterCriticalSection 73574->73576 73578 41aede _raise 73574->73578 73577 41ae8e 73575->73577 73576->73578 73579 41aeaa 73577->73579 73580 41ae97 InitializeCriticalSectionAndSpinCount 73577->73580 73578->73554 73581 41aeec ___lock_fhandle LeaveCriticalSection 73579->73581 73580->73579 73581->73574 73583 41aded __lseek_nolock 46 API calls 73582->73583 73584 41e18e 73583->73584 73585 41e1a4 SetFilePointer 73584->73585 73586 41e194 73584->73586 73587 41e1bb GetLastError 73585->73587 73590 41e1c3 73585->73590 73588 417f77 ___crtsetenv 46 API calls 73586->73588 73587->73590 73589 41e199 73588->73589 73589->73562 73590->73589 73591 417f9d __dosmaperr 46 API calls 73590->73591 73591->73589 73592->73547 73593->73558 73594->73548 73595->73553 73596->73558 73597->73561 73598->73562 73599->73558 73601 4149ea 73600->73601 73602 4149fe 73600->73602 73646 417f77 46 API calls __getptd_noexit 73601->73646 73605 41443c __flush 77 API calls 73602->73605 73614 4149fa 73602->73614 73604 4149ef 73647 
417f25 10 API calls ___crtsetenv 73604->73647 73607 414a0a 73605->73607 73619 41d8c2 73607->73619 73610 414139 __fseek_nolock 46 API calls 73611 414a18 73610->73611 73623 41d7fe 73611->73623 73613 414a1e 73613->73614 73615 413748 _free 46 API calls 73613->73615 73618 414ab2 LeaveCriticalSection LeaveCriticalSection _fprintf 73614->73618 73615->73614 73616->73346 73617->73353 73618->73353 73620 414a12 73619->73620 73621 41d8d2 73619->73621 73620->73610 73621->73620 73622 413748 _free 46 API calls 73621->73622 73622->73620 73624 41d80a _raise 73623->73624 73625 41d812 73624->73625 73626 41d82d 73624->73626 73663 417f8a 46 API calls __getptd_noexit 73625->73663 73628 41d839 73626->73628 73631 41d873 73626->73631 73665 417f8a 46 API calls __getptd_noexit 73628->73665 73629 41d817 73664 417f77 46 API calls __getptd_noexit 73629->73664 73634 41ae56 ___lock_fhandle 48 API calls 73631->73634 73633 41d83e 73666 417f77 46 API calls __getptd_noexit 73633->73666 73638 41d879 73634->73638 73635 41d81f _raise 73635->73613 73637 41d846 73667 417f25 10 API calls ___crtsetenv 73637->73667 73640 41d893 73638->73640 73641 41d887 73638->73641 73668 417f77 46 API calls __getptd_noexit 73640->73668 73648 41d762 73641->73648 73644 41d88d 73669 41d8ba LeaveCriticalSection __unlock_fhandle 73644->73669 73646->73604 73647->73614 73670 41aded 73648->73670 73650 41d7c8 73683 41ad67 47 API calls 2 library calls 73650->73683 73651 41d772 73651->73650 73652 41d7a6 73651->73652 73654 41aded __lseek_nolock 46 API calls 73651->73654 73652->73650 73655 41aded __lseek_nolock 46 API calls 73652->73655 73657 41d79d 73654->73657 73658 41d7b2 CloseHandle 73655->73658 73656 41d7d0 73659 41d7f2 73656->73659 73684 417f9d 46 API calls 3 library calls 73656->73684 73660 41aded __lseek_nolock 46 API calls 73657->73660 73658->73650 73661 41d7be GetLastError 73658->73661 73659->73644 73660->73652 73661->73650 73663->73629 73664->73635 73665->73633 73666->73637 73667->73635 73668->73644 73669->73635 73671 41ae12 
73670->73671 73672 41adfa 73670->73672 73675 417f8a __write 46 API calls 73671->73675 73676 41ae51 73671->73676 73673 417f8a __write 46 API calls 73672->73673 73674 41adff 73673->73674 73677 417f77 ___crtsetenv 46 API calls 73674->73677 73678 41ae23 73675->73678 73676->73651 73682 41ae07 73677->73682 73679 417f77 ___crtsetenv 46 API calls 73678->73679 73680 41ae2b 73679->73680 73681 417f25 ___crtsetenv 10 API calls 73680->73681 73681->73682 73682->73651 73683->73656 73684->73659 73686 414c82 _raise 73685->73686 73687 414cc3 73686->73687 73688 414cbb _raise 73686->73688 73690 414c96 __wctomb_s_l 73686->73690 73689 415471 __lock_file 47 API calls 73687->73689 73688->73356 73692 414ccb 73689->73692 73712 417f77 46 API calls __getptd_noexit 73690->73712 73698 414aba 73692->73698 73693 414cb0 73713 417f25 10 API calls ___crtsetenv 73693->73713 73699 414af2 73698->73699 73702 414ad8 __wctomb_s_l 73698->73702 73714 414cfa LeaveCriticalSection LeaveCriticalSection _fprintf 73699->73714 73700 414ae2 73765 417f77 46 API calls __getptd_noexit 73700->73765 73702->73699 73702->73700 73706 414b2d 73702->73706 73705 414c38 __wctomb_s_l 73768 417f77 46 API calls __getptd_noexit 73705->73768 73706->73699 73706->73705 73707 414139 __fseek_nolock 46 API calls 73706->73707 73715 41dfcc 73706->73715 73745 41d8f3 73706->73745 73767 41e0c2 46 API calls 3 library calls 73706->73767 73707->73706 73711 414ae7 73766 417f25 10 API calls ___crtsetenv 73711->73766 73712->73693 73713->73688 73714->73688 73716 41dfd8 _raise 73715->73716 73717 41dfe0 73716->73717 73720 41dffb 73716->73720 73838 417f8a 46 API calls __getptd_noexit 73717->73838 73719 41e007 73840 417f8a 46 API calls __getptd_noexit 73719->73840 73720->73719 73723 41e041 73720->73723 73721 41dfe5 73839 417f77 46 API calls __getptd_noexit 73721->73839 73726 41e063 73723->73726 73727 41e04e 73723->73727 73725 41e00c 73841 417f77 46 API calls __getptd_noexit 73725->73841 73730 41ae56 ___lock_fhandle 48 API calls 73726->73730 73843 
417f8a 46 API calls __getptd_noexit 73727->73843 73733 41e069 73730->73733 73731 41e014 73842 417f25 10 API calls ___crtsetenv 73731->73842 73732 41e053 73844 417f77 46 API calls __getptd_noexit 73732->73844 73736 41e077 73733->73736 73737 41e08b 73733->73737 73735 41dfed _raise 73735->73706 73769 41da15 73736->73769 73845 417f77 46 API calls __getptd_noexit 73737->73845 73741 41e083 73847 41e0ba LeaveCriticalSection __unlock_fhandle 73741->73847 73742 41e090 73846 417f8a 46 API calls __getptd_noexit 73742->73846 73746 41d900 73745->73746 73749 41d915 73745->73749 73851 417f77 46 API calls __getptd_noexit 73746->73851 73748 41d905 73852 417f25 10 API calls ___crtsetenv 73748->73852 73751 41d94a 73749->73751 73759 41d910 73749->73759 73848 420603 73749->73848 73753 414139 __fseek_nolock 46 API calls 73751->73753 73754 41d95e 73753->73754 73755 41dfcc __read 59 API calls 73754->73755 73756 41d965 73755->73756 73757 414139 __fseek_nolock 46 API calls 73756->73757 73756->73759 73758 41d988 73757->73758 73758->73759 73760 414139 __fseek_nolock 46 API calls 73758->73760 73759->73706 73761 41d994 73760->73761 73761->73759 73762 414139 __fseek_nolock 46 API calls 73761->73762 73763 41d9a1 73762->73763 73764 414139 __fseek_nolock 46 API calls 73763->73764 73764->73759 73765->73711 73766->73699 73767->73706 73768->73711 73770 41da31 73769->73770 73771 41da4c 73769->73771 73772 417f8a __write 46 API calls 73770->73772 73773 41da5b 73771->73773 73775 41da7a 73771->73775 73774 41da36 73772->73774 73776 417f8a __write 46 API calls 73773->73776 73777 417f77 ___crtsetenv 46 API calls 73774->73777 73779 41da98 73775->73779 73791 41daac 73775->73791 73778 41da60 73776->73778 73792 41da3e 73777->73792 73781 417f77 ___crtsetenv 46 API calls 73778->73781 73782 417f8a __write 46 API calls 73779->73782 73780 41db02 73785 417f8a __write 46 API calls 73780->73785 73784 41da67 73781->73784 73783 41da9d 73782->73783 73786 417f77 ___crtsetenv 46 API calls 73783->73786 73787 417f25 
___crtsetenv 10 API calls 73784->73787 73788 41db07 73785->73788 73790 41daa4 73786->73790 73787->73792 73789 417f77 ___crtsetenv 46 API calls 73788->73789 73789->73790 73794 417f25 ___crtsetenv 10 API calls 73790->73794 73791->73780 73791->73792 73793 41dae1 73791->73793 73795 41db1b 73791->73795 73792->73741 73793->73780 73798 41daec ReadFile 73793->73798 73794->73792 73797 416b04 __malloc_crt 46 API calls 73795->73797 73799 41db31 73797->73799 73800 41dc17 73798->73800 73801 41df8f GetLastError 73798->73801 73804 41db59 73799->73804 73805 41db3b 73799->73805 73800->73801 73806 41dc2b 73800->73806 73802 41de16 73801->73802 73803 41df9c 73801->73803 73813 417f9d __dosmaperr 46 API calls 73802->73813 73817 41dd9b 73802->73817 73808 417f77 ___crtsetenv 46 API calls 73803->73808 73807 420494 __lseeki64_nolock 48 API calls 73804->73807 73809 417f77 ___crtsetenv 46 API calls 73805->73809 73806->73817 73818 41dc47 73806->73818 73821 41de5b 73806->73821 73810 41db67 73807->73810 73811 41dfa1 73808->73811 73812 41db40 73809->73812 73810->73798 73814 417f8a __write 46 API calls 73811->73814 73815 417f8a __write 46 API calls 73812->73815 73813->73817 73814->73817 73815->73792 73816 413748 _free 46 API calls 73816->73792 73817->73792 73817->73816 73819 41dcab ReadFile 73818->73819 73826 41dd28 73818->73826 73822 41dcc9 GetLastError 73819->73822 73829 41dcd3 73819->73829 73820 41ded0 ReadFile 73823 41deef GetLastError 73820->73823 73830 41def9 73820->73830 73821->73817 73821->73820 73822->73818 73822->73829 73823->73821 73823->73830 73824 41ddec MultiByteToWideChar 73824->73817 73825 41de10 GetLastError 73824->73825 73825->73802 73826->73817 73827 41dda3 73826->73827 73828 41dd96 73826->73828 73832 41dd60 73826->73832 73827->73832 73833 41ddda 73827->73833 73831 417f77 ___crtsetenv 46 API calls 73828->73831 73829->73818 73834 420494 __lseeki64_nolock 48 API calls 73829->73834 73830->73821 73835 420494 __lseeki64_nolock 48 API calls 73830->73835 73831->73817 73832->73824 73836 
420494 __lseeki64_nolock 48 API calls 73833->73836 73834->73829 73835->73830 73837 41dde9 73836->73837 73837->73824 73838->73721 73839->73735 73840->73725 73841->73731 73842->73735 73843->73732 73844->73731 73845->73742 73846->73741 73847->73735 73849 416b04 __malloc_crt 46 API calls 73848->73849 73850 420618 73849->73850 73850->73751 73851->73748 73852->73759 73856 4148b3 GetSystemTimeAsFileTime __aulldiv 73853->73856 73855 442c6b 73855->73359 73856->73855 73857->73366 73858->73372 73859->73372 73864 45272f __tzset_nolock _wcscpy 73860->73864 73861 414d04 61 API calls __fread_nolock 73861->73864 73862 44afef GetSystemTimeAsFileTime 73862->73864 73863 4528a4 73863->73281 73863->73282 73864->73861 73864->73862 73864->73863 73865 4150d1 81 API calls _fseek 73864->73865 73865->73864 73867 44b1bc 73866->73867 73868 44b1ca 73866->73868 73869 4149c2 116 API calls 73867->73869 73870 44b1e1 73868->73870 73871 44b1d8 73868->73871 73872 4149c2 116 API calls 73868->73872 73869->73868 73901 4321a4 73870->73901 73871->73310 73874 44b2db 73872->73874 73874->73870 73876 44b2e9 73874->73876 73875 44b224 73877 44b253 73875->73877 73878 44b228 73875->73878 73879 44b2f6 73876->73879 73881 414a46 __fcloseall 82 API calls 73876->73881 73905 43213d 73877->73905 73880 44b235 73878->73880 73884 414a46 __fcloseall 82 API calls 73878->73884 73879->73310 73885 44b245 73880->73885 73888 414a46 __fcloseall 82 API calls 73880->73888 73881->73879 73883 44b25a 73886 44b260 73883->73886 73887 44b289 73883->73887 73884->73880 73885->73310 73889 44b26d 73886->73889 73891 414a46 __fcloseall 82 API calls 73886->73891 73915 44b0bf 87 API calls 73887->73915 73888->73885 73892 44b27d 73889->73892 73894 414a46 __fcloseall 82 API calls 73889->73894 73891->73889 73892->73310 73893 44b28f 73916 4320f8 46 API calls _free 73893->73916 73894->73892 73896 44b295 73897 44b2a2 73896->73897 73898 414a46 __fcloseall 82 API calls 73896->73898 73899 44b2b2 73897->73899 73900 414a46 __fcloseall 82 API calls 
73897->73900 73898->73897 73899->73310 73900->73899 73902 4321b4 __tzset_nolock _memmove 73901->73902 73903 4321cb 73901->73903 73902->73875 73904 414d04 __fread_nolock 61 API calls 73903->73904 73904->73902 73906 4135bb _malloc 46 API calls 73905->73906 73907 432150 73906->73907 73908 4135bb _malloc 46 API calls 73907->73908 73909 432162 73908->73909 73910 4135bb _malloc 46 API calls 73909->73910 73911 432174 73910->73911 73913 432189 73911->73913 73917 4320f8 46 API calls _free 73911->73917 73913->73883 73914 432198 73914->73883 73915->73893 73916->73896 73917->73914 73918->73217 73919->73219 73920->73237 73921->73237 73922->73237 73923->73228 73924->73237 73925->73237 73926->73241 73927->73250 73928->73252 73929->73252 73979 410160 73930->73979 73932 41012f GetFullPathNameW 73933 410147 moneypunct 73932->73933 73933->73087 73935 4102cb SHGetDesktopFolder 73934->73935 73938 410333 _wcsncpy 73934->73938 73936 4102e0 _wcsncpy 73935->73936 73935->73938 73937 41031c SHGetPathFromIDListW 73936->73937 73936->73938 73937->73938 73938->73090 73940 4101bb 73939->73940 73944 425f4a 73939->73944 73941 410160 52 API calls 73940->73941 73943 4101c7 73941->73943 73942 4114ab __wcsicoll 58 API calls 73942->73944 73983 410200 52 API calls 2 library calls 73943->73983 73944->73942 73946 425f6e 73944->73946 73946->73092 73947 4101d6 73984 410200 52 API calls 2 library calls 73947->73984 73949 4101e9 73949->73092 73951 40f760 128 API calls 73950->73951 73952 40f584 73951->73952 73953 429335 73952->73953 73954 40f58c 73952->73954 73957 4528bd 118 API calls 73953->73957 73955 40f598 73954->73955 73956 429358 73954->73956 74002 4033c0 113 API calls 7 library calls 73955->74002 74003 434034 86 API calls _wprintf 73956->74003 73959 42934b 73957->73959 73962 429373 73959->73962 73963 42934f 73959->73963 73961 40f5b4 73961->73088 73966 4115d7 52 API calls 73962->73966 73965 431e58 82 API calls 73963->73965 73964 429369 73964->73962 73965->73956 73978 4293c5 moneypunct 73966->73978 73967 
42959c 73968 413748 _free 46 API calls 73967->73968 73969 4295a5 73968->73969 73970 431e58 82 API calls 73969->73970 73971 4295b1 73970->73971 73975 401b10 52 API calls 73975->73978 73978->73967 73978->73975 73985 444af8 73978->73985 73988 402780 73978->73988 73996 4022d0 73978->73996 74004 44c7dd 64 API calls 3 library calls 73978->74004 74005 44b41c 52 API calls 73978->74005 73980 410167 _wcslen 73979->73980 73981 4115d7 52 API calls 73980->73981 73982 41017e _wcscpy 73981->73982 73982->73932 73983->73947 73984->73949 73986 4115d7 52 API calls 73985->73986 73987 444b27 _memmove 73986->73987 73987->73978 73989 402790 moneypunct _memmove 73988->73989 73990 402827 73988->73990 73991 4115d7 52 API calls 73989->73991 73992 4115d7 52 API calls 73990->73992 73993 402797 73991->73993 73992->73989 73994 4115d7 52 API calls 73993->73994 73995 4027bd 73993->73995 73994->73995 73995->73978 73997 4022e0 73996->73997 74000 40239d 73996->74000 73998 4115d7 52 API calls 73997->73998 73997->74000 74001 402320 moneypunct 73997->74001 73998->74001 73999 4115d7 52 API calls 73999->74001 74000->73978 74001->73999 74001->74000 74002->73961 74003->73964 74004->73978 74005->73978 74007 402417 74006->74007 74011 402539 moneypunct 74006->74011 74008 4115d7 52 API calls 74007->74008 74007->74011 74009 402443 74008->74009 74010 4115d7 52 API calls 74009->74010 74012 4024b4 74010->74012 74011->73096 74012->74011 74014 4022d0 52 API calls 74012->74014 74035 402880 95 API calls 2 library calls 74012->74035 74014->74012 74020 401566 74015->74020 74016 401794 74036 40e9a0 90 API calls 74016->74036 74019 4010a0 52 API calls 74019->74020 74020->74016 74020->74019 74022 40167a 74020->74022 74021 4017c0 74021->73098 74022->74021 74037 45e737 90 API calls 3 library calls 74022->74037 74024 40bc70 52 API calls 74023->74024 74033 40d451 74024->74033 74025 40d50f 74040 410600 52 API calls 74025->74040 74027 427c01 74041 45e737 90 API calls 3 library calls 74027->74041 74028 40e0a0 52 API calls 
                                  APIs
                                  • _wcslen.LIBCMT ref: 004096C1
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 0040970C
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                                  • _memmove.LIBCMT ref: 00409D96
                                  • _memmove.LIBCMT ref: 0040A6C4
                                  • _memmove.LIBCMT ref: 004297E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                  • String ID:
                                  • API String ID: 2383988440-0
                                  • Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                  • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                                  • Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                                  • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                                  APIs
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                    • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                    • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                    • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                                  • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                                  • GetFullPathNameW.KERNEL32(004A7F6C,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                    • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                                  • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                                  • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                                  • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                    • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                    • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                    • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                    • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                    • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                    • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                    • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                    • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                  Strings
                                  • runas, xrefs: 0042E2AD, 0042E2DC
                                  • This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2
                                  Similarity
                                  • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                                  • String ID: This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                  • API String ID: 2495805114-3383388033
                                  • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                  • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                                  • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                                  • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D
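The string table above ("This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.", the "AutoIt v3" window class, the Software\AutoIt v3\AutoIt registry key and the /AutoIt3Execute* switches that appear elsewhere in this report) is what identifies the submitted file as an AutoIt v3 interpreter stub wrapping the payload. The following static triage check is an added example written for this page, not code from Joe Sandbox or from AutoIt: it searches a PE image for those marker strings. The sample bytes are constructed inline, and the assumption that each marker is stored as UTF-16LE (the stub is a Unicode build, see CreateWindowExW and RegOpenKeyExW above) is why both ASCII and UTF-16LE encodings are tried.

```python
"""Static triage: flag a PE image that embeds the AutoIt v3 interpreter stub.

Added example, not part of the Joe Sandbox report. The marker strings below are
taken from this report's string tables; the sample bytes are constructed here so
the check runs offline.
"""
from __future__ import annotations

# Marker strings from the report's "Strings" / "String ID" entries.
AUTOIT_MARKERS = {
    "av_notice": ("This is a compiled AutoIt script. AV researchers please "
                  "email avsupport@autoitscript.com for support."),
    "gui_class": "AutoIt v3 GUI",
    "reg_key": "Software\\AutoIt v3\\AutoIt",
    "exec_switch": "/AutoIt3ExecuteScript",
    "line_switch": "/AutoIt3ExecuteLine",
}


def find_autoit_markers(data: bytes) -> dict[str, list[str]]:
    """Return {marker_name: [encodings found]} for every marker present in data.

    Which encoding a given string uses inside the binary is an assumption, so
    each marker is searched both as ASCII and as UTF-16LE.
    """
    hits: dict[str, list[str]] = {}
    for name, text in AUTOIT_MARKERS.items():
        candidates = (("ascii", text.encode("ascii")),
                      ("utf-16le", text.encode("utf-16-le")))
        encs = [enc for enc, blob in candidates if blob in data]
        if encs:
            hits[name] = encs
    return hits


def is_autoit_stub(data: bytes, min_markers: int = 2) -> bool:
    """Require at least min_markers distinct markers so a lone string does not fire."""
    return len(find_autoit_markers(data)) >= min_markers


# Constructed stand-in for a sample: an MZ header, padding, and two markers
# stored the way the Unicode stub would store them (UTF-16LE).
SAMPLE = (b"MZ" + b"\x00" * 62
          + AUTOIT_MARKERS["av_notice"].encode("utf-16-le") + b"\x00" * 16
          + AUTOIT_MARKERS["reg_key"].encode("utf-16-le") + b"\x00" * 16)


def scan_file(path: str) -> dict[str, list[str]]:
    """Run the marker check over a file on disk."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(find_autoit_markers(data))
    print("autoit stub" if is_autoit_stub(data) else "no autoit markers")
```

The two-marker threshold is deliberate: the AV notice string alone is easy to plant in an unrelated binary, and the registry key alone can appear in legitimate AutoIt tooling; the stub carries all of them.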

                                   Control-flow Graph (graph image not reproduced; the node dump covers blocks 40e500-40e65d and 427625-4276df and shows calls to GetVersionExW, GetCurrentProcess, GetSystemInfo, GetNativeSystemInfo and FreeLibrary)
                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                                  • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                                  • FreeLibrary.KERNEL32(?), ref: 0040E642
                                  • FreeLibrary.KERNEL32(?), ref: 0040E654
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                  • String ID: 0SH
                                  • API String ID: 3363477735-851180471
                                  • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                  • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                                  • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                                  • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                                  APIs
                                  • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: IsThemeActive$uxtheme.dll
                                  • API String ID: 2574300362-3542929980
                                  • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                  • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                                  • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                                  • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                                  • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                                  • TranslateMessage.USER32(?), ref: 00409556
                                  • DispatchMessageW.USER32(?), ref: 00409561
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Message$Peek$DispatchSleepTranslate
                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                  • API String ID: 1762048999-758534266
                                  • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                  • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                                  • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                                  • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                                   Control-flow Graph (graph image not reproduced)
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104,?), ref: 00401F4C
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • __wcsicoll.LIBCMT ref: 00402007
                                  • __wcsicoll.LIBCMT ref: 0040201D
                                  • __wcsicoll.LIBCMT ref: 00402033
                                    • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                                  • __wcsicoll.LIBCMT ref: 00402049
                                  • _wcscpy.LIBCMT ref: 0040207C
                                  • GetModuleFileNameW.KERNEL32(00000000,004A7F6C,00000104), ref: 00428B5B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
                                  • API String ID: 3948761352-1609664196
                                  • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                  • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                                  • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                                  • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99
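The function above fetches its own path with GetModuleFileNameW and then compares command-line arguments against /AutoIt3ExecuteLine, /AutoIt3ExecuteScript, /AutoIt3OutputDebug and /ErrorStdOut using __wcsicoll, a case-insensitive whole-argument comparison. Those switches are the interpreter's own, so a compiled stub seen with one of them on its command line deserves a look. The detection below is an added example for this page, not code from Joe Sandbox or AutoIt: it replays the same case-insensitive, whole-token comparison over process-creation log lines. The pipe-separated log layout, the process names and the file paths are all constructed for the example; whether a particular compiled stub actually honours a switch at runtime is not established by this report, so the rule only flags the command line for review.

```python
"""Detection: AutoIt3 interpreter switches on a process command line.

Added example, not part of the Joe Sandbox report. The switch names are the
ones the stub's parser compares against in this report (via __wcsicoll, i.e.
case-insensitive, whole argument), so the match mirrors that. Log lines are
constructed; the pid|image|cmdline layout is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Switch strings from the report's String ID entry.
AUTOIT_SWITCHES = ("/AutoIt3ExecuteLine", "/AutoIt3ExecuteScript",
                   "/AutoIt3OutputDebug", "/ErrorStdOut")

# Windows-style tokenizer: a double-quoted run or a bare run of non-spaces.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class Hit:
    pid: int
    image: str
    switch: str
    payload: str   # argument following the switch (script path or line), if any


def parse_line(line: str) -> tuple[int, str, str] | None:
    """pid|image|cmdline -> (pid, image, cmdline); None for malformed lines."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2]


def detect(lines: list[str]) -> list[Hit]:
    """Flag every argument that equals one of the switches, case-insensitively.

    Whole-token comparison (like __wcsicoll on the whole argument) keeps a path
    that merely contains the text, e.g. ...\\ErrorStdOut.txt, from matching.
    """
    hits: list[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pid, image, cmdline = rec
        tokens = [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]
        for i, tok in enumerate(tokens[1:], start=1):   # skip argv[0]
            for sw in AUTOIT_SWITCHES:
                if tok.lower() == sw.lower():
                    payload = tokens[i + 1] if i + 1 < len(tokens) else ""
                    hits.append(Hit(pid, image, sw, payload))
    return hits


# Constructed process-creation records (hypothetical names and paths).
LOG = [
    '4120|C:\\Users\\user\\AppData\\Local\\Temp\\6medsM68NX.exe|'
    '"C:\\Users\\user\\AppData\\Local\\Temp\\6medsM68NX.exe"',
    '4188|C:\\Users\\user\\AppData\\Roaming\\svc.exe|'
    '"C:\\Users\\user\\AppData\\Roaming\\svc.exe" /autoit3executescript '
    '"C:\\Users\\user\\AppData\\Roaming\\stage2.a3x"',
    '4210|C:\\Windows\\System32\\cmd.exe|'
    'cmd.exe /c type C:\\Users\\user\\notes\\ErrorStdOut.txt',
    'garbage line',
]

if __name__ == "__main__":
    for h in detect(LOG):
        print(f"pid={h.pid} image={h.image} switch={h.switch} payload={h.payload}")
```

Only the second record fires: the first has no arguments, the third contains the switch text inside a file name rather than as its own argument, and the fourth is malformed and skipped.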

                                   Control-flow Graph (graph image not reproduced)
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                                  • __wsplitpath.LIBCMT ref: 0040E41C
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcsncat.LIBCMT ref: 0040E433
                                  • __wmakepath.LIBCMT ref: 0040E44F
                                    • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • _wcscpy.LIBCMT ref: 0040E487
                                    • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                  • _wcscat.LIBCMT ref: 00427541
                                  • _wcslen.LIBCMT ref: 00427551
                                  • _wcslen.LIBCMT ref: 00427562
                                  • _wcscat.LIBCMT ref: 0042757C
                                  • _wcsncpy.LIBCMT ref: 004275BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                  • String ID: Include$\
                                  • API String ID: 3173733714-3429789819
                                  • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                  • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                                  • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                                  • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                                   Control-flow Graph (graph image not reproduced)
                                  APIs
                                  • _fseek.LIBCMT ref: 0045292B
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                  • __fread_nolock.LIBCMT ref: 00452961
                                  • __fread_nolock.LIBCMT ref: 00452971
                                  • __fread_nolock.LIBCMT ref: 0045298A
                                  • __fread_nolock.LIBCMT ref: 004529A5
                                  • _fseek.LIBCMT ref: 004529BF
                                  • _malloc.LIBCMT ref: 004529CA
                                  • _malloc.LIBCMT ref: 004529D6
                                  • __fread_nolock.LIBCMT ref: 004529E7
                                  • _free.LIBCMT ref: 00452A17
                                  • _free.LIBCMT ref: 00452A20
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                                  • String ID:
                                  • API String ID: 1255752989-0
                                  • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                  • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                                  • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                                  • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                                   Control-flow Graph (graph image not reproduced)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __fread_nolock$_fseek_wcscpy
                                  • String ID: FILE
                                  • API String ID: 3888824918-3121273764
                                  • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                  • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                                  • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                                  • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                                   Control-flow Graph (graph image not reproduced)
                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                  • RegisterClassExW.USER32(00000030), ref: 004104ED
                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                  • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                  • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                  • ImageList_ReplaceIcon.COMCTL32(00A665A8,000000FF,00000000), ref: 00410552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                  • API String ID: 2914291525-1005189915
                                  • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                  • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                                  • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                                  • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                                   Control-flow Graph (graph image not reproduced)
                                  APIs
                                  • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                  • LoadIconW.USER32(?,00000063), ref: 004103C0
                                  • LoadIconW.USER32(?,000000A4), ref: 004103D3
                                  • LoadIconW.USER32(?,000000A2), ref: 004103E6
                                  • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                  • RegisterClassExW.USER32(?), ref: 0041045D
                                    • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                    • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                    • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                    • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                    • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                    • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                    • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00A665A8,000000FF,00000000), ref: 00410552
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                  • String ID: #$0$AutoIt v3
                                  • API String ID: 423443420-4155596026
                                  • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                  • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                                  • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                                  • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _malloc
                                  • String ID: Default
                                  • API String ID: 1579825452-753088835
                                  • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                  • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                                  • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                                  • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                                   Control-flow Graph
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __fread_nolock_fseek_memmove_strcat
                                  • String ID: AU3!$EA06
                                  • API String ID: 1268643489-2658333250
                                  • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                  • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                                  • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                                  • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                                   Control-flow Graph
                                  APIs
                                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                                  • KillTimer.USER32(?,00000001,?), ref: 004011B9
                                  • PostQuitMessage.USER32(00000000), ref: 004011CB
                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                                  • CreatePopupMenu.USER32 ref: 00401204
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                  • String ID: TaskbarCreated
                                  • API String ID: 129472671-2362178303
                                  • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                  • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                                  • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                                  • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                                   Control-flow Graph
                                  APIs
                                  • _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • std::exception::exception.LIBCMT ref: 00411626
                                  • std::exception::exception.LIBCMT ref: 00411640
                                  • __CxxThrowException@8.LIBCMT ref: 00411651
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                  • String ID: ,*H$4*H$@fI
                                  • API String ID: 615853336-1459471987
                                  • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                  • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                                  • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                                  • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                                   Control-flow Graph
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03FC49B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                  • Instruction ID: 348891b1cc6a8bd2fd75ba41fd305c249fe154bdfbcfd3802638c2f350452ac9
                                  • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                  • Instruction Fuzzy Hash: C8514E75A60249FBDF20DFA4CD59FDEB7B8AF48701F108548F60AEA280CA749644CB64

                                   Control-flow Graph
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                                  • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: QueryValue$CloseOpen
                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                  • API String ID: 1586453840-614718249
                                  • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                  • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                                  • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                                  • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

                                   Control-flow Graph
                                  APIs
                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                  • ShowWindow.USER32(?,00000000), ref: 004105E4
                                  • ShowWindow.USER32(?,00000000), ref: 004105EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Window$CreateShow
                                  • String ID: AutoIt v3$edit
                                  • API String ID: 1584632944-3779509399
                                  • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                  • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                                  • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                                  • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

                                   Control-flow Graph
                                  APIs
                                  • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcsncpy.LIBCMT ref: 00401C41
                                  • _wcscpy.LIBCMT ref: 00401C5D
                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                                  • String ID: Line:
                                  • API String ID: 1874344091-1585850449
                                  • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                  • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                                  • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                                  • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                                  • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                                  • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                                  • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Close$OpenQueryValue
                                  • String ID: Control Panel\Mouse
                                  • API String ID: 1607946009-824357125
                                  • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                  • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                                  • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                                  • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                                  APIs
                                  • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                  • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                  • _wcsncpy.LIBCMT ref: 004102ED
                                  • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                  • _wcsncpy.LIBCMT ref: 00410340
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                  • String ID:
                                  • API String ID: 3170942423-0
                                  • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                  • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                                  • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                                  • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4
                                  APIs
                                    • Part of subcall function 03FC62C0: Sleep.KERNELBASE(000001F4), ref: 03FC62D1
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03FC64EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateFileSleep
                                  • String ID: 84RSYRZS3L56DYHSROK3
                                  • API String ID: 2694422964-319158054
                                  • Opcode ID: cd32777cc519ba6b9f19fbaf42ea420266d026ec5a774b65ee3350875c8df3f5
                                  • Instruction ID: d1e08d4f63c60f752a64a1e2f2969ba26ffacfd00f932edc79cb605aa9657e66
                                  • Opcode Fuzzy Hash: cd32777cc519ba6b9f19fbaf42ea420266d026ec5a774b65ee3350875c8df3f5
                                  • Instruction Fuzzy Hash: 6851A531D54289EAEF11DBA4C814BEEBB79AF05300F14459DE218BB2C1D7B91B48CBA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: Error:
                                  • API String ID: 4104443479-232661952
                                  • Opcode ID: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                  • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                                  • Opcode Fuzzy Hash: 20a21836adb2195423de36251fb93945767d574b7418eb2d4267c7510a98c7d8
                                  • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                                  APIs
                                  • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                    • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                    • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                    • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                    • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                    • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                  • String ID: X$pWH
                                  • API String ID: 85490731-941433119
                                  • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                  • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                                  • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                                  • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 03FC5095
                                  • ExitProcess.KERNEL32(00000000), ref: 03FC50B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Process$CreateExit
                                  • String ID: D
                                  • API String ID: 126409537-2746444292
                                  • Opcode ID: e5dfa926c3cfd43f8158a8dca75bcf8ff518f9dd03fead9f205cfafa536a5c87
                                  • Instruction ID: 341d5863c815bb81215c642eaacf15dc7b0064cace487646ba92d83eb45942b5
                                  • Opcode Fuzzy Hash: e5dfa926c3cfd43f8158a8dca75bcf8ff518f9dd03fead9f205cfafa536a5c87
                                  • Instruction Fuzzy Hash: 5BF0EC7699424DABDB60DFE0CD49FEE777CBF04701F148508FA0ADA184DA78D6088BA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                  • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                                  • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                                  • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                  • String ID:
                                  • API String ID: 1794320848-0
                                  • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                  • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                                  • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                                  • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                                  APIs
                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: IconNotifyShell_
                                  • String ID:
                                  • API String ID: 1144537725-0
                                  • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                  • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                                  • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                                  • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                                  APIs
                                  • _malloc.LIBCMT ref: 0043214B
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • _malloc.LIBCMT ref: 0043215D
                                  • _malloc.LIBCMT ref: 0043216F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _malloc$AllocateHeap
                                  • String ID:
                                  • API String ID: 680241177-0
                                  • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                  • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                                  • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                                  • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                                  APIs
                                    • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                                  • _free.LIBCMT ref: 004295A0
                                    • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                    • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                    • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                    • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                    • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                    • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                  • String ID: >>>AUTOIT SCRIPT<<<
                                  • API String ID: 3938964917-2806939583
                                  • Opcode ID: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                  • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                                  • Opcode Fuzzy Hash: 54ef76e4734de236163cd7b280f05d5101af8392224d903fd41af02c4ea86240
                                  • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                                  Strings
                                  • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _strcat
                                  • String ID: >>>AUTOIT NO CMDEXECUTE<<<
                                  • API String ID: 1765576173-2684727018
                                  • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                  • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                                  • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                                  • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                  • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                                  • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                                  • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                                  APIs
                                  • __wsplitpath.LIBCMT ref: 004678F7
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorLast__wsplitpath_malloc
                                  • String ID:
                                  • API String ID: 4163294574-0
                                  • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                  • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                                  • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                                  • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                                  APIs
                                    • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                    • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                                  • _strcat.LIBCMT ref: 0040F786
                                    • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                    • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                  • String ID:
                                  • API String ID: 3199840319-0
                                  APIs
                                  • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0040D779
                                  • FreeLibrary.KERNEL32(?), ref: 0040D78E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: FreeInfoLibraryParametersSystem
                                  • String ID:
                                  • API String ID: 3403648963-0
                                  APIs
                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  APIs
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  • __lock_file.LIBCMT ref: 00414A8D
                                    • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                                  • __fclose_nolock.LIBCMT ref: 00414A98
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                  • String ID:
                                  • API String ID: 2800547568-0
                                  APIs
                                  • __lock_file.LIBCMT ref: 00415012
                                  • __ftell_nolock.LIBCMT ref: 0041501F
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __ftell_nolock__getptd_noexit__lock_file
                                  • String ID:
                                  • API String ID: 2999321469-0
                                  APIs
                                    • Part of subcall function 03FC4930: GetFileAttributesW.KERNELBASE(?), ref: 03FC493B
                                  • CreateDirectoryW.KERNELBASE(?,00000000), ref: 03FC51C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AttributesCreateDirectoryFile
                                  • String ID:
                                  • API String ID: 3401506121-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID:
                                  • API String ID: 4104443479-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID:
                                  • API String ID: 544645111-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 00444B34
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _malloc_memmove
                                  • String ID:
                                  • API String ID: 1183979061-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __lock_file
                                  • String ID:
                                  • API String ID: 3031932315-0
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 03FC493B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?), ref: 03FC490B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                  • Instruction ID: dcb89f2af18b84487b839b94ea6071cdf528d2990b5b6c2b6dce6028cdfd94bc
                                  • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                  • Instruction Fuzzy Hash: EED0A73195920DEBCB20CFB5AD049DAB7ACD705321F004759FD15C3280D5319A409750
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __wfsopen
                                  • String ID:
                                  • API String ID: 197181222-0
                                  • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                  • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                                  • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                                  • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                                  APIs
                                  • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                  • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                                  • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                                  • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 03FC62D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                  • Instruction ID: c77e837b6631fedbe75fc27a8a4555c3b96299a6c17cd61a83afde3cdc5dea8f
                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                  • Instruction Fuzzy Hash: 15E0BF7498410EEFDB00EFE8D6496DE7BB8EF04302F1005A5FD05D7680DB319E548A66
                                  APIs
                                  • Sleep.KERNELBASE(000001F4), ref: 03FC62D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1338198860.0000000003FC4000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FC4000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3fc4000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction ID: 00e5e19383df2ab65294756d7671b522984204c1167788ef1023ba672b95121f
                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                  • Instruction Fuzzy Hash: FCE0E67498410EDFDB00EFF8D6496DE7FB4EF04302F1001A5FD01D2280D6319D508A62
                                  APIs
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                                  • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                                  • GetKeyState.USER32(00000011), ref: 0047C92D
                                  • GetKeyState.USER32(00000009), ref: 0047C936
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                                  • GetKeyState.USER32(00000010), ref: 0047C953
                                  • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                                  • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                                  • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                                  • _wcsncpy.LIBCMT ref: 0047CA29
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                                  • SendMessageW.USER32 ref: 0047CA7F
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                                  • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                                  • ImageList_SetDragCursorImage.COMCTL32(00A665A8,00000000,00000000,00000000), ref: 0047CB9B
                                  • ImageList_BeginDrag.COMCTL32(00A665A8,00000000,000000F8,000000F0), ref: 0047CBAC
                                  • SetCapture.USER32(?), ref: 0047CBB6
                                  • ClientToScreen.USER32(?,?), ref: 0047CC17
                                  • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                                  • ReleaseCapture.USER32 ref: 0047CC3A
                                  • GetCursorPos.USER32(?), ref: 0047CC72
                                  • ScreenToClient.USER32(?,?), ref: 0047CC80
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                                  • SendMessageW.USER32 ref: 0047CD12
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                                  • SendMessageW.USER32 ref: 0047CD80
                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                                  • GetCursorPos.USER32(?), ref: 0047CDC8
                                  • ScreenToClient.USER32(?,?), ref: 0047CDD6
                                  • GetParent.USER32(00000000), ref: 0047CDF7
                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                                  • SendMessageW.USER32 ref: 0047CE93
                                  • ClientToScreen.USER32(?,?), ref: 0047CEEE
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,009A1AF8,00000000,?,?,?,?), ref: 0047CF1C
                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                                  • SendMessageW.USER32 ref: 0047CF6B
                                  • ClientToScreen.USER32(?,?), ref: 0047CFB5
                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,009A1AF8,00000000,?,?,?,?), ref: 0047CFE6
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                  • String ID: @GUI_DRAGID$F
                                  • API String ID: 3100379633-4164748364
                                  • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                  • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                                  • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                                  • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00434420
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                                  • IsIconic.USER32(?), ref: 0043444F
                                  • ShowWindow.USER32(?,00000009), ref: 0043445C
                                  • SetForegroundWindow.USER32(?), ref: 0043446A
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                                  • GetCurrentThreadId.KERNEL32 ref: 00434485
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                                  • SetForegroundWindow.USER32(00000000), ref: 004344B7
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                                  • keybd_event.USER32(00000012,00000000), ref: 004344CF
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                                  • keybd_event.USER32(00000012,00000000), ref: 004344E6
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                                  • keybd_event.USER32(00000012,00000000), ref: 004344FD
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                                  • keybd_event.USER32(00000012,00000000), ref: 00434514
                                  • SetForegroundWindow.USER32(00000000), ref: 0043451E
                                  • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 2889586943-2988720461
                                  • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                  • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                                  • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                                  • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                                  APIs
                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                                  • CloseHandle.KERNEL32(?), ref: 004463A0
                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                                  • GetProcessWindowStation.USER32 ref: 004463D1
                                  • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                                  • _wcslen.LIBCMT ref: 00446498
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _wcsncpy.LIBCMT ref: 004464C0
                                  • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                                  • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                                  • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                                  • UnloadUserProfile.USERENV(?,?), ref: 00446555
                                  • CloseWindowStation.USER32(00000000), ref: 0044656C
                                  • CloseDesktop.USER32(?), ref: 0044657A
                                  • SetProcessWindowStation.USER32(?), ref: 00446588
                                  • CloseHandle.KERNEL32(?), ref: 00446592
                                  • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                  • String ID: $@OH$default$winsta0
                                  • API String ID: 3324942560-3791954436
                                  • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                  • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                                  • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                                  • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                                  APIs
                                  • OpenClipboard.USER32(?), ref: 0046DCE7
                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                                  • GetClipboardData.USER32(0000000D), ref: 0046DD01
                                  • CloseClipboard.USER32 ref: 0046DD0D
                                  • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                                  • CloseClipboard.USER32 ref: 0046DD41
                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                                  • GetClipboardData.USER32(00000001), ref: 0046DD8D
                                  • CloseClipboard.USER32 ref: 0046DD99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                                  • String ID:
                                  • API String ID: 15083398-0
                                  • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                  • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                                  • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                                  • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                    • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                    • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • _wcscat.LIBCMT ref: 0044BD94
                                  • _wcscat.LIBCMT ref: 0044BDBD
                                  • __wsplitpath.LIBCMT ref: 0044BDEA
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                                  • _wcscpy.LIBCMT ref: 0044BE71
                                  • _wcscat.LIBCMT ref: 0044BE83
                                  • _wcscat.LIBCMT ref: 0044BE95
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                                  • DeleteFileW.KERNEL32(?), ref: 0044BED3
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                                  • DeleteFileW.KERNEL32(?), ref: 0044BF15
                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                                  • FindClose.KERNEL32(00000000), ref: 0044BF33
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                                  • FindClose.KERNEL32(00000000), ref: 0044BF7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 2188072990-1173974218
                                  • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                  • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                                  • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                                  • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                                  • FindClose.KERNEL32(00000000), ref: 00478924
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                                  • __swprintf.LIBCMT ref: 004789D3
                                  • __swprintf.LIBCMT ref: 00478A1D
                                  • __swprintf.LIBCMT ref: 00478A4B
                                  • __swprintf.LIBCMT ref: 00478A79
                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                    • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                                  • __swprintf.LIBCMT ref: 00478AA7
                                  • __swprintf.LIBCMT ref: 00478AD5
                                  • __swprintf.LIBCMT ref: 00478B03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                  • API String ID: 999945258-2428617273
                                  • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                  • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                                  • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                                  • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                  • __wsplitpath.LIBCMT ref: 00403492
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcscpy.LIBCMT ref: 004034A7
                                  • _wcscat.LIBCMT ref: 004034BC
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                    • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                                  • _wcscpy.LIBCMT ref: 004035A0
                                  • _wcslen.LIBCMT ref: 00403623
                                  • _wcslen.LIBCMT ref: 0040367D
                                  Strings
                                  • _, xrefs: 0040371C
                                  • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                                  • Error opening the file, xrefs: 00428231
                                  • Unterminated string, xrefs: 00428348
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                  • API String ID: 3393021363-188983378
                                  • Opcode ID: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                  • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                                  • Opcode Fuzzy Hash: ce77724faf1e7fbc9fcf9b1a922f2907e035de924d79ec5656a8af7ae9668c55
                                  • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                                  • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                                  • FindClose.KERNEL32(00000000), ref: 00431B20
                                  • FindClose.KERNEL32(00000000), ref: 00431B34
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                                  • FindClose.KERNEL32(00000000), ref: 00431BCD
                                  • FindClose.KERNEL32(00000000), ref: 00431BDB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                  • String ID: *.*
                                  • API String ID: 1409584000-438819550
                                  • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                  • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                                  • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                                  • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                                  APIs
                                  • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                                  • __swprintf.LIBCMT ref: 00431C2E
                                  • _wcslen.LIBCMT ref: 00431C3A
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                                  • String ID: :$\$\??\%s
                                  • API String ID: 2192556992-3457252023
                                  • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                  • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                                  • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                                  • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 004722A2
                                  • __swprintf.LIBCMT ref: 004722B9
                                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                                  • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                                  • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                                  • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                                  • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                                  • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                                  • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                                  • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                                  • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: FolderPath$LocalTime__swprintf
                                  • String ID: %.3d
                                  • API String ID: 3337348382-986655627
                                  • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                  • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                                  • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                                  • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                                  • FindClose.KERNEL32(00000000), ref: 0044291C
                                  • FindClose.KERNEL32(00000000), ref: 00442930
                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                                  • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                                  • FindClose.KERNEL32(00000000), ref: 004429D4
                                    • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                                  • FindClose.KERNEL32(00000000), ref: 004429E2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                  • String ID: *.*
                                  • API String ID: 2640511053-438819550
                                  • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                  • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                                  • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                                  • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                                  • GetLastError.KERNEL32 ref: 00433414
                                  • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                                  • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                                  • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 2938487562-3733053543
                                  • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                  • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                                  • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                                  • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                                  APIs
                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                    • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                    • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                    • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                                  • GetLengthSid.ADVAPI32(?), ref: 004461D0
                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                                  • GetLengthSid.ADVAPI32(?), ref: 00446241
                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                                  • CopySid.ADVAPI32(00000000), ref: 00446271
                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                  • String ID:
                                  • API String ID: 1255039815-0
                                  • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                  • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                                  • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                                  • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                                  APIs
                                  • __swprintf.LIBCMT ref: 00433073
                                  • __swprintf.LIBCMT ref: 00433085
                                  • __wcsicoll.LIBCMT ref: 00433092
                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                                  • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                                  • LockResource.KERNEL32(00000000), ref: 004330CA
                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                                  • LoadResource.KERNEL32(?,00000000), ref: 00433105
                                  • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                                  • LockResource.KERNEL32(?), ref: 00433120
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                  • String ID:
                                  • API String ID: 1158019794-0
                                  • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                  • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                                  • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                                  • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                  • String ID:
                                  • API String ID: 1737998785-0
                                  • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                  • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                                  • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                                  • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                                  • GetLastError.KERNEL32 ref: 0045D6BF
                                  • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Error$Mode$DiskFreeLastSpace
                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                  • API String ID: 4194297153-14809454
                                  • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                  • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                                  • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                                  • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove$_strncmp
                                  • String ID: @oH$\$^$h
                                  • API String ID: 2175499884-3701065813
                                  • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                  • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                                  • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                                  • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                                  APIs
                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                                  • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                                  • listen.WSOCK32(00000000,00000005), ref: 00465381
                                  • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                                  • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                  • String ID:
                                  • API String ID: 540024437-0
                                  • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                  • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                                  • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                                  • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                                  • API String ID: 0-2872873767
                                  • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                  • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                                  • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                                  • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                                  • __wsplitpath.LIBCMT ref: 00475644
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcscat.LIBCMT ref: 00475657
                                  • __wcsicoll.LIBCMT ref: 0047567B
                                  • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                                  • CloseHandle.KERNEL32(00000000), ref: 004756BA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID:
                                  • API String ID: 2547909840-0
                                  • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                  • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                                  • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                                  • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                                  • Sleep.KERNEL32(0000000A), ref: 0045250B
                                  • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                                  • FindClose.KERNEL32(?), ref: 004525FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                  • String ID: *.*$\VH
                                  • API String ID: 2786137511-2657498754
                                  • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                  • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                                  • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                                  • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                                  • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                                  • TerminateProcess.KERNEL32(00000000), ref: 00422004
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                  • String ID: pqI
                                  • API String ID: 2579439406-2459173057
                                  • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                  • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                                  • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                                  • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                                  APIs
                                  • __wcsicoll.LIBCMT ref: 00433349
                                  • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                                  • __wcsicoll.LIBCMT ref: 00433375
                                  • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __wcsicollmouse_event
                                  • String ID: DOWN
                                  • API String ID: 1033544147-711622031
                                  • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                  • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                                  • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                                  • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044C3D2
                                  • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                                  • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                                  • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: KeyboardMessagePostState$InputSend
                                  • String ID:
                                  • API String ID: 3031425849-0
                                  • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                  • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                                  • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                                  • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                                  APIs
                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                  • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorLastinet_addrsocket
                                  • String ID:
                                  • API String ID: 4170576061-0
                                  • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                  • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                                  • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                                  • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                                  APIs
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • IsWindowVisible.USER32 ref: 0047A368
                                  • IsWindowEnabled.USER32 ref: 0047A378
                                  • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                                  • IsIconic.USER32 ref: 0047A393
                                  • IsZoomed.USER32 ref: 0047A3A1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                  • String ID:
                                  • API String ID: 292994002-0
                                  • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                  • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                                  • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                                  • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                                  APIs
                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                  • CoInitialize.OLE32(00000000), ref: 00478442
                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                                  • CoUninitialize.OLE32 ref: 0047863C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                  • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                                  • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                                  • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: U$\
                                  • API String ID: 4104443479-100911408
                                  • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                  • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                                  • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                                  • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                  • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                                  • Opcode Fuzzy Hash: b82a98c6df9a243ef4fbf3c667c5144d50f68704456ba494e21579813087d3e5
                                  • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                                  APIs
                                  • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                                  • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                                  • FindClose.KERNEL32(00000000), ref: 004339EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: FileFind$AttributesCloseFirst
                                  • String ID:
                                  • API String ID: 48322524-0
                                  • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                  • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                                  • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                                  • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                                  APIs
                                  • __time64.LIBCMT ref: 00442E1E
                                    • Part of subcall function 004148B3: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00430E3E,00000000,?,?,00441E36,?,00000001), ref: 004148BE
                                    • Part of subcall function 004148B3: __aulldiv.LIBCMT ref: 004148DE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Time$FileSystem__aulldiv__time64
                                  • String ID: @uJ
                                  • API String ID: 2893107130-1268412911
                                  • Opcode ID: f8baac42c5f25f74c7dd853c159356035b8e1d829a17ed988ba9b2caf3e3cd55
                                  • Instruction ID: d38707ff02ce459d0d249ce09c4ef886a5fe37698b82f7f0427e65daa233e585
                                  • Opcode Fuzzy Hash: f8baac42c5f25f74c7dd853c159356035b8e1d829a17ed988ba9b2caf3e3cd55
                                  • Instruction Fuzzy Hash: CB21A2335605108BF320CF37CC01652B7E7EBE5310F358A69E4A5973D1DAB96906CB98
                                  APIs
                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                  • String ID:
                                  • API String ID: 901099227-0
                                  • Opcode ID: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                  • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                                  • Opcode Fuzzy Hash: b48fbef154557e42056369557a390c5e15e1cd9efc8ac9760c34eb316c367bda
                                  • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove_wcslen
                                  • String ID: Exit$Script Paused
                                  • API String ID: 2754939106-2163292816
                                  • Opcode ID: 1361716759e7692655054e09e1f9ca6c6622165b0ec59e7ea16ed709fbf81315
                                  • Instruction ID: e1aa3db6c28832e2723146f338ab520c8ce4fdfb15a9870ee7eb1ba1d953282a
                                  • Opcode Fuzzy Hash: 1361716759e7692655054e09e1f9ca6c6622165b0ec59e7ea16ed709fbf81315
                                  • Instruction Fuzzy Hash: FB31A0B99052508FC380EF2AAC94515BFE1F7AB3543A4813ED4099B3B1DF3818408B9D
                                  APIs
                                  • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Proc
                                  • String ID:
                                  • API String ID: 2346855178-0
                                  • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                  • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                                  • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                                  • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                                  APIs
                                  • BlockInput.USER32(00000001), ref: 0045A38B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: BlockInput
                                  • String ID:
                                  • API String ID: 3456056419-0
                                  • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                  • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                                  • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                                  • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                                  APIs
                                  • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: LogonUser
                                  • String ID:
                                  • API String ID: 1244722697-0
                                  • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                  • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                                  • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                                  • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                  • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                                  • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                                  • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: N@
                                  • API String ID: 0-1509896676
                                  • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                  • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                                  • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                                  • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                  • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                                  • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                                  • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                  • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                                  • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                  • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                  • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                                  • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                  • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                  • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                                  • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                  • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                  • Instruction ID: 1be110723fa64262e89d0aec0a1a20255c1bae91910aebb39a61821022ff9223
                                  • Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                  • Instruction Fuzzy Hash: 55B1B533D0A6B3058736836D05582BFFE626E91B8031FC396CDD03F399C62AAD9295D4
                                  APIs
                                  • DeleteObject.GDI32(?), ref: 0045953B
                                  • DeleteObject.GDI32(?), ref: 00459551
                                  • DestroyWindow.USER32(?), ref: 00459563
                                  • GetDesktopWindow.USER32 ref: 00459581
                                  • GetWindowRect.USER32(00000000), ref: 00459588
                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                                  • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                                  • GetClientRect.USER32(00000000,?), ref: 004596F8
                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                                  • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                                  • GlobalLock.KERNEL32(00000000), ref: 0045978F
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                                  • CloseHandle.KERNEL32(00000000), ref: 004597AC
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                                  • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                                  • GlobalFree.KERNEL32(00000000), ref: 004597E2
                                  • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                                  • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                                  • ShowWindow.USER32(?,00000004), ref: 00459865
                                  • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                                  • GetStockObject.GDI32(00000011), ref: 004598CD
                                  • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                                  • DeleteDC.GDI32(00000000), ref: 004598F8
                                  • _wcslen.LIBCMT ref: 00459916
                                  • _wcscpy.LIBCMT ref: 0045993A
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                                  • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                                  • GetDC.USER32(00000000), ref: 004599FC
                                  • SelectObject.GDI32(00000000,?), ref: 00459A0C
                                  • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                                  • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                                  Similarity
                                  • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                  • String ID: $AutoIt v3$DISPLAY$static
                                  • API String ID: 4040870279-2373415609
                                  APIs
                                  • GetSysColor.USER32(00000012), ref: 0044181E
                                  • SetTextColor.GDI32(?,?), ref: 00441826
                                  • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                                  • GetSysColor.USER32(0000000F), ref: 00441849
                                  • SetBkColor.GDI32(?,?), ref: 00441864
                                  • SelectObject.GDI32(?,?), ref: 00441874
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                                  • GetSysColor.USER32(00000010), ref: 004418B2
                                  • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                                  • FrameRect.USER32(?,?,00000000), ref: 004418CA
                                  • DeleteObject.GDI32(?), ref: 004418D5
                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                                  • FillRect.USER32(?,?,?), ref: 00441970
                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                    • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                    • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                    • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                    • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                    • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                    • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                    • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                    • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                    • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                    • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                    • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                  Similarity
                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                  • API String ID: 69173610-0
                                  APIs
                                  • DestroyWindow.USER32(?), ref: 004590F2
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                                  • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                                  • GetClientRect.USER32(00000000,?), ref: 0045924E
                                  • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                                  • GetStockObject.GDI32(00000011), ref: 004592AC
                                  • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                                  • DeleteDC.GDI32(00000000), ref: 004592D6
                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                                  • GetStockObject.GDI32(00000011), ref: 004593D3
                                  • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                                  • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                                  Similarity
                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                  • API String ID: 2910397461-517079104
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                  • API String ID: 1038674560-3360698832
                                  APIs
                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                                  • SetCursor.USER32(00000000), ref: 0043075B
                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                                  • SetCursor.USER32(00000000), ref: 00430773
                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                                  • SetCursor.USER32(00000000), ref: 0043078B
                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                                  • SetCursor.USER32(00000000), ref: 004307A3
                                  • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                                  • SetCursor.USER32(00000000), ref: 004307BB
                                  • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                                  • SetCursor.USER32(00000000), ref: 004307D3
                                  • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                                  • SetCursor.USER32(00000000), ref: 004307EB
                                  • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                                  • SetCursor.USER32(00000000), ref: 00430803
                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                                  • SetCursor.USER32(00000000), ref: 0043081B
                                  • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                                  • SetCursor.USER32(00000000), ref: 00430833
                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                                  • SetCursor.USER32(00000000), ref: 0043084B
                                  • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                                  • SetCursor.USER32(00000000), ref: 00430863
                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                                  • SetCursor.USER32(00000000), ref: 0043087B
                                  • SetCursor.USER32(00000000), ref: 00430887
                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                                  • SetCursor.USER32(00000000), ref: 0043089F
                                  Similarity
                                  • API ID: Cursor$Load
                                  • API String ID: 1675784387-0
                                  APIs
                                  • GetSysColor.USER32(0000000E), ref: 00430913
                                  • SetTextColor.GDI32(?,00000000), ref: 0043091B
                                  • GetSysColor.USER32(00000012), ref: 00430933
                                  • SetTextColor.GDI32(?,?), ref: 0043093B
                                  • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                  • GetSysColor.USER32(0000000F), ref: 00430959
                                  • CreateSolidBrush.GDI32(?), ref: 00430962
                                  • GetSysColor.USER32(00000011), ref: 00430979
                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                  • SelectObject.GDI32(?,00000000), ref: 0043099C
                                  • SetBkColor.GDI32(?,?), ref: 004309A6
                                  • SelectObject.GDI32(?,?), ref: 004309B4
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                                  • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                                  • DrawFocusRect.USER32(?,?), ref: 00430A91
                                  • GetSysColor.USER32(00000011), ref: 00430A9F
                                  • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                                  • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                                  • SelectObject.GDI32(?,?), ref: 00430AD0
                                  • DeleteObject.GDI32(00000105), ref: 00430ADC
                                  • SelectObject.GDI32(?,?), ref: 00430AE3
                                  • DeleteObject.GDI32(?), ref: 00430AE9
                                  • SetTextColor.GDI32(?,?), ref: 00430AF0
                                  • SetBkColor.GDI32(?,?), ref: 00430AFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                  • String ID:
                                  • API String ID: 1582027408-0
                                  • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                  • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                                  • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                                  • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                                  APIs
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CloseConnectCreateRegistry
                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                  • API String ID: 3217815495-966354055
                                  • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                  • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                                  • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                                  • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004566AE
                                  • GetDesktopWindow.USER32 ref: 004566C3
                                  • GetWindowRect.USER32(00000000), ref: 004566CA
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                                  • DestroyWindow.USER32(?), ref: 00456746
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                                  • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                                  • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                                  • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                                  • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                                  • IsWindowVisible.USER32(?), ref: 0045682C
                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                                  • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                                  • GetWindowRect.USER32(?,?), ref: 00456873
                                  • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                                  • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                                  • CopyRect.USER32(?,?), ref: 004568BE
                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                  • String ID: ($,$tooltips_class32
                                  • API String ID: 225202481-3320066284
                                  • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                  • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                                  • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                                  • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetWindowRect.USER32(?,?), ref: 00471CF7
                                  • GetClientRect.USER32(?,?), ref: 00471D05
                                  • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                                  • GetSystemMetrics.USER32(00000008), ref: 00471D20
                                  • GetSystemMetrics.USER32(00000004), ref: 00471D42
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                                  • GetSystemMetrics.USER32(00000007), ref: 00471D79
                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                                  • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                                  • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                                  • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                                  • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                                  • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                                  • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                                  • GetClientRect.USER32(?,?), ref: 00471E8A
                                  • GetStockObject.GDI32(00000011), ref: 00471EA6
                                  • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                                  • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                                  • String ID: @$AutoIt v3 GUI
                                  • API String ID: 867697134-3359773793
                                  • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                  • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                                  • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                                  • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                  • API String ID: 1503153545-1459072770
                                  • Opcode ID: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                  • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                                  • Opcode Fuzzy Hash: 76acf26b61918e0ebafe3e9c460c5efedcc98b6992261bc6c4f6588f91b2aee1
                                  • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$__wcsnicmp
                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                                  • API String ID: 790654849-32604322
                                  • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                  • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                                  • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                                  • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                  • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                                  • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                                  • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                                  APIs
                                    • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                                  • _fseek.LIBCMT ref: 00452B3B
                                  • __wsplitpath.LIBCMT ref: 00452B9B
                                  • _wcscpy.LIBCMT ref: 00452BB0
                                  • _wcscat.LIBCMT ref: 00452BC5
                                  • __wsplitpath.LIBCMT ref: 00452BEF
                                  • _wcscat.LIBCMT ref: 00452C07
                                  • _wcscat.LIBCMT ref: 00452C1C
                                  • __fread_nolock.LIBCMT ref: 00452C53
                                  • __fread_nolock.LIBCMT ref: 00452C64
                                  • __fread_nolock.LIBCMT ref: 00452C83
                                  • __fread_nolock.LIBCMT ref: 00452C94
                                  • __fread_nolock.LIBCMT ref: 00452CB5
                                  • __fread_nolock.LIBCMT ref: 00452CC6
                                  • __fread_nolock.LIBCMT ref: 00452CD7
                                  • __fread_nolock.LIBCMT ref: 00452CE8
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                    • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                    • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                                  • __fread_nolock.LIBCMT ref: 00452D78
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                  • String ID:
                                  • API String ID: 2054058615-0
                                  • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                  • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                                  • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                                  • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                                  APIs
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Window
                                  • String ID: 0
                                  • API String ID: 2353593579-4108050209
                                  • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                  • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                                  • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                                  • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                                  APIs
                                  • GetSysColor.USER32(0000000F), ref: 0044A05E
                                  • GetClientRect.USER32(?,?), ref: 0044A0D1
                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                                  • GetWindowDC.USER32(?), ref: 0044A0F6
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                                  • ReleaseDC.USER32(?,?), ref: 0044A11B
                                  • GetSysColor.USER32(0000000F), ref: 0044A131
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                                  • GetSysColor.USER32(0000000F), ref: 0044A14F
                                  • GetSysColor.USER32(00000005), ref: 0044A15B
                                  • GetWindowDC.USER32(?), ref: 0044A1BE
                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                                  • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                                  • ReleaseDC.USER32(?,00000000), ref: 0044A229
                                  • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                                  • GetSysColor.USER32(00000008), ref: 0044A265
                                  • SetTextColor.GDI32(?,00000000), ref: 0044A270
                                  • SetBkMode.GDI32(?,00000001), ref: 0044A282
                                  • GetStockObject.GDI32(00000005), ref: 0044A28A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                  • String ID:
                                  • API String ID: 1744303182-0
                                  • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                  • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                                  • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                                  • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                                  APIs
                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                                  • __mtterm.LIBCMT ref: 00417C34
                                    • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                    • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                    • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                                  • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                                  • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                                  • __init_pointers.LIBCMT ref: 00417CE6
                                  • __calloc_crt.LIBCMT ref: 00417D54
                                  • GetCurrentThreadId.KERNEL32 ref: 00417D80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                  • API String ID: 4163708885-3819984048
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: >>>AUTOIT SCRIPT<<<$\
                                  • API String ID: 0-1896584978
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 0046EE79
                                  • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 0046F265
                                  • IsWindow.USER32(?), ref: 0046F29A
                                  • GetDesktopWindow.USER32 ref: 0046F356
                                  • EnumChildWindows.USER32(00000000), ref: 0046F35D
                                  • EnumWindows.USER32(0046130D,?), ref: 0046F365
                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
                                  • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                  • API String ID: 329138477-1919597938
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __wcsicoll$IconLoad
                                  • String ID: blank$info$question$stop$warning
                                  • API String ID: 2485277191-404129466
                                  APIs
                                  • LoadIconW.USER32(?,00000063), ref: 0045464C
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                                  • SetWindowTextW.USER32(?,?), ref: 00454678
                                  • GetDlgItem.USER32(?,000003EA), ref: 00454690
                                  • SetWindowTextW.USER32(00000000,?), ref: 00454697
                                  • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                                  • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                                  • GetWindowRect.USER32(?,?), ref: 004546F5
                                  • SetWindowTextW.USER32(?,?), ref: 00454765
                                  • GetDesktopWindow.USER32 ref: 0045476F
                                  • GetWindowRect.USER32(00000000), ref: 00454776
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                                  • GetClientRect.USER32(?,?), ref: 004547D2
                                  • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                                  • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                  • String ID:
                                  • API String ID: 3869813825-0
                                  APIs
                                  • _wcslen.LIBCMT ref: 00464B28
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                                  • _wcslen.LIBCMT ref: 00464C28
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                                  • _wcslen.LIBCMT ref: 00464CBA
                                  • _wcslen.LIBCMT ref: 00464CD0
                                  • _wcslen.LIBCMT ref: 00464CEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: _wcslen$Directory$CurrentSystem
                                  • String ID: D
                                  • API String ID: 1914653954-2746444292
                                  APIs
                                  • _wcsncpy.LIBCMT ref: 0045CE39
                                  • __wsplitpath.LIBCMT ref: 0045CE78
                                  • _wcscat.LIBCMT ref: 0045CE8B
                                  • _wcscat.LIBCMT ref: 0045CE9E
                                  • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                                  • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                                  • _wcscpy.LIBCMT ref: 0045CF61
                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                  • String ID: *.*
                                  • API String ID: 1153243558-438819550
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __wcsicoll
                                  • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                  • API String ID: 3832890014-4202584635
                                  APIs
                                  • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                                  • GetFocus.USER32 ref: 0046A0DD
                                  • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: MessagePost$CtrlFocus
                                  • String ID: 0
                                  • API String ID: 1534620443-4108050209
                                  APIs
                                  • DestroyWindow.USER32(?), ref: 004558E3
                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Window$CreateDestroy
                                  • String ID: ,$tooltips_class32
                                  • API String ID: 1109047481-3856767331
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                                  • GetMenuItemCount.USER32(?), ref: 00468C45
                                  • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                                  • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                                  • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                                  • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                                  • GetMenuItemCount.USER32 ref: 00468CFD
                                  • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                                  • GetCursorPos.USER32(?), ref: 00468D3F
                                  • SetForegroundWindow.USER32(?), ref: 00468D49
                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                                  • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                  • String ID: 0
                                  • API String ID: 1441871840-4108050209
                                  • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                  • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                                  • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                                  • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                                  • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                                  • __swprintf.LIBCMT ref: 00460915
                                  • __swprintf.LIBCMT ref: 0046092D
                                  • _wprintf.LIBCMT ref: 004609E1
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                  • API String ID: 3631882475-2268648507
                                  • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                  • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                                  • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                                  • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                                  • _wcslen.LIBCMT ref: 00461683
                                  • __swprintf.LIBCMT ref: 00461721
                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                                  • GetDlgCtrlID.USER32(?), ref: 00461869
                                  • GetWindowRect.USER32(?,?), ref: 004618A4
                                  • GetParent.USER32(?), ref: 004618C3
                                  • ScreenToClient.USER32(00000000), ref: 004618CA
                                  • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                  • String ID: %s%u
                                  • API String ID: 1899580136-679674701
                                  • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                  • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                                  • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                                  • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                                  • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                                  • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: InfoItemMenu$Sleep
                                  • String ID: 0
                                  • API String ID: 1196289194-4108050209
                                  • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                  • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                                  • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                                  • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                                  APIs
                                  • GetDC.USER32(00000000), ref: 0043143E
                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                                  • SelectObject.GDI32(00000000,?), ref: 00431466
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                                  • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                  • String ID: (
                                  • API String ID: 3300687185-3887548279
                                  • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                  • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                                  • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                                  • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                                  APIs
                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                  • GetDriveTypeW.KERNEL32 ref: 0045DB32
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                  • API String ID: 1976180769-4113822522
                                  • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                  • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                                  • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                                  • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                                  • String ID:
                                  • API String ID: 461458858-0
                                  • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                  • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                                  • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                                  • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                                  • GlobalLock.KERNEL32(00000000), ref: 004300F6
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                                  • CloseHandle.KERNEL32(00000000), ref: 00430113
                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                                  • GlobalFree.KERNEL32(00000000), ref: 00430150
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                                  • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                                  • DeleteObject.GDI32(?), ref: 004301D0
                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                  • String ID:
                                  • API String ID: 3969911579-0
                                  • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                  • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                                  • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                                  • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                  • String ID: 0.0.0.0
                                  • API String ID: 1965227024-3771769585
                                  • Opcode ID: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                  • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                                  • Opcode Fuzzy Hash: fae7ff6cb08d49b7abbddf1c7acdf758c3bbd000e7fec019eac0b45bea4aa72c
                                  • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: SendString$_memmove_wcslen
                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                  • API String ID: 369157077-1007645807
                                  • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                  • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                                  • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                                  • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                                  APIs
                                  • GetParent.USER32 ref: 00445BF8
                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                                  • __wcsicoll.LIBCMT ref: 00445C33
                                  • __wcsicoll.LIBCMT ref: 00445C4F
                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __wcsicoll$ClassMessageNameParentSend
                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                  • API String ID: 3125838495-3381328864
                                  • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                  • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                                  • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                                  • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                                  APIs
                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                                  • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                                  • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                                  • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                                  • SendMessageW.USER32(?,00000402,?), ref: 00449399
                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$CharNext
                                  • String ID:
                                  • API String ID: 1350042424-0
                                  • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                  • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                                  • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                                  • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                                  APIs
                                    • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                    • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                                  • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                                  • _wcscpy.LIBCMT ref: 004787E5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                  • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                                  • API String ID: 3052893215-2127371420
                                  • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                  • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                                  • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                                  • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                                  • __swprintf.LIBCMT ref: 0045E7F7
                                  • _wprintf.LIBCMT ref: 0045E8B3
                                  • _wprintf.LIBCMT ref: 0045E8D7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2295938435-2354261254
                                  • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                  • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                                  • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                                  • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __swprintf_wcscpy$__i64tow__itow
                                  • String ID: %.15g$0x%p$False$True
                                  • API String ID: 3038501623-2263619337
                                  • Opcode ID: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                  • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                                  • Opcode Fuzzy Hash: dbd07ee36d68efbdb82b47f6bbdb5a558a403895529f1bd62c5843a789ef215e
                                  • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                                  APIs
                                  • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                                  • __swprintf.LIBCMT ref: 0045E5F6
                                  • _wprintf.LIBCMT ref: 0045E6A3
                                  • _wprintf.LIBCMT ref: 0045E6C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                  • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                  • API String ID: 2295938435-8599901
                                  • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                  • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                                  • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                                  • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                                  APIs
                                  • timeGetTime.WINMM ref: 00443B67
                                    • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                                  • Sleep.KERNEL32(0000000A), ref: 00443B9F
                                  • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00443BC8
                                  • SetActiveWindow.USER32(?), ref: 00443BEC
                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00443C22
                                  • Sleep.KERNEL32(000000FA), ref: 00443C2D
                                  • IsWindow.USER32(?), ref: 00443C3A
                                  • EndDialog.USER32(?,00000000), ref: 00443C4C
                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                  • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                                  • String ID: BUTTON
                                  • API String ID: 1834419854-3405671355
                                  • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                  • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                                  • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                                  • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                                  • LoadStringW.USER32(00000000), ref: 00454040
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • _wprintf.LIBCMT ref: 00454074
                                  • __swprintf.LIBCMT ref: 004540A3
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                  • API String ID: 455036304-4153970271
                                  • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                  • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                                  • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                                  • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                                  APIs
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                                  • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                                  • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                                  • _memmove.LIBCMT ref: 00467EB8
                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                                  • _memmove.LIBCMT ref: 00467F6C
                                  • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                                  • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                                  • String ID:
                                  • API String ID: 2170234536-0
                                  • Opcode ID: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                  • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                                  • Opcode Fuzzy Hash: aa00afaeb95d016149156b33273ce501c4b0800cd775f7336c4c4d99d01e60ec
                                  • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 00453CE0
                                  • SetKeyboardState.USER32(?), ref: 00453D3B
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                                  • GetKeyState.USER32(000000A0), ref: 00453D75
                                  • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                                  • GetKeyState.USER32(000000A1), ref: 00453DB5
                                  • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                                  • GetKeyState.USER32(00000011), ref: 00453DEF
                                  • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                                  • GetKeyState.USER32(00000012), ref: 00453E26
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                                  • GetKeyState.USER32(0000005B), ref: 00453E5D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                  • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                                  • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                                  • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                                  APIs
                                  • GetDlgItem.USER32(?,00000001), ref: 004357DB
                                  • GetWindowRect.USER32(00000000,?), ref: 004357ED
                                  • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                                  • GetDlgItem.USER32(?,00000002), ref: 0043586A
                                  • GetWindowRect.USER32(00000000,?), ref: 0043587C
                                  • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                                  • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                                  • GetWindowRect.USER32(00000000,?), ref: 004358EE
                                  • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                                  • GetDlgItem.USER32(?,000003EA), ref: 00435941
                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Window$ItemMoveRect$Invalidate
                                  • String ID:
                                  • API String ID: 3096461208-0
                                  • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                  • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                                  • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                                  • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                  • String ID:
                                  • API String ID: 136442275-0
                                  APIs
                                  • _wcsncpy.LIBCMT ref: 00467490
                                  • _wcsncpy.LIBCMT ref: 004674BC
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • _wcstok.LIBCMT ref: 004674FF
                                    • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                                  • _wcstok.LIBCMT ref: 004675B2
                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                                  • _wcslen.LIBCMT ref: 00467793
                                  • _wcscpy.LIBCMT ref: 00467641
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • _wcslen.LIBCMT ref: 004677BD
                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                    • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                                  Similarity
                                  • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                  • String ID: X
                                  • API String ID: 3104067586-3081909835
                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 0046CBC7
                                  • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                                  • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                                  • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                                  • _wcslen.LIBCMT ref: 0046CDB0
                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                                  • CoTaskMemFree.OLE32(?), ref: 0046CE42
                                  • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                    • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                    • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                    • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                                  Strings
                                  • NULL Pointer assignment, xrefs: 0046CEA6
                                  Similarity
                                  • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                                  • String ID: NULL Pointer assignment
                                  • API String ID: 440038798-2785691316
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                                  • _wcslen.LIBCMT ref: 004610A3
                                  • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                                  • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                                  • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                                  • GetWindowRect.USER32(?,?), ref: 00461248
                                    • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                                  Similarity
                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                                  • String ID: ThumbnailClass
                                  • API String ID: 4136854206-1241985126
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                                  • CLSIDFromString.OLE32(?,?), ref: 004587B3
                                  • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                                  • RegCloseKey.ADVAPI32(?), ref: 004587C5
                                  Similarity
                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                  • API String ID: 600699880-22481851
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID: static
                                  • API String ID: 3375834691-2160076837
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                                  • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                                  Similarity
                                  • API ID: ErrorMode$DriveType
                                  • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                                  • API String ID: 2907320926-3566645568
                                  APIs
                                    • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                                  • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                                  • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                                  • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                                  • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                                  • DeleteObject.GDI32(?), ref: 00470A04
                                  • DestroyIcon.USER32(?), ref: 00470A1C
                                  • DeleteObject.GDI32(?), ref: 00470A34
                                  • DestroyWindow.USER32(?), ref: 00470A4C
                                  • DestroyIcon.USER32(?), ref: 00470A73
                                  • DestroyIcon.USER32(?), ref: 00470A81
                                  • KillTimer.USER32(00000000,00000000), ref: 00470B00
                                  Similarity
                                  • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                                  • String ID:
                                  • API String ID: 1237572874-0
                                  APIs
                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                                  • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                                  • VariantInit.OLEAUT32(?), ref: 004793E1
                                  • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                                  • VariantCopy.OLEAUT32(?,?), ref: 00479461
                                  • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                                  • VariantClear.OLEAUT32(?), ref: 00479489
                                  • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                                  • VariantClear.OLEAUT32(?), ref: 004794CA
                                  • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                                  Similarity
                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                  • String ID:
                                  • API String ID: 2706829360-0
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044480E
                                  • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                                  • GetKeyState.USER32(000000A0), ref: 004448AA
                                  • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                                  • GetKeyState.USER32(000000A1), ref: 004448D9
                                  • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                                  • GetKeyState.USER32(00000011), ref: 00444903
                                  • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                                  • GetKeyState.USER32(00000012), ref: 0044492D
                                  • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                                  • GetKeyState.USER32(0000005B), ref: 00444958
                                  Similarity
                                  • API ID: State$Async$Keyboard
                                  • String ID:
                                  • API String ID: 541375521-0
                                  Similarity
                                  • API ID: InitVariant$_malloc_wcscpy_wcslen
                                  • String ID:
                                  • API String ID: 3413494760-0
                                  • Opcode ID: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                  • Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
                                  • Opcode Fuzzy Hash: b3fce9f732112990bbb163bb6abadbd830b92813f31b22ad1e38064008f16c53
                                  • Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: '$DEFINE$\$`$h$h
                                  • API String ID: 909875538-3708680428
                                  • Opcode ID: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                                  • Instruction ID: 816ce89e9d314c50cae2ff635e2dae77420ade2a81b985ada7b38a9c48760da0
                                  • Opcode Fuzzy Hash: c0119b86fdbff93204f49aa9905b13b9b84c98abe9b4d8f4a229c1acd795ed82
                                  • Instruction Fuzzy Hash: C502B470A042498FEF14CF69C9906AEBBF2FF85304F2481AED8459B341D7399946CB55
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressProc_free_malloc$_strcat_strlen
                                  • String ID: AU3_FreeVar
                                  • API String ID: 2634073740-771828931
                                  • Opcode ID: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                  • Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
                                  • Opcode Fuzzy Hash: b7b62cf44ead268743cea15c23fa0702c80810b5d7796ec40f0430e9877b9643
                                  • Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94
                                  APIs
                                  • CoInitialize.OLE32 ref: 0046C63A
                                  • CoUninitialize.OLE32 ref: 0046C645
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                    • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                                  • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                                  • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                                  • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                                  • IIDFromString.OLE32(?,?), ref: 0046C705
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                  • API String ID: 2294789929-1287834457
                                  • Opcode ID: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                  • Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
                                  • Opcode Fuzzy Hash: 4dfaed0549f409efa28524cf643488acd2e6b782f2d71f2a42dfc1cbbaa944b5
                                  • Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA
                                  APIs
                                    • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                    • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                    • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                                  • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                                  • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                                  • ImageList_EndDrag.COMCTL32 ref: 00471169
                                  • ReleaseCapture.USER32 ref: 0047116F
                                  • SetWindowTextW.USER32(?,00000000), ref: 00471206
                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                  • API String ID: 2483343779-2107944366
                                  • Opcode ID: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                  • Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
                                  • Opcode Fuzzy Hash: 0c0f1ff16893fa866466cf5bd33a163e2c592d09522a7afef5934b76f638d362
                                  • Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA
                                  APIs
                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                                  • _wcslen.LIBCMT ref: 00450720
                                  • _wcscat.LIBCMT ref: 00450733
                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                                  • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window_wcscat_wcslen
                                  • String ID: -----$SysListView32
                                  • API String ID: 4008455318-3975388722
                                  • Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                  • Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
                                  • Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
                                  • Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58
                                  APIs
                                  • EnumProcesses.PSAPI(?,00000800,?,?,00443D49,?,?,?,004A8178), ref: 00433DBB
                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,004A8178), ref: 00433E19
                                  • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00433E2C
                                  • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104), ref: 00433E43
                                  • __wsplitpath.LIBCMT ref: 00433E6D
                                  • _wcscat.LIBCMT ref: 00433E80
                                  • __wcsicoll.LIBCMT ref: 00433E90
                                  • CloseHandle.KERNEL32(00000000), ref: 00433EC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
                                  • String ID: I=D
                                  • API String ID: 2903788889-2605949546
                                  • Opcode ID: e2a61d30099513a4b86aa9445ff639564bac9cad2a304c62a227ff9d1443cd16
                                  • Instruction ID: 36098e5712afd53b5e3c4de91d69c0015cf2cbbc5c01d2287a97767e02e0faf1
                                  • Opcode Fuzzy Hash: e2a61d30099513a4b86aa9445ff639564bac9cad2a304c62a227ff9d1443cd16
                                  • Instruction Fuzzy Hash: 05319376600108AFDB11CFA4CD85EEF73B9AF8C701F10419AFA0987250DB75AB85CBA4
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                                  • GetParent.USER32 ref: 00469C98
                                  • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                                  • GetParent.USER32 ref: 00469CBC
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 2360848162-1403004172
                                  • Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                  • Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
                                  • Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
                                  • Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469E71
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469E82
                                  • GetParent.USER32 ref: 00469E96
                                  • SendMessageW.USER32(00000000,?,00000111), ref: 00469E9D
                                  • GetDlgCtrlID.USER32(00000000), ref: 00469EA3
                                  • GetParent.USER32 ref: 00469EBA
                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469EC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$CtrlParent$_memmove_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 2360848162-1403004172
                                  • Opcode ID: 986fe2d2ad3502a89dd9d9f189f0f45c93be64f12821e5ba271ad6af13960510
                                  • Instruction ID: 3a0c9dd1fa5fd4c1d1a647422213a645dfa1e4764d365342f395b6f430504e68
                                  • Opcode Fuzzy Hash: 986fe2d2ad3502a89dd9d9f189f0f45c93be64f12821e5ba271ad6af13960510
                                  • Instruction Fuzzy Hash: D121F7716001187BDB00ABA9CC85BBF77ACEB85310F00855FFA44EB2D5D6B8DC4587A5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                                  • String ID:
                                  • API String ID: 262282135-0
                                  • Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                  • Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
                                  • Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
                                  • Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64
                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                                  • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                                  • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                                  • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                                  • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                                  • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$LongWindow
                                  • String ID:
                                  • API String ID: 312131281-0
                                  • Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                  • Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
                                  • Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
                                  • Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54
                                  APIs
                                    • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                  • SendMessageW.USER32(753E23D0,00001001,00000000,?), ref: 00448E16
                                  • SendMessageW.USER32(753E23D0,00001026,00000000,?), ref: 00448E25
                                    • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                  • String ID:
                                  • API String ID: 3771399671-0
                                  • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                  • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                                  • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                                  • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00434643
                                  • GetForegroundWindow.USER32(00000000), ref: 00434655
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                  • String ID:
                                  • API String ID: 2156557900-0
                                  • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                  • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                                  • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                                  • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                  • API String ID: 0-1603158881
                                  • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                  • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                                  • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                                  • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                                  APIs
                                  • CreateMenu.USER32 ref: 00448603
                                  • SetMenu.USER32(?,00000000), ref: 00448613
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                                  • IsMenu.USER32(?), ref: 004486AB
                                  • CreatePopupMenu.USER32 ref: 004486B5
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                                  • DrawMenuBar.USER32 ref: 004486F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                  • String ID: 0
                                  • API String ID: 161812096-4108050209
                                  • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                  • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                                  • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                                  • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                  • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                                  • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                                  • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                  • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                                  • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                                  • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                                  • MoveFileW.KERNEL32(?,?), ref: 00453932
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                  • String ID:
                                  • API String ID: 978794511-0
                                  • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                  • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                                  • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                                  • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                  • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                                  • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                                  • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                                  APIs
                                    • Part of subcall function 00445AA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00445AC7
                                    • Part of subcall function 00445AA7: GetCurrentThreadId.KERNEL32 ref: 00445ACE
                                    • Part of subcall function 00445AA7: AttachThreadInput.USER32(00000000), ref: 00445AD5
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445E6F
                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445E88
                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445E96
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445E9C
                                  • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445EBD
                                  • Sleep.KERNEL32(00000000), ref: 00445ECB
                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445ED1
                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445EE6
                                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445EEE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                  • String ID:
                                  • API String ID: 2014098862-0
                                  • Opcode ID: 5ca03ddf5c5627d7609a553b695717aade5f72ce3845e2189486292beca2fa90
                                  • Instruction ID: 3cb45b36699f005c3339592b7719367c9fd6f04972b18b3a4454280c1561912d
                                  • Opcode Fuzzy Hash: 5ca03ddf5c5627d7609a553b695717aade5f72ce3845e2189486292beca2fa90
                                  • Instruction Fuzzy Hash: 44115671390300BBF6209B959D8AF5A775DEB98B11F20490DFB80AB1C1C5F5A4418B7C
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ClearVariant
                                  • String ID:
                                  • API String ID: 1473721057-0
                                  • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                  • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                                  • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                                  • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove$_memcmp
                                  • String ID: '$\$h
                                  • API String ID: 2205784470-1303700344
                                  • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                  • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                                  • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                                  • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                                  APIs
                                  • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                                  • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                                  • VariantClear.OLEAUT32 ref: 0045EA6D
                                  • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                                  • __swprintf.LIBCMT ref: 0045EC33
                                  • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                                  Strings
                                  • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Variant$InitTime$ClearCopySystem__swprintf
                                  • String ID: %4d%02d%02d%02d%02d%02d
                                  • API String ID: 2441338619-1568723262
                                  • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                  • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                                  • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                                  • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                                  APIs
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                                  • Sleep.KERNEL32(0000000A), ref: 0042C67F
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                  • String ID: @COM_EVENTOBJ
                                  • API String ID: 327565842-2228938565
                                  • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                  • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                                  • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                                  • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                                  APIs
                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                                  • DestroyWindow.USER32(?), ref: 00426F50
                                  • UnregisterHotKey.USER32(?), ref: 00426F77
                                  • FreeLibrary.KERNEL32(?), ref: 0042701F
                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                  • String ID: close all
                                  • API String ID: 4174999648-3243417748
                                  • Opcode ID: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                  • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                                  • Opcode Fuzzy Hash: 4fd900de9a28da208b58a3ba22ecdd4c26f042792ef41b4fe823b5ed5eb78ac9
                                  • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                                  APIs
                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                  • String ID:
                                  • API String ID: 1291720006-3916222277
                                  • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                  • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                                  • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                                  • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                                  • IsMenu.USER32(?), ref: 0045FC5F
                                  • CreatePopupMenu.USER32 ref: 0045FC97
                                  • GetMenuItemCount.USER32(?), ref: 0045FCFD
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                                  • String ID: 0$2
                                  • API String ID: 93392585-3793063076
                                  • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                  • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                                  • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                                  • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                                  APIs
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                                  • VariantClear.OLEAUT32(?), ref: 00435320
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                                  • VariantClear.OLEAUT32(?), ref: 004353B3
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                  • String ID: crts
                                  • API String ID: 586820018-3724388283
                                  • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                  • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                                  • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                                  • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                                  APIs
                                    • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,004A7F6C,0040F545,004A7F6C,004A90E8,004A7F6C,?,0040F545), ref: 0041013C
                                  • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                                  • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                                  • _wcscat.LIBCMT ref: 0044BCAF
                                  • _wcslen.LIBCMT ref: 0044BCBB
                                  • _wcslen.LIBCMT ref: 0044BCD1
                                  • SHFileOperationW.SHELL32(?), ref: 0044BD17
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                  • String ID: \*.*
                                  • API String ID: 2326526234-1173974218
                                  • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                  • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                                  • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                                  • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                                  APIs
                                    • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                                  • _wcslen.LIBCMT ref: 004335F2
                                  • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                                  • GetLastError.KERNEL32 ref: 0043362B
                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                                  • _wcsrchr.LIBCMT ref: 00433666
                                    • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                  • String ID: \
                                  • API String ID: 321622961-2967466578
                                  • Opcode ID: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                  • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                                  • Opcode Fuzzy Hash: bb0dad1fe383a450cc5ca78da39c882eba2540a6c71c70dd25c8590f96c38e52
                                  • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __wcsnicmp
                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                  • API String ID: 1038674560-2734436370
                                  • Opcode ID: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                  • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                                  • Opcode Fuzzy Hash: 8f8f9edfa5db0492502b932a8328ea4ae50c7534afe07431ae24ccbcd5f30aff
                                  • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,004A7F6C), ref: 00434057
                                  • LoadStringW.USER32(00000000), ref: 00434060
                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                                  • LoadStringW.USER32(00000000), ref: 00434078
                                  • _wprintf.LIBCMT ref: 004340A1
                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                                  Strings
                                  • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: HandleLoadModuleString$Message_wprintf
                                  • String ID: %s (%d) : ==> %s: %s %s
                                  • API String ID: 3648134473-3128320259
                                  • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                  • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                                  • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                                  • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                                  APIs
                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                                  • __lock.LIBCMT ref: 00417981
                                    • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                    • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                    • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                                  • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                                  • __lock.LIBCMT ref: 004179A2
                                  • ___addlocaleref.LIBCMT ref: 004179C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                  • String ID: KERNEL32.DLL$pI
                                  • API String ID: 637971194-197072765
                                  • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                  • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                                  • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                                  • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove$_malloc
                                  • String ID:
                                  • API String ID: 1938898002-0
                                  • Opcode ID: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                  • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                                  • Opcode Fuzzy Hash: ed671e0929b530e8a80a3994f14b14e6c4fa5d49d1ff8bec0f484948025a4d18
                                  • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                                  APIs
                                    • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                                  • SendMessageW.USER32(753E23D0,00001001,00000000,?), ref: 00448E16
                                  • SendMessageW.USER32(753E23D0,00001026,00000000,?), ref: 00448E25
                                    • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$BrushCreateDeleteObjectSolid
                                  • String ID:
                                  • API String ID: 3771399671-0
                                  APIs
                                  • SysAllocString.OLEAUT32(00000000), ref: 00434EE8
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00434F0B
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00434F37
                                  • SysAllocString.OLEAUT32(00000000), ref: 00434F3E
                                  • SysAllocString.OLEAUT32(?), ref: 00434F64
                                  • SysFreeString.OLEAUT32(?), ref: 00434F6D
                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00434FA8
                                  • SysAllocString.OLEAUT32(?), ref: 00434FB6
                                  Similarity
                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                  • String ID:
                                  • API String ID: 3761583154-0
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                                  • _memmove.LIBCMT ref: 0044B555
                                  • _memmove.LIBCMT ref: 0044B578
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                                  Similarity
                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                  • String ID:
                                  • API String ID: 2737351978-0
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 0041523A
                                  • __calloc_crt.LIBCMT ref: 00415246
                                  • __getptd.LIBCMT ref: 00415253
                                  • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                                  • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                                  • _free.LIBCMT ref: 0041529E
                                  • __dosmaperr.LIBCMT ref: 004152A9
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Similarity
                                  • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                  • String ID:
                                  • API String ID: 3638380555-0
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 0046C96E
                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                  Similarity
                                  • API ID: Variant$Copy$ClearErrorInitLast
                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                  • API String ID: 3207048006-625585964
                                  APIs
                                  • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                  • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                                  • gethostbyname.WSOCK32(?), ref: 004655A6
                                  • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                                  • _memmove.LIBCMT ref: 004656CA
                                  • GlobalFree.KERNEL32(00000000), ref: 0046575C
                                  • WSACleanup.WSOCK32 ref: 00465762
                                  Similarity
                                  • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                  • String ID:
                                  • API String ID: 2945290962-0
                                  APIs
                                  • GetSystemMetrics.USER32(0000000F), ref: 00440527
                                  • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                                  • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                                  • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                                  Similarity
                                  • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                  • String ID:
                                  • API String ID: 1457242333-0
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                                  Similarity
                                  • API ID: ConnectRegistry_memmove_wcslen
                                  • String ID:
                                  • API String ID: 15295421-0
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                                  • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                                  • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                                  • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                                  • CloseFigure.GDI32(?), ref: 0044751F
                                  • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                                  • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                                  Similarity
                                  • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                  • String ID:
                                  • API String ID: 4082120231-0
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                                  • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                                  • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                                  Similarity
                                  • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                  • String ID:
                                  • API String ID: 2027346449-0
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • GetMenu.USER32 ref: 0047A703
                                  • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                                  • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                                  • _wcslen.LIBCMT ref: 0047A79E
                                  • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                                  • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                                  Similarity
                                  • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                                  • String ID:
                                  • API String ID: 3257027151-0
                                  APIs
                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                                  Similarity
                                  • API ID: ErrorLastselect
                                  • String ID:
                                  • API String ID: 215497628-0
                                  APIs
                                  • GetParent.USER32(?), ref: 0044443B
                                  • GetKeyboardState.USER32(?), ref: 00444450
                                  • SetKeyboardState.USER32(?), ref: 004444A4
                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  APIs
                                  • GetParent.USER32(?), ref: 00444633
                                  • GetKeyboardState.USER32(?), ref: 00444648
                                  • SetKeyboardState.USER32(?), ref: 0044469C
                                  • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                                  • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                                  • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                                  • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$Parent
                                  • String ID:
                                  • API String ID: 87235514-0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: __snwprintf__wcsicoll_wcscpy
                                  • String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                  • API String ID: 1729044348-3025626884
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                                  • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageMoveSend
                                  • String ID:
                                  • API String ID: 896007046-0
                                  APIs
                                  • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                  • SendMessageW.USER32(009A1AF8,000000F1,00000000,00000000), ref: 00440E6E
                                  • SendMessageW.USER32(009A1AF8,000000F1,00000001,00000000), ref: 00440E9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: MessageSend$LongWindow
                                  • String ID:
                                  • API String ID: 312131281-0
                                  APIs
                                  • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                                  • GetFocus.USER32 ref: 00448ACF
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Window$Enable$Show$FocusMessageSend
                                  • String ID:
                                  • API String ID: 3429747543-0
                                  APIs
                                    • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                    • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                    • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                                  • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                                  • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                                  • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                  • String ID:
                                  • API String ID: 3300667738-0
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                                  • __swprintf.LIBCMT ref: 0045D4E9
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume__swprintf
                                  • String ID: %lu$\VH
                                  • API String ID: 3164766367-2432546070
                                  APIs
                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                                  • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                                  • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Msctls_Progress32
                                  • API String ID: 3850602802-3636473452
                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,004A8178), ref: 00433E19
                                  • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00433E2C
                                  • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104), ref: 00433E43
                                  • __wsplitpath.LIBCMT ref: 00433E6D
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • _wcscat.LIBCMT ref: 00433E80
                                  • __wcsicoll.LIBCMT ref: 00433E90
                                  • CloseHandle.KERNEL32(00000000), ref: 00433EC8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Process$BaseCloseEnumHandleModuleModulesNameOpen__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                  • String ID:
                                  • API String ID: 135935984-0
                                  • Opcode ID: b9dd60fc789600814193b10c203562de5ce45e1fa765f6932a0e1556b25623f2
                                  • Instruction ID: 66738fc5919b7c3a3c7c4a311c48fd84e22d6c2a66b6279363cc5d51ef299119
                                  • Opcode Fuzzy Hash: b9dd60fc789600814193b10c203562de5ce45e1fa765f6932a0e1556b25623f2
                                  • Instruction Fuzzy Hash: 832180B6500118AFDB11CF90CD85EEEB379EB8C700F10459AFA0997150DA75AA85CBA4
                                  APIs
                                  • _malloc.LIBCMT ref: 0041F707
                                    • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                    • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                    • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                                  • _free.LIBCMT ref: 0041F71A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AllocateHeap_free_malloc
                                  • String ID: [B
                                  • API String ID: 1020059152-632041663
                                  • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                  • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                                  • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                                  • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                                  • __calloc_crt.LIBCMT ref: 00413DB0
                                  • __getptd.LIBCMT ref: 00413DBD
                                  • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                                  • _free.LIBCMT ref: 00413E07
                                  • __dosmaperr.LIBCMT ref: 00413E12
                                    • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                  • String ID:
                                  • API String ID: 155776804-0
                                  • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                  • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                                  • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                                  • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                                  APIs
                                    • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                    • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                                  • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                  • String ID:
                                  • API String ID: 1957940570-0
                                  • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                  • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                                  • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                                  • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                  • ExitThread.KERNEL32 ref: 00413D4E
                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                  • __freefls@4.LIBCMT ref: 00413D74
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                  • String ID:
                                  • API String ID: 259663610-0
                                  • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                  • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                                  • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                                  • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 004302E6
                                  • GetWindowRect.USER32(00000000,?), ref: 00430316
                                  • GetClientRect.USER32(?,?), ref: 00430364
                                  • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                                  • GetWindowRect.USER32(?,?), ref: 004303C3
                                  • ScreenToClient.USER32(?,?), ref: 004303EC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Rect$Client$Window$MetricsScreenSystem
                                  • String ID:
                                  • API String ID: 3220332590-0
                                  • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                  • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                                  • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                                  • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _malloc_wcslen$_strcat_wcscpy
                                  • String ID:
                                  • API String ID: 1612042205-0
                                  • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                  • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                                  • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                                  • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove_strncmp
                                  • String ID: >$U$\
                                  • API String ID: 2666721431-237099441
                                  • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                  • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                                  • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                                  • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044C570
                                  • SetKeyboardState.USER32(00000080), ref: 0044C594
                                  • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                                  • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                                  • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                                  • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessagePost$KeyboardState$InputSend
                                  • String ID:
                                  • API String ID: 2221674350-0
                                  • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                  • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                                  • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                                  • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcscpy$_wcscat
                                  • String ID:
                                  • API String ID: 2037614760-0
                                  • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                  • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                                  • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                                  • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                  • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                  • VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                  • VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                  • VariantClear.OLEAUT32(?), ref: 00451CA1
                                  • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$AllocClearErrorLastString
                                  • String ID:
                                  • API String ID: 960795272-0
                                  • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                  • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                                  • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                                  • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                                  APIs
                                  • BeginPaint.USER32(00000000,?), ref: 00447BDF
                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                  • EndPaint.USER32(?,?), ref: 00447D13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 4189319755-0
                                  • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                  • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                                  • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                                  • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                                  APIs
                                  • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                                  • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                                  • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                                  • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                                  • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$LongWindow$InvalidateRect
                                  • String ID:
                                  • API String ID: 1976402638-0
                                  APIs
                                  • ShowWindow.USER32(?,00000000), ref: 00440A8A
                                  • EnableWindow.USER32(?,00000000), ref: 00440AAF
                                  • ShowWindow.USER32(?,00000000), ref: 00440B18
                                  • ShowWindow.USER32(?,00000004), ref: 00440B2B
                                  • EnableWindow.USER32(?,00000001), ref: 00440B50
                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                                  Similarity
                                  • API ID: Window$Show$Enable$MessageSend
                                  • String ID:
                                  • API String ID: 642888154-0
                                  Strings
                                  Similarity
                                  • API ID: Variant$Copy$ClearErrorLast
                                  • String ID: NULL Pointer assignment$Not an Object type
                                  • API String ID: 2487901850-572801152
                                  APIs
                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                  Similarity
                                  • API ID: Window$Enable$Show$MessageSend
                                  • String ID:
                                  • API String ID: 1871949834-0
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • _wcslen.LIBCMT ref: 004438CD
                                  • _wcslen.LIBCMT ref: 004438E6
                                  • _wcstok.LIBCMT ref: 004438F8
                                  • _wcslen.LIBCMT ref: 0044390C
                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                                  • _wcstok.LIBCMT ref: 00443931
                                  Similarity
                                  • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                                  • String ID:
                                  • API String ID: 3632110297-0
                                  APIs
                                  • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                                  Similarity
                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                  • String ID:
                                  • API String ID: 2833360925-0
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                                  • LineTo.GDI32(?,?,?), ref: 004472AC
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                                  • LineTo.GDI32(?,?,?), ref: 004472C6
                                  • EndPath.GDI32(?), ref: 004472D6
                                  • StrokePath.GDI32(?), ref: 004472E4
                                  Similarity
                                  • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                  • String ID:
                                  • API String ID: 372113273-0
                                  APIs
                                  • GetDC.USER32(00000000), ref: 0044CC6D
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                                  Similarity
                                  • API ID: CapsDevice$Release
                                  • String ID:
                                  • API String ID: 1035833867-0
                                  APIs
                                  • __getptd.LIBCMT ref: 0041708E
                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                  • __amsg_exit.LIBCMT ref: 004170AE
                                  • __lock.LIBCMT ref: 004170BE
                                  • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                                  • _free.LIBCMT ref: 004170EE
                                  • InterlockedIncrement.KERNEL32(009A2CB8), ref: 00417106
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                  • String ID:
                                  • API String ID: 3470314060-0
                                  APIs
                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                                  • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                    • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                                  Similarity
                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                  • String ID:
                                  • API String ID: 3495660284-0
                                  APIs
                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                                  Similarity
                                  • API ID: Virtual
                                  • String ID:
                                  • API String ID: 4278518827-0
                                  • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                  • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                                  • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                                  • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                                  APIs
                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                  • ExitThread.KERNEL32 ref: 004151ED
                                  • __freefls@4.LIBCMT ref: 00415209
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                  • String ID:
                                  • API String ID: 442100245-0
                                  • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                  • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                                  • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                                  • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                                  • _wcslen.LIBCMT ref: 0045F94A
                                  • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                                  • String ID: 0
                                  • API String ID: 621800784-4108050209
                                  • Opcode ID: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                  • Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
                                  • Opcode Fuzzy Hash: ba56779765e6f71d67f6246429d0af9e67b9def047912433c0c15b7e926c8fa5
                                  • Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SetErrorMode.KERNEL32 ref: 004781CE
                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                    • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                                  • SetErrorMode.KERNEL32(?), ref: 00478270
                                  • SetErrorMode.KERNEL32(?), ref: 00478340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                  • String ID: \VH
                                  • API String ID: 3884216118-234962358
                                  • Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                  • Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
                                  • Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
                                  • Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96
                                  APIs
                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                                  • IsMenu.USER32(?), ref: 0044854D
                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                                  • DrawMenuBar.USER32 ref: 004485AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Menu$Item$DrawInfoInsert
                                  • String ID: 0
                                  • API String ID: 3076010158-4108050209
                                  • Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                  • Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
                                  • Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
                                  • Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                                  • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$_memmove_wcslen
                                  • String ID: ComboBox$ListBox
                                  • API String ID: 1589278365-1403004172
                                  • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                  • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                                  • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                                  • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Handle
                                  • String ID: nul
                                  • API String ID: 2519475695-2873401336
                                  • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                  • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                                  • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                                  • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Handle
                                  • String ID: nul
                                  • API String ID: 2519475695-2873401336
                                  • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                  • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                                  • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                                  • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: SysAnimate32
                                  • API String ID: 0-1011021900
                                  • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                  • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                                  • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                                  • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                                  APIs
                                    • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                    • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                    • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                    • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                    • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                    • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                                  • GetFocus.USER32 ref: 0046157B
                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                    • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                                  • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                                  • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                                  • __swprintf.LIBCMT ref: 00461608
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                  • String ID: %s%d
                                  • API String ID: 2645982514-1110647743
                                  • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                  • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                                  • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                                  • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
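                                   The entries in this listing (the MapVirtualKeyW block earlier and the GetFocus/EnumChildWindows block just above) all follow the same text layout: an "APIs" section of bullet lines in the form `Name.MODULE(args), ref: ADDR`, with `Part of subcall function ADDR:` marking calls made by a callee, followed by the dump source and the Opcode/Instruction IDs, and ending at the "Instruction Fuzzy Hash" line. The following Python parser is an added example, not part of the Joe Sandbox report or of the analysed sample; it turns that layout into records you can query (call histograms, "which functions reach both API X and API Y"). The sample input is copied, trimmed, from those two entries. Reading the fourth dot-separated field of the dump file name as the region base address is an assumption made here, not something the report states.

```python
"""Parse the per-function API listing of a Joe Sandbox report (the text format
shown above) into queryable records. Added example, not Joe Sandbox code; the
sample is copied (trimmed) from two entries on this page."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
Memory Dump Source
• Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Virtual
• String ID:
• Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
• Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
APIs
  • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
  • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
• GetFocus.USER32 ref: 0046157B
• GetClassNameW.USER32(?,?,00000100), ref: 004615C4
• EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
• __swprintf.LIBCMT ref: 00461608
• Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
• String ID: %s%d
• Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
• Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]      # raw tokens as printed: hex, "?", Function_xxx
    ref: int                   # call-site address inside the dump
    subcall_of: int | None     # set for "Part of subcall function XXXXXXXX"

@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)   # "Opcode ID", "API ID", ...
    region_base: int | None = None

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed by "Part of subcall function ADDR:".
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-F]{8}):\s*)?"
    r"([\w@$]+)\.([A-Z0-9]+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-F]{8})\s*$")
# "• Key: value"; the key is letters/spaces only, so API lines (they contain
# a '.') and subcall lines (they contain digits before ':') never match.
_META_RE = re.compile(r"^\s*•\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
_LAST_KEY = "Instruction Fuzzy Hash"   # last line of every entry on the page

def parse_entries(text: str) -> list[FunctionEntry]:
    entries, cur = [], FunctionEntry()
    for line in text.splitlines():
        m = _API_RE.match(line)
        if m:
            sub, name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(
                name, module,
                tuple(a.strip() for a in args.split(",")) if args else (),
                int(ref, 16), int(sub, 16) if sub else None))
            continue
        m = _META_RE.match(line)
        if not m or m.group(1) == "Associated":
            continue                  # section headers and associated dumps
        key, value = m.groups()
        if key == "Source File":
            # Dump name fields: proc.run.id.base.protect...; field 4 is assumed
            # to be the region base (0x401000 here, i.e. Offset + 0x1000).
            cur.region_base = int(value.split(".")[3], 16)
        cur.meta[key] = value
        if key == _LAST_KEY:
            entries.append(cur)
            cur = FunctionEntry()
    return entries

def api_histogram(entries: list[FunctionEntry]) -> Counter:
    """Count direct calls (subcalls excluded) as MODULE!Name over all entries."""
    return Counter(f"{a.module}!{a.name}"
                   for e in entries for a in e.apis if a.subcall_of is None)

def entries_calling(entries, *names, include_subcalls=True):
    """Entries whose (optionally transitive) call set contains every name."""
    return [e for e in entries
            if set(names) <= {a.name for a in e.apis
                              if include_subcalls or a.subcall_of is None}]
```

                                   Run over the whole listing, `api_histogram` gives the per-module call profile of the dumped image, and `entries_calling(entries, "GetFocus", "AttachThreadInput")` picks out the focus-probing function above while the same query with `include_subcalls=False` does not, because AttachThreadInput is only reached through subcall 0043646A. For the MapVirtualKeyW entry, the first argument of each call is the virtual-key code and the second (0, MAPVK_VK_TO_VSC) asks for its scan code; 0x5B, 0x10, 0xA0, 0xA1, 0x11 and 0x12 are VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL and VK_MENU, i.e. modifier keys, which fits the keyboard-hook signature in the report header even though this entry by itself shows no hook being installed.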
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                  • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                                  • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                                  • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                                  • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                  • String ID:
                                  • API String ID: 3488606520-0
                                  • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                  • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                                  • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                                  • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                                  APIs
                                    • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ConnectRegistry_memmove_wcslen
                                  • String ID:
                                  • API String ID: 15295421-0
                                  • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                  • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                                  • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                                  • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                                  APIs
                                  • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                                  • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                                  • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressProc$Library$FreeLoad
                                  • String ID:
                                  • API String ID: 2449869053-0
                                  • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                  • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                                  • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                                  • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004563A6
                                  • ScreenToClient.USER32(?,?), ref: 004563C3
                                  • GetAsyncKeyState.USER32(?), ref: 00456400
                                  • GetAsyncKeyState.USER32(?), ref: 00456410
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AsyncState$ClientCursorLongScreenWindow
                                  • String ID:
                                  • API String ID: 3539004672-0
                                  • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                  • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                                  • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                                  • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                                  APIs
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                                  • Sleep.KERNEL32(0000000A), ref: 0047D455
                                  • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                                  • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Interlocked$DecrementIncrement$Sleep
                                  • String ID:
                                  • API String ID: 327565842-0
                                  • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                  • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                                  • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                                  • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                                  APIs
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                                  • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                                  • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                                  • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: PrivateProfile$SectionWrite$String
                                  • String ID:
                                  • API String ID: 2832842796-0
                                  • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                  • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                                  • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                                  • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                                  APIs
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                                  • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Enum$CloseDeleteOpen
                                  • String ID:
                                  • API String ID: 2095303065-0
                                  • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                  • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                                  • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                                  • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00436A24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: RectWindow
                                  • String ID:
                                  • API String ID: 861336768-0
                                  • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                  • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                                  • Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                                  • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                                  APIs
                                  • SendMessageW.USER32 ref: 00449598
                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                  • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                                  • _wcslen.LIBCMT ref: 0044960D
                                  • _wcslen.LIBCMT ref: 0044961A
                                  • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$_wcslen$_wcspbrk
                                  • String ID:
                                  • API String ID: 1856069659-0
                                  • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                  • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                                  • Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                                  • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004478E2
                                  • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                                  • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                                  • GetCursorPos.USER32(00000000), ref: 0044796A
                                  • TrackPopupMenuEx.USER32(?,00000000,00000000,?,?,00000000), ref: 00447991
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CursorMenuPopupTrack$Proc
                                  • String ID:
                                  • API String ID: 1300944170-0
                                  • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                  • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                                  • Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                                  • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 004479CC
                                  • GetCursorPos.USER32(?), ref: 004479D7
                                  • ScreenToClient.USER32(?,?), ref: 004479F3
                                  • WindowFromPoint.USER32(?,?), ref: 00447A34
                                  • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Client$CursorFromPointProcRectScreenWindow
                                  • String ID:
                                  • API String ID: 1822080540-0
                                  • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                  • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                                  • Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                                  • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00447C5D
                                  • ScreenToClient.USER32(?,?), ref: 00447C7B
                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                                  • EndPaint.USER32(?,?), ref: 00447D13
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ClientPaintRectRectangleScreenViewportWindow
                                  • String ID:
                                  • API String ID: 659298297-0
                                  • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                  • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                                  • Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                                  • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                                  APIs
                                  • EnableWindow.USER32(?,00000000), ref: 00448B5C
                                  • EnableWindow.USER32(?,00000001), ref: 00448B72
                                  • ShowWindow.USER32(?,00000000), ref: 00448BE8
                                  • ShowWindow.USER32(?,00000004), ref: 00448BF4
                                  • EnableWindow.USER32(?,00000001), ref: 00448C09
                                    • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                    • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                    • Part of subcall function 00440D98: SendMessageW.USER32(009A1AF8,000000F1,00000000,00000000), ref: 00440E6E
                                    • Part of subcall function 00440D98: SendMessageW.USER32(009A1AF8,000000F1,00000001,00000000), ref: 00440E9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Window$EnableMessageSend$LongShow
                                  • String ID:
                                  • API String ID: 142311417-0
                                  • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                  • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                                  • Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                                  • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                  • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                                  • Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                                  • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                                  APIs
                                  • IsWindowVisible.USER32(?), ref: 00445879
                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                                  • _wcslen.LIBCMT ref: 004458FB
                                  • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                  • String ID:
                                  • API String ID: 3087257052-0
                                  • Opcode ID: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                  • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                                  • Opcode Fuzzy Hash: f69ffadf962ece00da2d3b786a5ca76815724ee7e4437aac7967cccaf73e78c3
                                  • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                                  APIs
                                    • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                                  • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                                  • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                                  • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                  • String ID:
                                  • API String ID: 245547762-0
                                  • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                  • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                                  • Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                                  • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                                  APIs
                                  • DeleteObject.GDI32(00000000), ref: 004471D8
                                  • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                  • SelectObject.GDI32(?,00000000), ref: 00447228
                                  • BeginPath.GDI32(?), ref: 0044723D
                                  • SelectObject.GDI32(?,00000000), ref: 00447266
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Object$Select$BeginCreateDeletePath
                                  • String ID:
                                  • API String ID: 2338827641-0
                                  • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                  • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                                  • Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                                  • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00434598
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                                  • Sleep.KERNEL32(00000000), ref: 004345D4
                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CounterPerformanceQuerySleep
                                  • String ID:
                                  • API String ID: 2875609808-0
                                  • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                  • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                                  • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                                  • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                                  APIs
                                  • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                                  • MessageBeep.USER32(00000000), ref: 00460C46
                                  • KillTimer.USER32(?,0000040A), ref: 00460C68
                                  • EndDialog.USER32(?,00000001), ref: 00460C83
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                  • String ID:
                                  • API String ID: 3741023627-0
                                  • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                  • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                                  • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                                  • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                  • String ID:
                                  • API String ID: 2625713937-0
                                  • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                  • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                                  • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                                  • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                                  APIs
                                  • __getptd.LIBCMT ref: 0041780F
                                    • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                    • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                                  • __getptd.LIBCMT ref: 00417826
                                  • __amsg_exit.LIBCMT ref: 00417834
                                  • __lock.LIBCMT ref: 00417844
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 938513278-0
                                  • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                  • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                                  • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                                  • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                                  APIs
                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                  • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                                  • ExitThread.KERNEL32 ref: 00413D4E
                                  • GetCurrentThreadId.KERNEL32 ref: 00413D54
                                  • __freefls@4.LIBCMT ref: 00413D74
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                  • String ID:
                                  • API String ID: 2403457894-0
                                  • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                  • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                                  • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                                  • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
                                  APIs
                                    • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                                  • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                    • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                    • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                                  • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                    • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                                  • ___fls_setvalue@8.LIBCMT ref: 004151DD
                                  • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                                  • ExitThread.KERNEL32 ref: 004151ED
                                  • __freefls@4.LIBCMT ref: 00415209
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                  • String ID:
                                  • API String ID: 4247068974-0
                                  • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                  • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                                  • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                                  • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: )$U$\
                                  • API String ID: 0-3705770531
                                  • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                  • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                                  • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                                  • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                                  APIs
                                    • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                                  • CoInitialize.OLE32(00000000), ref: 0046E505
                                  • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                                  • CoUninitialize.OLE32 ref: 0046E53D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                  • String ID: .lnk
                                  • API String ID: 886957087-24824748
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  Strings
                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                                  Similarity
                                  • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                  • API String ID: 708495834-557222456
                                  APIs
                                    • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                    • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                    • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                    • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                    • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                                  • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                                  Strings
                                  Similarity
                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                  • String ID: @
                                  • API String ID: 4150878124-2766056989
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \$^$h
                                  • API String ID: 4104443479-3224561352
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \$]$h
                                  • API String ID: 4104443479-3262404753
                                  APIs
                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • CloseHandle.KERNEL32(?), ref: 00457E09
                                  Strings
                                  Similarity
                                  • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                                  • String ID: <$@
                                  • API String ID: 2417854910-1426351568
                                  APIs
                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                    • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                                  Strings
                                  Similarity
                                  • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                  • String ID:
                                  • API String ID: 3705125965-3916222277
                                  APIs
                                  • GetMenuItemInfoW.USER32 ref: 0045FAC4
                                  • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                                  • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                                  Strings
                                  Similarity
                                  • API ID: Menu$Delete$InfoItem
                                  • String ID: 0
                                  • API String ID: 135850232-4108050209
                                  APIs
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                                  Strings
                                  Similarity
                                  • API ID: Window$Long
                                  • String ID: SysTreeView32
                                  • API String ID: 847901565-1698111956
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 00434B10
                                  • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                                  • FreeLibrary.KERNEL32(?), ref: 00434B9F
                                  Strings
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: AU3_GetPluginDetails
                                  • API String ID: 145871493-4132174516
                                  • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                  • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                                  • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                                  • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                                  APIs
                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window
                                  • String ID: SysMonthCal32
                                  • API String ID: 2326795674-1439706946
                                  • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                  • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                                  • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                                  • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                                  APIs
                                  • DestroyWindow.USER32(00000000), ref: 00450A2F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: DestroyWindow
                                  • String ID: msctls_updown32
                                  • API String ID: 3375834691-2298589950
                                  • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                  • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                                  • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                                  • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: $<
                                  • API String ID: 4104443479-428540627
                                  • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                  • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                                  • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                                  • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                  • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                                  • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                                  • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorMode$DiskFreeSpace
                                  • String ID: \VH
                                  • API String ID: 1682464887-234962358
                                  • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                  • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                                  • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                                  • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume
                                  • String ID: \VH
                                  • API String ID: 2507767853-234962358
                                  • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                  • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                                  • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                                  • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                                  • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                                  • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorMode$InformationVolume
                                  • String ID: \VH
                                  • API String ID: 2507767853-234962358
                                  • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                  • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                                  • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                                  • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                                  APIs
                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                                  • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: msctls_trackbar32
                                  • API String ID: 3850602802-1010561917
                                  • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                  • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                                  • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                                  • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                  • String ID: crts
                                  • API String ID: 943502515-3724388283
                                  • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                  • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                                  • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                                  • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                                  APIs
                                  • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                                  • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                                  • SetErrorMode.KERNEL32(?), ref: 0045D35C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorMode$LabelVolume
                                  • String ID: \VH
                                  • API String ID: 2006950084-234962358
                                  • Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                  • Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
                                  • Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
                                  • Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5
                                  APIs
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • GetMenuItemInfoW.USER32 ref: 00449727
                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                                  • DrawMenuBar.USER32 ref: 00449761
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw_malloc
                                  • String ID: 0
                                  • API String ID: 772068139-4108050209
                                  • Opcode ID: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                  • Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
                                  • Opcode Fuzzy Hash: 1167fa92614d233b3003e6fb28f1152d6dc9f7ab2b98f531c98f2f78594b2958
                                  • Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                                  • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCloseHandle
                                  • API String ID: 2574300362-3530519716
                                  • Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                  • Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
                                  • Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
                                  • Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8
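The per-function API records above (for example the AU3_GetPluginDetails record and the ICMP.DLL record just before this point) are emitted as flat bullet lines, which makes it tedious to answer triage questions such as "which functions resolve imports at run time, and which export names do they ask for?". The parser below is an added example, not code from the Joe Sandbox report or its IDA plugin: it reads the `APIs` / `Similarity` lines of this listing into records and flags every function that pairs a LoadLibrary* call with GetProcAddress. The sample input is constructed from lines of this listing; the record classes, function names and the `library!export` output form are assumptions of this example, not the plugin's own.

```python
"""Parse the per-function 'APIs' records of a Joe Sandbox IDA-plugin listing
and flag functions that resolve imports at run time (LoadLibrary* followed by
GetProcAddress). Added example; not part of Joe Sandbox or its IDA plugin."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A call line in the listing takes one of these shapes (copied from the report):
#   • LoadLibraryA.KERNEL32(?), ref: 00434B10
#   • GetMenuItemInfoW.USER32 ref: 00449727
#   • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Identifier lines under 'Similarity' ("API String ID" deliberately does not match).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID):\s*(?P<val>.*?)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # '?' where the plugin could not recover an argument
    ref: str                 # call-site address as printed in the listing
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Start a new record at each bare 'APIs' header and attach the call lines
    and identifier fields that follow it until the next header."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         m.group("ref").upper(), m.group("sub")))
            continue
        f = FIELD_LINE.match(line)
        if f:
            setattr(current, f.group("key").lower().replace(" ", "_"), f.group("val"))
    return records


def dynamic_imports(rec: FunctionRecord) -> List[str]:
    """Return 'library!export' for every LoadLibrary*/GetProcAddress pairing in
    the record. Unrecovered arguments stay '?', so '?!Name' means the export
    name is known but the module handle came from a variable."""
    libs = [c.args[0] if c.args else "?" for c in rec.calls if c.name.startswith("LoadLibrary")]
    exports = [c.args[1] if len(c.args) > 1 else "?"
               for c in rec.calls if c.name.startswith("GetProcAddress")]
    if not libs or not exports:
        return []
    return [f"{lib}!{exp}" for lib in libs for exp in exports]


def triage(text: str) -> Dict[str, object]:
    """Summarise a listing: record count, modules touched, and the functions
    (keyed by their first call-site address) that resolve imports at run time."""
    recs = parse_records(text)
    return {
        "functions": len(recs),
        "modules": sorted({c.module for r in recs for c in r.calls}),
        "dynamic_imports": [(r.calls[0].ref, dynamic_imports(r))
                            for r in recs if r.calls and dynamic_imports(r)],
    }


# Constructed sample: three records copied from the listing above.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(?), ref: 00434B10
• GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
• FreeLibrary.KERNEL32(?), ref: 00434B9F
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: AU3_GetPluginDetails
• API String ID: 145871493-4132174516
• Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
APIs
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• GetMenuItemInfoW.USER32 ref: 00449727
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
• DrawMenuBar.USER32 ref: 00449761
Strings
Similarity
• API ID: Menu$InfoItem$Draw_malloc
• String ID: 0
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full listing, `triage` gives a quick view of which functions do their own import resolution; the `?!AU3_GetPluginDetails` result shows the limit of the plugin's static argument recovery, where the DLL name has to come from the surrounding code or a string dump rather than from this record alone.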
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                                  • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpCreateFile
                                  • API String ID: 2574300362-275556492
                                  • Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                  • Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
                                  • Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
                                  • Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8
                                  APIs
                                  • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                                  • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: ICMP.DLL$IcmpSendEcho
                                  • API String ID: 2574300362-58917771
                                  • Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                  • Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
                                  • Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
                                  • Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8
                                  APIs
                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                  • API String ID: 2574300362-4033151799
                                  • Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                  • Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
                                  • Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
                                  • Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3
                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                  • API String ID: 2574300362-1816364905
                                  • Opcode ID: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                  • Instruction ID: 24515a708fc6b3a38513646dac5635f6d90a943ae1c03eade4216686bbe3791e
                                  • Opcode Fuzzy Hash: 14bf9b0efbe06d93ad9dae09c2ad7cadeb51a6503e8f45336d859f06d84a08d6
                                  • Instruction Fuzzy Hash: 51E0127154070A9BD7105FA5E91878A77D8DB14751F10882AFD45E2650D7B8E480C7BC
                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430E8D
                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00430E9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetModuleHandleExW$kernel32.dll
                                  • API String ID: 2574300362-199464113
                                  • Opcode ID: 264f8e721adbed0a0a4958d5ac8267ac8e19a3b8732fd2a865be9a36fa944cb5
                                  • Instruction ID: 757376e69a8637ab8385673bd519a3d20b1bca35ee4978b7889da1ae4d413b5b
                                  • Opcode Fuzzy Hash: 264f8e721adbed0a0a4958d5ac8267ac8e19a3b8732fd2a865be9a36fa944cb5
                                  • Instruction Fuzzy Hash: 4AE01271540706DFD7105F65D91964B77D8DF18762F104C2AFD85E2650D7B8E48087AC
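                                   The five entries above share one shape: LoadLibraryA on a DLL name immediately followed by GetProcAddress on a function name (IcmpCreateFile and IcmpSendEcho from ICMP.DLL, RegDeleteKeyExW from advapi32.dll, GetSystemWow64DirectoryW and GetModuleHandleExW from kernel32.dll), so those names need not appear in the PE import table at all. Comparing the set resolved this way against the static imports is a quick way to see what import-based triage would miss. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it pairs each LoadLibraryA call site with the GetProcAddress that follows it and groups the resolved names by DLL. The input lines are copied from the entries above (plus one unrelated OLEAUT32 call to show it is ignored); the 0x40-byte pairing window and the sample static import list passed to not_in_static_imports are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed input: API reference lines quoted from this report section, plus
# one unrelated call (VariantInit) that the pairing logic must ignore.
REPORT_LINES = [
    "• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310",
    "• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322",
    "• LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC",
    "• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE",
    "• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91",
    "• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3",
    "• LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3",
    "• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5",
    "• LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430E8D",
    "• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00430E9F",
    "• VariantInit.OLEAUT32(?), ref: 0047950F",
]

# Matches "<Api>.<MODULE>(<args>), ref: <8 hex digits>" anywhere in a line.
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_api_refs(lines):
    """Return (call_site, api_name, [args]) tuples sorted by call-site address."""
    records = []
    for line in lines:
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")]
            records.append((int(m["ref"], 16), m["api"], args))
    return sorted(records)


def runtime_imports(lines, window=0x40):
    """Group run-time resolved names by DLL.

    Each LoadLibraryA is paired with the first GetProcAddress whose call site
    lies within `window` bytes after it (assumption: the pair is emitted as one
    short stub, as the refs above suggest). The function name is the last
    GetProcAddress argument; the first is the module handle, unknown statically.
    """
    records = parse_api_refs(lines)
    resolved = defaultdict(set)
    for i, (ref, api, args) in enumerate(records):
        if api != "LoadLibraryA":
            continue
        dll = args[0].lower()
        for next_ref, next_api, next_args in records[i + 1:]:
            if next_ref - ref > window:
                break
            if next_api == "GetProcAddress":
                resolved[dll].add(next_args[-1])
                break
    return {dll: sorted(names) for dll, names in resolved.items()}


def not_in_static_imports(resolved, static_imports):
    """Names resolved at run time that the import table does not declare.

    `static_imports` is an iterable of 'dll!Function' strings as dumped from
    the PE import directory; the caller supplies it (constructed below).
    """
    declared = {s.lower() for s in static_imports}
    return sorted(
        f"{dll}!{fn}"
        for dll, fns in resolved.items()
        for fn in fns
        if f"{dll}!{fn}".lower() not in declared
    )


if __name__ == "__main__":
    hidden = runtime_imports(REPORT_LINES)
    print(hidden)
    # Constructed static import list for illustration, not the sample's real table.
    print(not_in_static_imports(hidden, ["KERNEL32.dll!GetModuleHandleExW"]))
```

                                   On a real report, feed every "ref:" line of the disassembly section to runtime_imports and diff the result against the import directory from your PE parser; a DLL such as ICMP.DLL that appears only in the run-time set is a capability (here, ICMP echo) that static import analysis would not have shown.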
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                  • Instruction ID: c5df29d3d24fc858ebdc5227190e2e918b6fbc7f8fe9fd347d916346834f6d96
                                  • Opcode Fuzzy Hash: 6f77df26dc74fc40ac7bf47809af4b9178697b073442c11c01de5ef3306f6c16
                                  • Instruction Fuzzy Hash: 66E17F75600209AFCB04DF98C880EAEB7B9FF88714F10859AE909DB351D775EE45CBA0
                                  APIs
                                  • VariantInit.OLEAUT32(?), ref: 0047950F
                                  • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                                  • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                                  • VariantClear.OLEAUT32(?), ref: 00479650
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Variant$AllocClearCopyInitString
                                  • String ID:
                                  • API String ID: 2808897238-0
                                  • Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                  • Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
                                  • Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
                                  • Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA
                                  APIs
                                  • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                                  • __itow.LIBCMT ref: 004699CD
                                    • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                                  • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                                  • __itow.LIBCMT ref: 00469A97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend$__itow
                                  • String ID:
                                  • API String ID: 3379773720-0
                                  • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                  • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                                  • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                                  • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00449A4A
                                  • ScreenToClient.USER32(?,?), ref: 00449A80
                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Window$ClientMoveRectScreen
                                  • String ID:
                                  • API String ID: 3880355969-0
                                  • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                  • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                                  • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                                  • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                  • String ID:
                                  • API String ID: 2782032738-0
                                  • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                  • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                                  • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                                  • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                                  APIs
                                  • ClientToScreen.USER32(00000000,?), ref: 0044169A
                                  • GetWindowRect.USER32(?,?), ref: 00441722
                                  • PtInRect.USER32(?,?,?), ref: 00441734
                                  • MessageBeep.USER32(00000000), ref: 004417AD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Rect$BeepClientMessageScreenWindow
                                  • String ID:
                                  • API String ID: 1352109105-0
                                  • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                  • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                                  • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                                  • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                                  APIs
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                                  • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                                  • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                                  • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                  • String ID:
                                  • API String ID: 3321077145-0
                                  • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                  • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                                  • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                                  • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
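                                   The entry above is a CreateHardLinkW call followed by GetLastError, DeleteFileW on the destination and a second CreateHardLinkW: the function does not give up when the destination already exists, it removes it and links again, so it behaves as an in-place file replacement rather than a plain link. The Python below is an added illustration of that control flow, not the sample's code and not a decompilation: os.link stands in for CreateHardLinkW, and treating an "already exists" error as the only condition that triggers delete-and-retry is an assumption, since the report shows the GetLastError call but not which error code is compared.

```python
import os
import shutil
import tempfile


def link_replacing(src, dst):
    """Hard-link dst to src; if dst already exists, delete it and link again.

    Mirrors the CreateHardLinkW -> GetLastError -> DeleteFileW -> CreateHardLinkW
    sequence in the report entry. Assumption: only an 'already exists' error
    takes the delete-and-retry path; any other error is final. Returns True on
    success, False otherwise.
    """
    try:
        os.link(src, dst)
        return True
    except FileExistsError:
        pass          # destination present: fall through to delete-and-retry
    except OSError:
        return False  # missing source, cross-device link, permissions: give up
    try:
        os.remove(dst)
        os.link(src, dst)
        return True
    except OSError:
        return False


def replace_demo():
    """Constructed scenario: dst exists with unrelated content before the call.

    Returns (succeeded, dst_is_now_the_same_file_as_src, dst_contents).
    """
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "payload.bin")
        dst = os.path.join(workdir, "existing.bin")
        with open(src, "wb") as f:
            f.write(b"A" * 16)
        with open(dst, "wb") as f:
            f.write(b"old contents")
        ok = link_replacing(src, dst)
        same = ok and os.path.samefile(src, dst)
        with open(dst, "rb") as f:
            data = f.read()
        return ok, same, data
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def missing_source_demo():
    """Constructed scenario: src does not exist, so the first link fails with a
    different error and the existing dst must be left untouched.

    Returns (succeeded, dst_still_exists).
    """
    workdir = tempfile.mkdtemp()
    try:
        dst = os.path.join(workdir, "existing.bin")
        with open(dst, "wb") as f:
            f.write(b"old contents")
        ok = link_replacing(os.path.join(workdir, "nope.bin"), dst)
        return ok, os.path.exists(dst)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(replace_demo())
    print(missing_source_demo())
```

                                   The point for triage is the second scenario as much as the first: a routine that deletes the destination on every error would be a destructive primitive, whereas one that only clears an existing target and then links is a file-replacement primitive, and the two leave different traces (a DeleteFileW on a file that was never replaced versus a target whose inode now matches the source).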
                                  APIs
                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                                  • __isleadbyte_l.LIBCMT ref: 004208A6
                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                                  • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                  • String ID:
                                  • API String ID: 3058430110-0
                                  • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                  • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                                  • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                                  • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                                  APIs
                                  • GetParent.USER32(?), ref: 004503C8
                                  • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                                  • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                                  • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                                  Similarity
                                  • API ID: Proc$Parent
                                  • String ID:
                                  • API String ID: 2351499541-0
                                  • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                  • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                                  • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                                  • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                                  • TranslateMessage.USER32(?), ref: 00442B01
                                  • DispatchMessageW.USER32(?), ref: 00442B0B
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                                  Similarity
                                  • API ID: Message$Peek$DispatchTranslate
                                  • String ID:
                                  • API String ID: 1795658109-0
                                  • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                  • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                                  • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                                  • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                                  APIs
                                  • GetForegroundWindow.USER32 ref: 0047439C
                                    • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                    • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                    • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                                  • GetCaretPos.USER32(?), ref: 004743B2
                                  • ClientToScreen.USER32(00000000,?), ref: 004743E8
                                  • GetForegroundWindow.USER32 ref: 004743EE
                                  Similarity
                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                  • String ID:
                                  • API String ID: 2759813231-0
                                  • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                  • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                                  • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                                  • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                                  APIs
                                    • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                                  • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                                  • _wcslen.LIBCMT ref: 00449519
                                  • _wcslen.LIBCMT ref: 00449526
                                  Similarity
                                  • API ID: MessageSend_wcslen$_wcspbrk
                                  • String ID:
                                  • API String ID: 2886238975-0
                                  • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                  • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                                  • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                                  • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                                  APIs
                                  Similarity
                                  • API ID: __setmode$DebugOutputString_fprintf
                                  • String ID:
                                  • API String ID: 1792727568-0
                                  • Opcode ID: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                  • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                                  • Opcode Fuzzy Hash: 1ad8d8d19ebad69fc12c553a92627abd23c9aa4f6f7f42f57f8396caf8494ece
                                  • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                                  APIs
                                    • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                                  • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                                  Similarity
                                  • API ID: Window$Long$AttributesLayered
                                  • String ID:
                                  • API String ID: 2169480361-0
                                  • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                  • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                                  • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                                  • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                                  APIs
                                    • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                    • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                    • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                                  • lstrlenW.KERNEL32(?), ref: 00434CF6
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                                  • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                                  Strings
                                  Similarity
                                  • API ID: lstrcmpilstrcpylstrlen$_malloc
                                  • String ID: cdecl
                                  • API String ID: 3850814276-3896280584
                                  • Opcode ID: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                  • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                                  • Opcode Fuzzy Hash: 21c69cf6c29ea855f725dfe2a9cb2720d4b8dbea94fc3a7d57af4f6d050de3c2
                                  • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                                  APIs
                                    • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                                  • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                                  • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                                  • _memmove.LIBCMT ref: 0046D475
                                  • inet_ntoa.WSOCK32(?), ref: 0046D481
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                                  • String ID:
                                  • API String ID: 2502553879-0
                                  • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                  • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                                  • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                                  • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                                  APIs
                                  • SendMessageW.USER32 ref: 00448C69
                                  • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                                  • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                                  • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                                  Similarity
                                  • API ID: MessageSend$LongWindow
                                  • String ID:
                                  • API String ID: 312131281-0
                                  • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                  • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                                  • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                                  • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                                  APIs
                                  • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                                  • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                                  Similarity
                                  • API ID: ErrorLastacceptselect
                                  • String ID:
                                  • API String ID: 385091864-0
                                  • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                  • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                                  • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                                  • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                                  APIs
                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                  • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                                  • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                                  • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                                  • GetStockObject.GDI32(00000011), ref: 00430258
                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                                  • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Window$CreateMessageObjectSendShowStock
                                  • String ID:
                                  • API String ID: 1358664141-0
                                  • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                  • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                                  • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                                  • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                                  • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                                  • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 2880819207-0
                                  • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                  • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                                  • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                                  • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                                  APIs
                                  • GetWindowRect.USER32(?,?), ref: 00430BA2
                                  • ScreenToClient.USER32(?,?), ref: 00430BC1
                                  • ScreenToClient.USER32(?,?), ref: 00430BE2
                                  • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ClientRectScreen$InvalidateWindow
                                  • String ID:
                                  • API String ID: 357397906-0
                                  • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                  • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                                  • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                                  • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                                  APIs
                                  • __wsplitpath.LIBCMT ref: 0043392E
                                    • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                                  • __wsplitpath.LIBCMT ref: 00433950
                                  • __wcsicoll.LIBCMT ref: 00433974
                                  • __wcsicoll.LIBCMT ref: 0043398A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                  • String ID:
                                  • API String ID: 1187119602-0
                                  • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                  • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                                  • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                                  • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                  • String ID:
                                  • API String ID: 3016257755-0
                                  • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                  • Instruction ID: fa6d01852bb983edeafff486d0019367465e9530caf48e469f9bea5953271079
                                  • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                  • Instruction Fuzzy Hash: FE11727250005DFBCF125E85EC41CEE3F22BB28394B9A8416FE1858131C73AC9B1AB85
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _wcslen$_malloc_wcscat_wcscpy
                                  • String ID:
                                  • API String ID: 1597257046-0
                                  • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                  • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                                  • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                                  • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                                  • __malloc_crt.LIBCMT ref: 0041F5B6
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: EnvironmentStrings$Free__malloc_crt
                                  • String ID:
                                  • API String ID: 237123855-0
                                  • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                  • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                                  • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                                  • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                                  APIs
                                  • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                                  • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                                  • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                                  • String ID:
                                  • API String ID: 2223660684-0
                                  • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                  • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                                  • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                                  • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                                  APIs
                                    • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                    • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                    • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                    • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                                  • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                                  • LineTo.GDI32(?,?,?), ref: 00447326
                                  • EndPath.GDI32(?), ref: 00447336
                                  • StrokePath.GDI32(?), ref: 00447344
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                  • String ID:
                                  • API String ID: 2783949968-0
                                  • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                  • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                                  • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                                  • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                                  APIs
                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                  • GetCurrentThreadId.KERNEL32 ref: 004364A3
                                  • AttachThreadInput.USER32(00000000), ref: 004364AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                  • String ID:
                                  • API String ID: 2710830443-0
                                  • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                  • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                                  • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                                  • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                                  • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                                  • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                    • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                    • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                  • String ID:
                                  • API String ID: 146765662-0
                                  • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                  • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                                  • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                                  • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                                  APIs
                                  • __getptd_noexit.LIBCMT ref: 00415150
                                    • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                    • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                    • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                    • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                    • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                                  • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                                  • __freeptd.LIBCMT ref: 0041516B
                                  • ExitThread.KERNEL32 ref: 00415173
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                  • String ID:
                                  • API String ID: 1454798553-0
                                  • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                  • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                                  • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                                  • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _strncmp
                                  • String ID: Q\E
                                  • API String ID: 909875538-2189900498
                                  • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                  • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                                  • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                                  • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                                  APIs
                                  • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                    • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                    • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C0E
                                    • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451C27
                                    • Part of subcall function 00451B42: VariantClear.OLEAUT32(?), ref: 00451CA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                                  • String ID: AutoIt3GUI$Container
                                  • API String ID: 2652923123-3941886329
                                  • Opcode ID: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                  • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                                  • Opcode Fuzzy Hash: 662e4c56437cfc6d97a34dfd7b47562ea5a254ee8eeedf1ae9933f7f1d1523bc
                                  • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove_strncmp
                                  • String ID: U$\
                                  • API String ID: 2666721431-100911408
                                  • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                  • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                                  • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                                  • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                                  APIs
                                    • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                    • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                                  • __wcsnicmp.LIBCMT ref: 00467288
                                  • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                  • String ID: LPT
                                  • API String ID: 3035604524-1350329615
                                  • Opcode ID: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                  • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                                  • Opcode Fuzzy Hash: df00d6e4b866e053a8717e7cd00b83b505630e9b2d4c108cf88e8e3b58e1c49d
                                  • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \$h
                                  • API String ID: 4104443479-677774858
                                  • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                  • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                                  • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                                  • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID: &
                                  • API String ID: 2931989736-1010288
                                  • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                  • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                                  • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                                  • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: \
                                  • API String ID: 4104443479-2967466578
                                  • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                  • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                                  • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                                  • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                                  APIs
                                  • _wcslen.LIBCMT ref: 00466825
                                  • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: CrackInternet_wcslen
                                  • String ID: |
                                  • API String ID: 596671847-2343686810
                                  • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                  • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                                  • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                                  • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                                  APIs
                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: '
                                  • API String ID: 3850602802-1997036262
                                  • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                  • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                                  • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                                  • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                                  APIs
                                  • _strlen.LIBCMT ref: 0040F858
                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                    • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                                  • _sprintf.LIBCMT ref: 0040F9AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: _memmove$_sprintf_strlen
                                  • String ID: %02X
                                  • API String ID: 1921645428-436463671
                                  • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                  • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                                  • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                                  • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                                  APIs
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: Combobox
                                  • API String ID: 3850602802-2096851135
                                  • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                  • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                                  • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                                  • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                                  APIs
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: LengthMessageSendTextWindow
                                  • String ID: edit
                                  • API String ID: 2978978980-2167791130
                                  • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                  • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                                  • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                                  • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                                  APIs
                                  • Sleep.KERNEL32(00000000), ref: 00476CB0
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1336030779.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1336000827.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336101200.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336462167.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336483975.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336502993.00000000004A8000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1336536038.00000000004AF000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_6medsM68NX.jbxd
                                  Similarity
                                  • API ID: GlobalMemorySleepStatus
                                  • String ID: @
                                  • API String ID: 2783356886-2766056989
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: htonsinet_addr
                                  • String ID: 255.255.255.255
                                  • API String ID: 3832099526-2422070025
                                  APIs
                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                                  Strings
                                  Similarity
                                  • API ID: InternetOpen
                                  • String ID: <local>
                                  • API String ID: 2038078732-4266983199
                                  APIs
                                  • SafeArrayCreateVector.OLEAUT32(00000013,00000000), ref: 0044CE78
                                  • _memmove.LIBCMT ref: 0044CE9F
                                  Strings
                                  Similarity
                                  • API ID: ArrayCreateSafeVector_memmove
                                  • String ID: crts
                                  • API String ID: 564309351-3724388283
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __fread_nolock_memmove
                                  • String ID: EA06
                                  • API String ID: 1988441806-3962188686
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: u,D
                                  • API String ID: 4104443479-3858472334
                                  APIs
                                  • _wcslen.LIBCMT ref: 00401B11
                                    • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                  • _memmove.LIBCMT ref: 00401B57
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                    • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                    • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                  Strings
                                  Similarity
                                  • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                  • String ID: @EXITCODE
                                  • API String ID: 2734553683-3436989551
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _memmove
                                  • String ID: Error:
                                  • API String ID: 4104443479-232661952
                                  APIs
                                  • InternetCloseHandle.WININET(?), ref: 00442663
                                  • InternetCloseHandle.WININET ref: 00442668
                                    • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                                  Strings
                                  Similarity
                                  • API ID: CloseHandleInternet$ObjectSingleWait
                                  • String ID: aeB
                                  • API String ID: 857135153-906807131
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                                  • PostMessageW.USER32(00000000), ref: 00441C05
                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  Strings
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  APIs
                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                    • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                                  Strings
                                  Similarity
                                  • API ID: FindMessagePostSleepWindow
                                  • String ID: Shell_TrayWnd
                                  • API String ID: 529655941-2988720461
                                  APIs
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00431E34
                                  • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00431E4C
                                  Strings
                                  Similarity
                                  • API ID: Temp$FileNamePath
                                  • String ID: aut
                                  • API String ID: 3285503233-3010740371
                                  APIs
                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                    • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                                  Strings
                                  Similarity
                                  • API ID: Message_doexit
                                  • String ID: AutoIt$Error allocating memory.
                                  • API String ID: 1993061046-4017498283