Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561652
MD5: a00d324c74f00710ced44b8c7f1a3561
SHA1: 218364f5e378c73877815755538d99250bbef5e5
SHA256: 86935c2a69aa7096890dd8b72291170dfd9a5d7b22f3a83e70b6e7afcc2d75d7
Tags: exe, user-Bitsight

Detection

Score: 10
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to get notified if a device is plugged in / out
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the installation date of Windows
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1200 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A00D324C74F00710CED44B8C7F1A3561)
    • WerFault.exe (PID: 2700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
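The process tree shows that the only child of file.exe (PID 1200) is WerFault.exe, launched with "-u -p 1200 -s 1460", i.e. Windows Error Reporting handling a crash of PID 1200, and the version-info strings later in the report give the sample's OriginalFilename as Taskmgr.exe. The Python below is an added example, not part of the Joe Sandbox report: it runs over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, CommandLine, ProcessId, ParentProcessId, OriginalFileName), extracts the target PID from each WerFault.exe command line, joins it back to the crashing process and flags the case where that process's on-disk name differs from its version-info name. The PIDs, paths and command lines are the ones in the report's process tree; the parent PID of file.exe is made up.

```python
import ntpath
import re

# WerFault.exe receives the crashing process id as "-p <pid>" (report: "-u -p 1200 -s 1460").
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)\b")

# Constructed events shaped like Sysmon Event ID 1; the ParentProcessId of file.exe is invented.
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 4444,
     "Image": r"C:\Users\user\Desktop\file.exe", "OriginalFileName": "Taskmgr.exe",
     "CommandLine": r'"C:\Users\user\Desktop\file.exe"'},
    {"ProcessId": 2700, "ParentProcessId": 1200,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe", "OriginalFileName": "WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460"},
]


def werfault_target_pid(event):
    """Return the PID a WerFault.exe instance reports on, or None for any other image."""
    if ntpath.basename(event["Image"]).lower() != "werfault.exe":
        return None
    m = WERFAULT_PID.search(event["CommandLine"])
    return int(m.group(1)) if m else None


def is_renamed(event):
    """True when the on-disk file name differs from the PE version-info OriginalFileName."""
    original = event.get("OriginalFileName")
    return bool(original) and ntpath.basename(event["Image"]).lower() != original.lower()


def crash_reports(events):
    """Correlate every WerFault launch with the process it was started for."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for wer in events:
        pid = werfault_target_pid(wer)
        if pid is None:
            continue
        crashed = by_pid.get(pid)
        findings.append({
            "werfault_pid": wer["ProcessId"],
            "crashed_pid": pid,
            "crashed_image": crashed["Image"] if crashed else None,
            "original_filename": crashed.get("OriginalFileName") if crashed else None,
            # In the report the faulting process spawned WerFault itself, so these agree.
            "spawned_by_target": wer["ParentProcessId"] == pid,
            "renamed": is_renamed(crashed) if crashed else False,
        })
    return findings


if __name__ == "__main__":
    for finding in crash_reports(SAMPLE_EVENTS):
        print(finding)
```

A renamed, Microsoft-signed Task Manager that crashes is not malicious on its own, but the same join (WerFault target PID to the faulting image, then image name against OriginalFileName) is what separates "a system binary crashed" from "something pretending to be a system binary crashed", so it is worth keeping as a standing query rather than a one-off.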

There are no malicious signatures; the evidence behind each signature follows.

Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: certificate valid
Source: file.exe | Static PE information: DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: Taskmgr.pdbUGP source: file.exe
Source: Binary string: Taskmgr.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00651502 EnterCriticalSection,UnregisterDeviceNotification,GetLastError,CloseHandle,0_2_00651502
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DF0B3 memset,FindClose,SHGetSpecialFolderPathW,FindFirstFileW,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetLastError,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,0_2_005DF0B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064AF6F GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp,0_2_0064AF6F
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00658620 CreateStreamOnHGlobal,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,OpenClipboard,GetLastError,GetCurrentThreadId,EmptyClipboard,GetHGlobalFromStream,GetCurrentThreadId,SetClipboardData,CloseClipboard,0_2_00658620
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00646DB2 CreateStreamOnHGlobal,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,SendMessageW,SendMessageW,SendMessageW,memset,SendMessageW,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,SendMessageW,SendMessageW,memset,SendMessageW,SendMessageW,OpenClipboard,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,EmptyClipboard,GetHGlobalFromStream,GetCurrentThreadId,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00646DB2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609855 LdrInitializeThunk,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,RegGetValueW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetCurrentThreadId,GetCurrentThreadId,LdrInitializeThunk,LdrInitializeThunk,RegGetValueW,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey,0_2_00609855
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E7700 memset,memset,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,ForwardGadgetMessage,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,LdrInitializeThunk,GetKeyState,SetFocus,0_2_005E7700
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060D05C NtQuerySystemInformation,0_2_0060D05C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064B0AA NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId,0_2_0064B0AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E81C1 NtQueryInformationToken,memset,NtQueryInformationToken,RtlInitUnicodeString,RtlCompareUnicodeString,RtlNtStatusToDosErrorNoTeb,RtlNtStatusToDosErrorNoTeb,HeapFree,0_2_005E81C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EE397 NtQuerySystemInformation,RtlNtStatusToDosError,EnterCriticalSection,GetCurrentThreadId,LeaveCriticalSection,0_2_005EE397
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F1410 LdrInitializeThunk,GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId,LdrInitializeThunk,GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,GetCurrentThreadId,GetCurrentThreadId,__aulldiv,GetCurrentThreadId,GetCurrentThreadId,VDMEnumProcessWOW,SysFreeString,SysAllocString,GetCurrentThreadId,LdrInitializeThunk,QueueUserWorkItem,SetEvent,PostMessageW,0_2_005F1410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F26F0 NtQuerySystemInformation,RtlNtStatusToDosError,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,CompareStringOrdinal,CompareStringOrdinal,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,memset,GetVersionExW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LdrInitializeThunk,LdrInitializeThunk,memset,GetVersionExW,GetLastError,_ftol2,LeaveCriticalSection,0_2_005F26F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E19FF PcwCreateQuery,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,PcwCreateQuery,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NtQueryTimerResolution,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,RtlNtStatusToDosError,GetCurrentThreadId,0_2_005E19FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDBE6 NtQuerySystemInformation,RtlNtStatusToDosError,0_2_005EDBE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F5C20 CompareStringOrdinal,OpenProcess,GetLastError,GetCurrentThreadId,NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,CloseHandle,0_2_005F5C20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060ECED NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetLastError,GetCurrentThreadId,GetLastError,GetCurrentThreadId,GetLastError,0_2_0060ECED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDD90 NtQuerySystemInformation,RtlNtStatusToDosError,0_2_005EDD90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EC040 memset,NtQuerySystemInformation,GetPhysicallyInstalledSystemMemory,EnterCriticalSection,LeaveCriticalSection,GetProcessHeap,HeapFree,RtlNtStatusToDosError,RtlNtStatusToDosError,GetLastError,0_2_005EC040
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006500A8 LdrInitializeThunk,GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId,0_2_006500A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061D198 ZwQueryWnfStateData,0_2_0061D198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00613290 NtQuerySystemInformationEx,RtlNtStatusToDosError,0_2_00613290
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065B3BC GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,0_2_0065B3BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066D463 DuplicateHandle,GetLastError,GetCurrentThreadId,NtQueryObject,RtlNtStatusToDosError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,CloseHandle,0_2_0066D463
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061D477 NtPowerInformation,RtlNtStatusToDosError,0_2_0061D477
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EC4F0 EnterCriticalSection,GetCurrentThreadId,VDMEnumProcessWOW,SetEvent,WaitForSingleObject,LeaveCriticalSection,NtQuerySystemInformation,RtlNtStatusToDosError,PostMessageW,0_2_005EC4F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064E4B9 GetCurrentThreadId,NtSetInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,0_2_0064E4B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006595C2 memset,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,0_2_006595C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E36C1 ZwQueryWnfStateData,ZwQueryWnfStateData,GetProcAddress,0_2_005E36C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EB69F NtOpenFile,RtlNtStatusToDosError,SetLastError,0_2_005EB69F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061B719 GetLogicalProcessorInformationEx,GetLastError,LocalAlloc,GetLogicalProcessorInformationEx,GetLastError,LocalAlloc,NtPowerInformation,LocalFree,RtlNumberOfSetBitsUlongPtr,LocalFree,0_2_0061B719
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066D71A DuplicateHandle,GetLastError,NtQueryInformationFile,RtlNtStatusToDosError,GetFileType,CloseHandle,0_2_0066D71A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066A7FB NtSetInformationFile,0_2_0066A7FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E28C4 PcwCreateQuery,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NtQueryTimerResolution,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,RtlNtStatusToDosError,GetCurrentThreadId,0_2_005E28C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00631989 memset,LdrInitializeThunk,EtwCheckCoverage,NtSetInformationProcess,GetLastError,CloseHandle,LdrInitializeThunk,NtQueryInformationProcess,LdrInitializeThunk,CloseHandle,0_2_00631989
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064CA3E NtQueryInformationProcess,RtlNtStatusToDosError,0_2_0064CA3E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00613B5C NtQuerySystemInformation,RtlNtStatusToDosError,0_2_00613B5C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00677C33 NtQueryInformationToken,NtQueryInformationToken,0_2_00677C33
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00624C00 GetCurrentThreadId,GetCurrentThreadId,NtQuerySystemInformation,0_2_00624C00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EECAF NtQuerySystemInformation,RtlNtStatusToDosError,EnterCriticalSection,GetCurrentThreadId,GetCurrentThreadId,SetEvent,0_2_005EECAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FBDE3 NtQuerySystemInformation,GetDurationFormatEx,0_2_005FBDE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066CE2C GetCurrentProcessId,OpenProcess,GetLastError,GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,0_2_0066CE2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EBE88 NtQuerySystemInformation,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_005EBE88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064BE8F GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,NtQueryInformationProcess,GetProcessHeap,HeapFree,RtlNtStatusToDosError,GetCurrentThreadId,0_2_0064BE8F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065AF3D NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,0_2_0065AF3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064FFD4 GetCurrentThreadId,NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId,0_2_0064FFD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EB300: memset,DeviceIoControl,CloseHandle,SetLastError,SetLastError,GetLastError,CloseHandle,SetLastError,0_2_005EB300
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F1410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060A630
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F26F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060BABC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065F026
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F81B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064B210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062A4BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CA632
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006196B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064D747
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00610840
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F99AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00659B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061EC66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E9C40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065FCFB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061FDFA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E2DB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDE20
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0060068C appears 50 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0061B9D0 appears 78 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006428F8 appears 124 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005F7A70 appears 36 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005E9AE8 appears 1002 times
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTaskmgr.exej% vs file.exe
Source: file.exe, 00000000.00000002.2452938841.00000000060D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs file.exe
Source: file.exe, 00000000.00000000.2038868847.0000000000696000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTaskmgr.exej% vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameTaskmgr.exej% vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Binary string: %s (%d)CBExpandoButtonImageCBExpandoButtonImageTextCpuChartTitleNumaCpuChartTitleLogicalRateLabelCpuDPA_Createbcrypt.dllsidebar_disk_name_%ddashSidebarEntrydashSidebarEntryViewer%s\Device\%sdashSidebarMemoryChart
Source: file.exe | Binary string: F\device\mup\WdcAppHistoryMonitor::GetColumnTexth:mm:ssWdcAppHistoryMonitor::UpdateInitializeWdcAppHistoryMonitor::_ReconcileImmersiveApplicationWdcAppHistoryMonitor::_ReconcileSingleAppPackageWdcAppHistoryMonitor::_ReconcileMultiAppPackageWdcAppHistoryMonitor::_GetPackageIconPathAppXManifest.xmlLogoWdcAppHistoryMonitor::_GetIconAndBackgroundColorForApplicationWdcAppHistoryMonitor::_CreateAppHistoryEntryWdcAppHistoryMonitor::_CreateApplicationEntryWdcAppHistoryMonitor::_CreateAndInitIconItemWdcAppHistoryMonitor::_SetIconWdcAppHistoryMonitor::_SetStackedIconWdcAppHistoryMonitor::_GetDwmDosPath%s%s\dwm.exeWdcAppHistoryMonitor::_AddDesktopItemEntry%windir%\system32\svchost.exeWdcAppHistoryMonitor::_AddAppMappingKeyByKeyWdcAppHistoryMonitor::_MapAndGetPackageNameKeyWdcAppHistoryMonitor::_MapAndGetSpecialItemEntrySystem\System interruptssvchost.exe [Uninstalled AppsRemote running AppsWdcAppHistoryMonitor::_MapAndGetDesktopItemEntryWdcAppHistoryMonitor::_CheckAndProcessShortExePathsWdcAppHistoryMonitor::_AddAppMappingKeyWdcAppHistoryMonitor::_RemoveAppMappingKeyByPrimarykeyWdcAppHistoryMonitor::_IsImmersiveApplicationInstallDateSoftware\Microsoft\Windows NT\CurrentVersionLastUpdateTextWdcAppHistoryMonitor::_RefreshLastUpdatedTextWdcAppHistoryMonitor::_RetireOldUsageDataWdcAppHistoryMonitor::_RegisterForSrumDataWdcAppHistoryMonitor::_ProcessNetworkSrumRecordWdcAppHistoryMonitor::_UpdateServiceMappingWdcAppHistoryMonitor::_GetServiceExePathWdcAppHistoryMonitor::_ProcessCpuSrumRecordWdcAppHistoryMonitor::_ProcessNotificationsSrumRecordAppHistoryStringCache::InitializeAppHistoryStringCache::AddI
Source: classification engine | Classification label: clean10.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F80B1 FormatMessageW,GetLastError,0_2_005F80B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00614D39 GetProcessHeap,HeapAlloc,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,GetProcessHeap,HeapFree,GetCurrentThreadId,GetLastError,GetCurrentThreadId,GetLastError,GetCurrentThreadId,0_2_00614D39
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00603169 CoCreateInstance,GetCurrentThreadId,GetCurrentThreadId,GetComputerNameW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetCurrentThreadId,ConvertSidToStringSidW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,LocalFree,0_2_00603169
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:64:WilError_02
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1200
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e910683c-5a33-452c-a804-9511b4f78957
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460
Source: C:\Users\user\Desktop\file.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: credui.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vdmdbg.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d12.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: networkuxbroker.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srumapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: tiledatarepository.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: staterepository.core.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepository.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: actxprxy.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | Window found: window name: SysTabControl32
Source: file.exe | Static PE information: certificate valid
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: file.exe | Static file information: File size 1278832 > 1048576
Source: file.exe | Static PE information: More than 200 imports for DUI70.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Taskmgr.pdbUGP source: file.exe
Source: Binary string: Taskmgr.pdb source: file.exe
Source: file.exe | Static PE information: section name: .imrsiv
Source: file.exe | Static PE information: section name: .didat
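The static fields above (a PE32 image with DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT and GUARD_CF set, a DEBUG directory whose PDB path is Taskmgr.pdb, a certificate with a Microsoft issuer, and the .imrsiv and .didat sections) are what a renamed copy of the Windows Task Manager looks like, which is consistent with the clean verdict. A triage script should reproduce those checks itself rather than trust the sandbox's labels. The Python below is an added example, not part of the Joe Sandbox report and not Microsoft code: it parses the COFF and optional headers with the standard library only, decodes the DllCharacteristics bits, lists the populated data directories and flags section names outside a whitelist. The sample bytes are a header-only PE32 constructed to mirror the values the report shows; the section-name whitelist and the set of expected mitigations are this example's own choices. The SECURITY directory (index 4), where an Authenticode signature lives, is absent from the report's directory listing and the example does not validate signatures; on Windows, Get-AuthenticodeSignature or signtool verify does that.

```python
import struct

# IMAGE_FILE_HEADER values the report calls out
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
# Whitelist and expected mitigations are this example's own assumptions, not the sandbox's.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".debug"}
EXPECTED_MITIGATIONS = {"DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"}


def parse_pe(data):
    """Parse the DOS, COFF and optional headers plus the section table (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:           # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:         # PE32+: 64-bit ImageBase/stack fields shift them by 16
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)   # same offset in both
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    directories = {}
    for i in range(min(nrva, len(DATA_DIRECTORIES))):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva or size:
            directories[DATA_DIRECTORIES[i]] = (rva, size)
    sections = []
    for i in range(nsections):
        entry = opt + opt_size + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        (sec_chars,) = struct.unpack_from("<I", data, entry + 36)
        sections.append((name, sec_chars))
    return {"machine": machine, "characteristics": chars, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "directories": directories, "sections": sections}


def dll_characteristic_names(flags):
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]


def triage(data):
    """Reproduce the report's static checks and add the ones it leaves implicit."""
    info = parse_pe(data)
    mitigations = dll_characteristic_names(info["dll_characteristics"])
    return {
        "is_32bit": info["machine"] == IMAGE_FILE_MACHINE_I386
                    and bool(info["characteristics"] & IMAGE_FILE_32BIT_MACHINE),
        "is_executable_image": bool(info["characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE),
        "mitigations": mitigations,
        "missing_mitigations": sorted(EXPECTED_MITIGATIONS - set(mitigations)),
        # FORCE_INTEGRITY makes the loader reject the image unless its signature verifies,
        # so "certificate valid" is load-bearing for this binary rather than informational.
        "force_integrity": "FORCE_INTEGRITY" in mitigations,
        "nonstandard_sections": [n for n, _ in info["sections"] if n not in STANDARD_SECTIONS],
        "has_debug_dir": "DEBUG" in info["directories"],
        "has_authenticode_dir": "SECURITY" in info["directories"],
        "directories": sorted(info["directories"]),
    }


def build_sample_pe32(dll_chars, sections, directories):
    """Header-only PE32 image used as constructed test input; it is not the real file.exe."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew
    opt = bytearray(224)                                      # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # SectionAlignment, FileAlignment
    struct.pack_into("<HH", opt, 68, 2, dll_chars)            # Subsystem=WINDOWS_GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    for idx, (rva, size) in directories.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0,
                       len(opt), IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Mirrors the report: 32-bit EXE, the five DllCharacteristics flags, .text/.imrsiv/.didat,
# and IMPORT/RESOURCE/BASERELOC/DEBUG/LOAD_CONFIG/IAT directories populated (constructed RVAs).
SAMPLE_PE = build_sample_pe32(
    dll_chars=0x0040 | 0x0080 | 0x0100 | 0x4000 | 0x8000,
    sections=[(".text", 0x60000020), (".imrsiv", 0x40000040), (".didat", 0xC0000040)],
    directories={1: (0x10000, 0x200), 2: (0x20000, 0x8000), 5: (0x30000, 0x1000),
                 6: (0x11000, 0x54), 10: (0x12000, 0xB8), 12: (0x13000, 0x400)},
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print("%-22s %s" % (key, value))
```

Run it on a real file with triage(open(path, "rb").read()); .imrsiv and .didat will show up as non-standard here exactly as the report flags them, which is a prompt to look at the signer and PDB path, not a verdict on its own.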
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00618149 push ecx; ret 0_2_0061815C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061811D push ecx; ret 0_2_00618130
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C4C00 push esp; iretd 0_2_005C4C11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C4C38 push esp; iretd 0_2_005C4C39
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060A630 LoadIconW,SendMessageW,SetTimer,LdrInitializeThunk,GetClientRect,SetWindowPos,LdrInitializeThunk,IsIconic,LdrInitializeThunk,ShowWindow,GetCurrentThreadId,GetFocus,IsWindow,SetFocus,?GetKeyFocusedElement@HWNDElement@DirectUI@@SGPAVElement@2@XZ,SetFocus,LdrInitializeThunk,PostMessageW,DestroyWindow,DestroyWindow,PostQuitMessage,ShowWindow,ShowWindow,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,CheckMenuItem,GetCurrentThreadId,CheckMenuItem,PostMessageW,GetTickCount64,GetCurrentThreadId,KillTimer,GetCurrentThreadId,GetCurrentThreadId,OpenIcon,SetForegroundWindow,SetWindowPos,PostMessageW,PostMessageW,IsWindowEnabled,DefWindowProcW,GetTickCount64,0_2_0060A630
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066C466 IsIconic,ShowWindowAsync,GetLastActivePopup,IsWindow,GetWindowLongW,ShowWindow,SwitchToThisWindow,MessageBeep,0_2_0066C466
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060B558 LdrInitializeThunk,IsIconic,PostMessageW,0_2_0060B558
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060B59A IsIconic,IsZoomed,IsZoomed,GetWindowRect,EqualRect,CopyRect,GetWindowRect,EqualRect,CopyRect,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey,0_2_0060B59A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006658B0 IsIconic,ShowWindowAsync,SetWindowPos,AllowSetForegroundWindow,SetForegroundWindow,0_2_006658B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00615CA4 IsZoomed,IsIconic,GetWindowRect,GetWindowRect,0_2_00615CA4
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066CE2C GetCurrentProcessId,OpenProcess,GetLastError,GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,0_2_0066CE2C
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.6 %
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DF0B3 memset,FindClose,SHGetSpecialFolderPathW,FindFirstFileW,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetLastError,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,0_2_005DF0B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064AF6F GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp,0_2_0064AF6F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061BA0F GetSystemInfo,LocalAlloc,LocalFree,0_2_0061BA0F
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: file.exe | Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe | Binary or memory string: ImageList_RemoveImageList_ReplaceIconImageList_CreateImageList_DestroyWdcLoadStringExWdcExpandMemoryWdcExpandingCallWdcExpandVariablesTmGetDescriptionFromVersionInfoTmGetDescriptionFromVersionInfoEx\StringFileInfo\04090000\%sTmGetStringFromVersionInfoTmGetProcessCommandLine :TmCheckSpecialProcessWdcProcessMonitor::CreateEntryWdcProcessMonitor::GetImageNameWdcGetProcessCriticalWdcProcessMonitor::GetCreateTimeWdcProcessMonitor::GetCriticalWdcProcessMonitor::ListUpdateWdcProcessMonitor::_CreateHangDetectionThreadWdcProcessMonitor::ResolveImageIconWdcProcessMonitor::ResolveImageDescriptionWdcProcessMonitor::ResolveImageNameWdcProcessMonitor::InitializePCWQueryWdcProcessMonitor::UpdateQueryWdcProcessMonitor::UpdateAllProcessCpuUsage: %fAllProcessCycleUsage: %fWdcProcessMonitor::_TmGetProcessUserNameWdcProcessMonitor::_AddUserNameForSidWdcProcessMonitor::ProcessSetIsElevatedWdcProcessMonitor::GetProcessPriorityWdcProcessMonitor::ProcessToggleUACWdcProcessMonitor::LoadProcessorAffinityWdcProcessMonitor::GetCurrentAffinityWdcServiceCache::_InitBackgroundThreadWdcServiceMonitor::CreateEntrybase\diagnosis\pdui\atm\main\service.cppWdcServiceMonitor::UpdateServiceState Change: DevQueryStateAbortedUPDATE:Remove: %sWdcDiskMonitor::AddDiskRegisterDiskInterfaceToHwnd failed at %dWdcDiskMonitor::GetDiskNumberWdcDiskMonitor::GetVolumeNameWdcDiskMonitor::ShouldIncludeDiskWdcDiskMonitor::EnumerateDiskExtentsWdcDiskMonitor::GetDiskExtentsWdcDiskMonitor::GetDriveInfoUnregisterDeviceNotification failed at 
%dWdcDiskMonitor::ClearDiskWdcDiskMonitor::QueryWdcDiskMonitor::CloneDriveInfoWdcDiskMonitor::GetCurrentDisksWdcDiskMonitor::CloseDiskHandleWdcDiskMonitor::IsVHDWdcDiskMonitor::GetDiskCapacityTmExpandMemoryWdcCpuMonitor::InitializePCWQueryTmQueryPcwCounterWdcCpuMonitor::UpdateQueryWdcCpuMonitor::GetNumaNodesCpusWdcCpuMonitor::QueryTmProcessorFrequency::_InitGroupInfoTmProcessorFrequency::_InitProcessorInfoTmProcessorFrequency::_GetProcessorFrequencyDistributionTmProcessorFrequency::_GetInstantaneousCpuSpeedCRUMPCHelper::PCHelperInitializebase\diagnosis\pdui\atm\main\rumdatasrcs.cppCRUMPCHelper::QueryCRUMPCHelper::UpdateFSUtilizationCRUMPCHelper::UpdateProcessorUtilizationCRUMAPIHelper::InitializeSrumCRUMAPIHelper::SrumThreadCRUMHelper::RUMHelperInitializeCRUMHelper::CalcSysDiskMetricsCRUMHelper::CalcSysNetMetricsCRUMHelper::AddProcDataCRUMHelper::GetProcResUsagebase\diagnosis\pdui\atm\main\network.cppWdcNetworkMonitor::PerInstanceDataRetrieveWdcNetworkMonitor::GetAdapterInfoWdcNetworkMonitor::QueryWdcMemoryMonitor::UpdateVMQuerybase\diagnosis\pdui\atm\main\memory.cppWdcMemoryMonitor::InitializePCWQueryHyper-V Dynamic Memory Integration ServiceMicrosoft HvWdcErrorMessageGetProcessWaitChainAsyncPopulateWaitTreeOnPostGetWaitChainTreeView_GetCheckedProcessCountInitializeMRTResourceManagerresources.priMrtGetThreadPreferredUILanguageNameMrtCreateOverrideResourceContextTmGetLocalizedLogoPathTmCombinePathDUI_GetElementScreenBoundsTmFormatMessageDUI_GetElementBoundsSoftware\Mi
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E82FE GetThreadUILanguage,LdrInitializeThunk,GetLocaleInfoW,0_2_005E82FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061913D IsDebuggerPresent,0_2_0061913D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E7A66 ActivateActCtx,ActivateActCtx,OutputDebugStringA,GetLastError,0_2_005E7A66
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066CE2C GetCurrentProcessId,OpenProcess,GetLastError,GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,0_2_0066CE2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E81C1 mov ecx, dword ptr fs:[00000030h]0_2_005E81C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E8298 mov eax, dword ptr fs:[00000030h]0_2_005E8298
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E82D4 mov eax, dword ptr fs:[00000030h]0_2_005E82D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00603169 CoCreateInstance,GetCurrentThreadId,GetCurrentThreadId,GetComputerNameW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetCurrentThreadId,ConvertSidToStringSidW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,LocalFree,0_2_00603169
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006179A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_006179A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E9B97 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetLastError,GetLastError,0_2_005E9B97
Source: file.exe | Binary or memory string: base\diagnosis\pdui\atm\main\tmutils.cppWdcInitializeCriticalSectionGetProcessAppContainerSidTmHeatTextbase\diagnosis\pdui\atm\main\colheader.cppSortArrowSortAscendingContendSortAscendingSortDescendingContendSortDescendingAtmColumnHeader::_UpdateSortArrowHeatMapCumulativeAtmColumnHeader::UpdateSysUtilizationColumns%d:%I64uAtmViewItem::InitializeParentColumnViewExpandoImageWrapperTmFirstColumnAtmViewItem::InitializeChildColumnTmColStatusTextTmLeafIconAtmViewItem::UpdateParentRowAtmViewItem::UpdateSuspendedStatusAtmViewItem::SetVisibilityAndToolTipAtmViewItem::UpdateChildCountTmViewRowAtmViewItem::UpdateChildRowTmRowIconAtmViewItem::CreateSmallViewItemFromDataAtmViewItem::CreateChildViewItemFromDataAtmViewItem::SetIconTmColHeaderContendTmColHeaderResourceValueClassWhiteContendResourceValueClassColHeaderTextContendTmExpandoTmAppViewItemTmUsersChildViewItembase\diagnosis\pdui\atm\main\tmsmallview.cppTmSmallViewTmSmallViewItembase\diagnosis\pdui\atm\main\tmlowmemoryview.cppTmLowMemoryViewTmLowMemoryViewItemTmSpecialProcesses::InitProcessPaths%windir%\Explorer.exe%windir%\system32\PickerHost.exe%WINDIR%\ImmersiveControlPanel\SystemSettings.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeSH.exeMicrosoftEdgeDevtools.exeMicrosoftEdgeBCHost.exeWindows.WARP.JITService.exechrome.exefirefox.exeopera.exeiexplore.exevivaldi.exebrave.exetor.exemaxthon.exeepic.exepalemoon.exeApp_MonitorWdcApplicationsMonitor::CreateEntryWdcApplicationsMonitor::UpdateInitializeWdcApplicationsMonitor::GetMemoryPercentageWdcApplicationsMonitor::ResolveImagePublisher_DesktopWdcApplicationsMonitor::ResolveImageFriendlyNameTabWindowClassWindows.UI.Core.CoreWindowMicrosoft 
EdgeWindows.WARP.JITServiceS-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1821068571-1793888307-623627345-1529106238S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1206159417-1570029349-2913729690-1184509225S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3513710562-3729412521-1863153555-1462103995S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3859068477-1314311106-1651661491-1685393560S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4043415302-551583165-304772019-4009825106S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1618978223-3991232872-53169767-3645722245S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4256926629-1688279915-2739229046-3928706915S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-2385269614-3243675-834220592-3047885450S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-355265979-2879959831-980936148-1241729999WdcApplicationsMonitor::ResolveImageFriendlyName_DesktopWdcApplicationsMonitor::ResolveImageNameWdcApplicationsMonitor::IsCriticalProcessWdcApplicationsMonitor::_CalcP
Source: file.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file.exe | Code function: GetThreadUILanguage,LdrInitializeThunk,GetLocaleInfoW,0_2_005E82FE
Source: C:\Users\user\Desktop\file.exe | Code function: GetCurrentProcessId,ProcessIdToSessionId,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,LdrInitializeThunk,GetKeyState,GetLastError,GetLastError,GetLastError,GetLastError,GetKeyState,GetKeyState,0_2_00602F63
Source: C:\Users\user\Desktop\file.exe | Code function: memset,LdrInitializeThunk,LdrInitializeThunk,GetLocaleInfoW,_wtoi,GetProcessHeap,HeapAlloc,GetLastError,GetCurrentThreadId,0_2_005E5640
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E25E0 GetSystemTime,MsgWaitForMultipleObjectsEx,PeekMessageW,WaitForSingleObject,TranslateMessage,DispatchMessageW,CoUninitialize,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetLastError,0_2_005E25E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00603169 CoCreateInstance,GetCurrentThreadId,GetCurrentThreadId,GetComputerNameW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetCurrentThreadId,ConvertSidToStringSidW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,LocalFree,0_2_00603169
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F26F0 NtQuerySystemInformation,RtlNtStatusToDosError,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,CompareStringOrdinal,CompareStringOrdinal,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,memset,GetVersionExW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LdrInitializeThunk,LdrInitializeThunk,memset,GetVersionExW,GetLastError,_ftol2,LeaveCriticalSection,0_2_005F26F0
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00604549 ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,?SetAccDesc@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QAEJPAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?SetID@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?Destroy@Element@DirectUI@@QAEJ_N@Z,?Destroy@Element@DirectUI@@QAEJ_N@Z,0_2_00604549
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EA843 StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?GetLayoutPos@Element@DirectUI@@QAEHXZ,?SetContentString@Element@DirectUI@@QAEJPBG@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?GetLayoutPos@Element@DirectUI@@QAEHXZ,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?RemoveListener@Element@DirectUI@@QAEXPAUIElementListener@2@@Z,?SetWidth@Element@DirectUI@@QAEJH@Z,0_2_005EA843
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00613991 StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,?Destroy@Element@DirectUI@@QAEJ_N@Z,0_2_00613991
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FED39 ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?SetID@Element@DirectUI@@QAEJPBG@Z,?SetAccDesc@Element@DirectUI@@QAEJPBG@Z,?SetAccName@Element@DirectUI@@QAEJPBG@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?SetID@Element@DirectUI@@QAEJPBG@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,?SetContentString@Element@DirectUI@@QAEJPBG@Z,?SetAccName@Element@DirectUI@@QAEJPBG@Z,0_2_005FED39
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00611DCC PathIsNetworkPathW,SHParseDisplayName,SHBindToParent,StrRetToBufW,ILFree,0_2_00611DCC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00605D89 StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?GetParent@Element@DirectUI@@QAEPAV12@XZ,?GetParent@Element@DirectUI@@QAEPAV12@XZ,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,0_2_00605D89
MITRE ATT&CK matrix (numbers in front of a technique name are the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Virtualization/Sandbox Evasion | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 2 Process Injection | 1 Access Token Manipulation | LSASS Memory | 61 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 2 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Peripheral Device Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Account Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 2 File and Directory Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 24 System Information Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior graph (rendered image; only the node labels are recoverable): Behavior Graph ID: 1561652; Sample: file.exe; Startdate: 24/11/2024; Architecture: WINDOWS; Score: 10. Nodes: file.exe (started) -> WerFault.exe 19 16 (started).

Source | Detection | Scanner
file.exe | 0% | ReversingLabs
file.exe | 0% | Virustotal
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | | high
    No contacted IP infos
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1561652
    Start date and time: 2024-11-24 03:21:05 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 4m 39s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed: 8
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: file.exe
    Detection: CLEAN
    Classification: clean10.evad.winEXE@2/5@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 92%
    • Number of executed functions: 100
    • Number of non-executed functions: 279
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.42.65.92
    • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    21:21:55 | API Interceptor | 1x Sleep call for process: file.exe modified
    21:22:36 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
    No context
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 65536
    Entropy (8bit): 1.1035727105549051
    Encrypted: false
    SSDEEP: 192:EMBYqSEvCPAL0BU/7E3jwxriQ4jzuiFTZ24IO8bB:JYnGCXBU/AjuWzuiFTY4IO8l
    MD5: 2248E64483CD78130FAA7C3C4A9A25DC
    SHA1: CE491D7935015FE708015804EC41895DD8231A7D
    SHA-256: C12491731196E4E650455A24431FAF81446BBF7AC3BEFC37490C4E1F12C763D2
    SHA-512: 238B00503C6B2E4C038A2049C97834C202FD434AFE757AA00972845A6B506F63A4F8801E720A55D4B55C76B23C7D2099FE54ACEE5E318F4AC97D0DE73772548A
    Malicious: false
    Reputation: low
    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.8.8.5.1.7.1.1.4.5.6.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.8.8.5.1.8.3.9.5.8.1.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.2.5.f.8.4.b.-.0.1.0.b.-.4.c.5.5.-.8.b.3.3.-.e.e.1.b.0.c.9.0.2.3.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.b.e.d.b.f.4.-.f.9.4.9.-.4.6.a.0.-.8.0.e.f.-.1.a.9.3.5.4.7.f.e.e.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.a.s.k.m.g.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.b.0.-.0.0.0.1.-.0.0.1.4.-.8.5.5.8.-.b.f.a.1.1.7.3.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.d.b.c.9.0.7.3.9.a.6.c.1.d.e.0.1.7.6.c.2.e.a.5.c.9.b.8.c.0.7.d.0.0.0.0.0.9.0.4.!.0.0.0.0.2.1.8.3.6.4.f.5.e.3.7.8.c.7.3.8.7.7.8.1.5.7.5.5.5.3.8.d.9.9.2.5.0.b.b.e.f.5.e.5.!.f.
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: Mini DuMP crash report, 14 streams, Sun Nov 24 02:21:58 2024, 0x1205a4 type
    Category: dropped
    Size (bytes): 131438
    Entropy (8bit): 1.9538403487498193
    Encrypted: false
    SSDEEP: 384:ma+ce/xdhr6/UVVefzBl9OmOEKk32JoQ6XQ8bO3aiUdlGh/grIojv/hYRY6Uqts:maRyxdV6/UVVefVl6Y293srI6qU
    MD5: 448B9A9068ABA8F7B9ADDCA31859CB34
    SHA1: 59D7F2AEF9383FA58F7109C4BCB3A8BAEE3B7420
    SHA-256: 1C1AC17D0F987D5A137DDD7EF61513F2D13A339C605DE7C9C111E197531C7C7F
    SHA-512: 4E60F63DD7122C84880AFBF391C4DE08AE8C9FF5FB223D5F2692CA61D09ED0EC03612DBBF8DD21D477BF38B59146B336264F5773CB219F10722768EE6A046E89
    Malicious: false
    Reputation: low
    Preview:MDMP..a..... ........Bg............t...............|............Y..........T.......8...........T...........h9..............t'..........`)..............................................................................eJ.......)......GenuineIntel............T............Bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
    Process: C:\Windows\SysWOW64\WerFault.exe
    File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category: dropped
    Size (bytes): 8342
    Entropy (8bit): 3.694521687604444
    Encrypted: false
    SSDEEP: 192:R6l7wVeJJCI6MD6YEIbSU9oM9/gmfBvZcfprw89bE0sfivsm:R6lXJj6o6YEESU9ougmfJZcfEnfw
    MD5: 595EA366A26A49CA25269861C9A1DE3F
    SHA1: AFF4FB35E8FA597D0CC54E9ADE85D6C0F6CDCF1A
    SHA-256: 771070711D909B7535F6A4B1F975E97C7D66A6F8DAE23FDBA6A5F1D37FFA499B
    SHA-512: 19CA7D0ECBC19839C8C08A8957B0FA7522085D2BFED28D3881291734C8787F318C1EEC674C640B9CBD1FE3EDDB146D90796F51EBA58E15B12EDC930A5D80153C
    Malicious: false
    Reputation: low
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.0.0.<./.P.i.
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4642
    Entropy (8bit):4.4544441946460855
    Encrypted:false
    SSDEEP:48:cvIwWl8zsEJg77aI9n0WpW8VY0Ym8M4JlkF8+q8j14pLbBHd:uIjfCI7Ft7VIJT7pLbBHd
    MD5:CEC43769A37DB74CAD14D1055B9AEF1A
    SHA1:46CD519ADBD00026F8AD64CA85DEA7D6B00D5D46
    SHA-256:1C8A8DD91895D097B127CF17E140AFCE282C6E249239B66C2FFE67C3F202519D
    SHA-512:D4063239F42A9378D622568F37F2E34FDAF16A9FF174DA6FD6C3A797FB6E903ACEA87E7D5847E3B684AEC41D722D1C430A23FD48FAD49B6692206F3FDF0997B6
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="601524" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):1835008
    Entropy (8bit):4.4219442689957384
    Encrypted:false
    SSDEEP:6144:xSvfpi6ceLP/9skLmb0OTxWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:IvloTxW+EZMM6DFy403w
    MD5:51B3D5190F5FD2D2DA0DD250DACECBCA
    SHA1:7426E2B00BA838D8ADA3B878C630796D7516D0A1
    SHA-256:3E859C7339284ACC2FB317DE33DABFB83CE60A26B2FC4DD418468E77D6F952E8
    SHA-512:C374C6EB81FB4F57541935214D3674EC16C9A425ACB56E662A35F1BDBF0191CFAC35E010AC20F57A8D339945B8CFF49C7FB4188527BBC8B9251E1AABC69D2DFD
    Malicious:false
    Reputation:low
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.4110720048107375
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:1'278'832 bytes
    MD5:a00d324c74f00710ced44b8c7f1a3561
    SHA1:218364f5e378c73877815755538d99250bbef5e5
    SHA256:86935c2a69aa7096890dd8b72291170dfd9a5d7b22f3a83e70b6e7afcc2d75d7
    SHA512:5c37f908bed65f88707f1f6d837690c3f088d46d2bddf589ce9207daf500e446bbb3293fd9f673ed320d19a8cda47032742bef132eb46827c9b6e03f1d1269db
    SSDEEP:24576:x8Bq2LeSLFQJI+SyTna8Sw89UHKEiyq9fizOdt1yCUaOBe7q4DmU/:3LapNEq9fiKuCUace7q4d/
    TLSH:46458E01FBA4C050E2F314711AFEAA28516D3E61D7A0D5EFA254BA6D7CB17C0B93A317
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4...p...p...p...y...........{.......P.......z.......U...p...........&.......q.......q...Richp...........PE..L....e"W...........
    Icon Hash:2be8ec204109f55c
    Entrypoint:0x457980
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Time Stamp:0x572265EB [Thu Apr 28 19:35:07 2016 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:10
    OS Version Minor:0
    File Version Major:10
    File Version Minor:0
    Subsystem Version Major:10
    Subsystem Version Minor:0
    Import Hash:920f3aec5a928b966c39ee8ce6687bf6
    Signature Valid:true
    Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Signature Validation Error:The operation completed successfully
    Error Number:0
    Not Before | Not After
    • 04/03/2020 19:30:39 | 03/03/2021 19:30:39
    Subject Chain
    • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Version:3
    Thumbprint MD5:7AB25ECD787C07B0984E7F1885C52907
    Thumbprint SHA-1:A4341B9FD50FB9964283220A36A1EF6F6FAA7840
    Thumbprint SHA-256:26FADD5610BB56E43D61A21B42A146C6A4568D8FC21DB5D78E70BE0AC390E9C3
    Serial:3300000266BD1580EFA75CD6D3000000000266
    Instruction
    call 00007F13A50C3945h
    jmp 00007F13A50C302Eh
    int3
    int3
    int3
    int3
    int3
    int3
    cmp ecx, dword ptr [004C2A88h]
    jne 00007F13A50C32A5h
    retn 0000h
    jmp 00007F13A50C32CFh
    mov edi, edi
    push ebp
    mov ebp, esp
    push 00000000h
    call dword ptr [004CB98Ch]
    push dword ptr [ebp+08h]
    call dword ptr [004CB984h]
    push C0000409h
    call dword ptr [004CBB08h]
    push eax
    call dword ptr [004CBAECh]
    pop ebp
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 00000324h
    mov dword ptr [004C58B8h], eax
    mov dword ptr [004C58B4h], ecx
    mov dword ptr [004C58B0h], edx
    mov dword ptr [004C58ACh], ebx
    mov dword ptr [004C58A8h], esi
    mov dword ptr [004C58A4h], edi
    mov word ptr [004C58D0h], ss
    mov word ptr [004C58C4h], cs
    mov word ptr [004C58A0h], ds
    mov word ptr [004C589Ch], es
    mov word ptr [004C5898h], fs
    mov word ptr [004C5894h], gs
    pushfd
    pop dword ptr [004C58C8h]
    mov eax, dword ptr [ebp+00h]
    mov dword ptr [004C58BCh], eax
    mov eax, dword ptr [ebp+04h]
    mov dword ptr [004C58C0h], eax
    lea eax, dword ptr [ebp+08h]
    mov dword ptr [004C58CCh], eax
    mov eax, dword ptr [ebp-00000324h]
    Programming Language:
    • [IMP] VS2008 SP1 build 30729
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcbeec | 0x5b4 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x58540 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x133600 | 0x4d70 | .reloc
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12f000 | 0xd65c | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x14080 | 0x54 | .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x4270 | 0x18 | .text
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3e98 | 0xa4 | .text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0xcb000 | 0xee8 | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb87f4 | 0x440 | .text
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0xb88f0 | 0xb8a00 | 9440c7e05010945838e572ae085d0211 | False | 0.4859671208530806 | data | 6.465462884913329 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .imrsiv | 0xba000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .data | 0xbb000 | 0xf69c | 0xa800 | 034e7849f553a0af3576d5d136e078a9 | False | 0.11149088541666667 | data | 3.8410781628570563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0xcb000 | 0x9c46 | 0x9e00 | 1a4df76c185a2d6fed147342bbbe7767 | False | 0.31222804588607594 | data | 5.835443354367716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .didat | 0xd5000 | 0x204 | 0x400 | d1dc29d5350096b234cadc4e20adebc0 | False | 0.2880859375 | data | 2.138663897085913 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0xd6000 | 0x58540 | 0x58600 | adee2f64718a55c63deff8ff859c620c | False | 0.367944439533239 | data | 5.5013997336000005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x12f000 | 0xd65c | 0xd800 | 27720cfe7c829074aba45d4d82de3da4 | False | 0.6928891782407407 | data | 6.772651648203255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    MUI | 0x12e428 | 0x118 | data | English | United States | 0.6
    PNG | 0x12dcd0 | 0x3a1 | PNG image data, 2 x 32, 8-bit/color RGB, non-interlaced | English | United States | 0.61248654467169
    PNG | 0x12e078 | 0x3aa | PNG image data, 2 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 0.6183368869936035
    PNG | 0x12bf08 | 0x1d2 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0236051502145922
    PNG | 0x12c0e0 | 0x1cb | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0239651416122004
    PNG | 0x12c2b0 | 0x1d0 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0237068965517242
    PNG | 0x12c480 | 0x1ba | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0248868778280542
    PNG | 0x12c640 | 0x1d2 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0236051502145922
    PNG | 0x12c9a8 | 0xb3 | PNG image data, 61 x 40, 8-bit/color RGB, non-interlaced | English | United States | 0.9050279329608939
    PNG | 0x12c818 | 0x18f | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0275689223057645
    PNG | 0x12ca60 | 0x3b6 | PNG image data, 8 x 45, 8-bit/color RGB, non-interlaced | English | United States | 0.6231578947368421
    PNG | 0x12ce18 | 0x39b | PNG image data, 8 x 1, 8-bit/color RGB, non-interlaced | English | United States | 0.6045503791982665
    PNG | 0x12d1b8 | 0x3bc | PNG image data, 8 x 45, 8-bit/color RGB, non-interlaced | English | United States | 0.6307531380753139
    PNG | 0x12d578 | 0x3a1 | PNG image data, 2 x 32, 8-bit/color RGB, non-interlaced | English | United States | 0.61248654467169
    PNG | 0x12d920 | 0x3aa | PNG image data, 2 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 0.6194029850746269
    UIFILE | 0x11a288 | 0xeffc | data | English | United States | 0.2009408164594049
    UIFILE | 0x1140a8 | 0x61e0 | data | English | United States | 0.26987547892720304
    WEVT_TEMPLATE | 0xd83b0 | 0x726e | data | English | United States | 0.23182221615347853
    RT_BITMAP | 0x12bea8 | 0x60 | Device independent bitmap graphic, 1 x 14 x 24, image size 56, resolution 2835 x 2835 px/m | English | United States | 0.34375
    RT_ICON | 0xdf9b0 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.29842342342342343
    RT_ICON | 0xe0418 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3323170731707317
    RT_ICON | 0xe0a80 | 0x4c8 | Device independent bitmap graphic, 40 x 80 x 4, image size 800 | English | United States | 0.3161764705882353
    RT_ICON | 0xe0f48 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41935483870967744
    RT_ICON | 0xe1230 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.45901639344262296
    RT_ICON | 0xe1418 | 0x1a8 | Device independent bitmap graphic, 20 x 40 x 4, image size 240 | English | United States | 0.4363207547169811
    RT_ICON | 0xe15c0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5
    RT_ICON | 0xe16e8 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.5401974612129761
    RT_ICON | 0xe2d10 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5919509594882729
    RT_ICON | 0xe3bb8 | 0xba8 | Device independent bitmap graphic, 40 x 80 x 8, image size 1600, 256 important colors | English | United States | 0.5955093833780161
    RT_ICON | 0xe4760 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7220216606498195
    RT_ICON | 0xe5008 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.5483870967741935
    RT_ICON | 0xe56d0 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.27979274611398963
    RT_ICON | 0xe5cd8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.2695086705202312
    RT_ICON | 0xe6240 | 0x9490 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9874053428691628
    RT_ICON | 0xef6d0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.41999291450165327
    RT_ICON | 0xf38f8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4649377593360996
    RT_ICON | 0xf5ea0 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.45710059171597633
    RT_ICON | 0xf7908 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5565196998123827
    RT_ICON | 0xf89b0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5245901639344263
    RT_ICON | 0xf9338 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.2569767441860465
    RT_ICON | 0xf99f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.42641843971631205
    RT_ICON | 0xf9f98 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.28859447004608296
    RT_ICON | 0xfa660 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.29857512953367876
    RT_ICON | 0xfac68 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.21315028901734104
    RT_ICON | 0xfb1d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.2709016393442623
    RT_ICON | 0xfbb58 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.32732558139534884
    RT_ICON | 0xfc210 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.30939716312056736
    RT_ICON | 0xfc6d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.6566820276497696
    RT_ICON | 0xfcda0 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.633419689119171
    RT_ICON | 0xfd3a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.48265895953757226
    RT_ICON | 0xfd910 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5504098360655738
    RT_ICON | 0xfe298 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.688953488372093
    RT_ICON | 0xfe950 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7065602836879432
    RT_ICON | 0xfee18 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.4642857142857143
    RT_ICON | 0xff4e0 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.44689119170984454
    RT_ICON | 0xffae8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.39234104046242774
    RT_ICON | 0x100050 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.39467213114754096
    RT_ICON | 0x1009d8 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.4459302325581395
    RT_ICON | 0x101090 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5195035460992907
    RT_ICON | 0x101558 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.19467213114754098
    RT_ICON | 0x101740 | 0x1a8 | Device independent bitmap graphic, 20 x 40 x 4, image size 240 | English | United States | 0.22641509433962265
    RT_ICON | 0x1018e8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.2972972972972973
    RT_ICON | 0x101a10 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.15552995391705068
    RT_ICON | 0x1020d8 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.16839378238341968
    RT_ICON | 0x1026e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.1329479768786127
    RT_ICON | 0x102c48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.2532786885245902
    RT_ICON | 0x1035d0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.31453488372093025
    RT_ICON | 0x103c88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.30939716312056736
    RT_ICON | 0x104178 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.32526881720430106
    RT_ICON | 0x104460 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4036885245901639
    RT_ICON | 0x104648 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.48986486486486486
    RT_ICON | 0x104770 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6782490974729242
    RT_ICON | 0x105018 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.6336405529953917
    RT_ICON | 0x1056e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.46604046242774566
    RT_ICON | 0x105c48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4343339587242026
    RT_ICON | 0x106cf0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.514344262295082
    RT_ICON | 0x107678 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5833333333333334
    RT_ICON | 0x107b68 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.1923963133640553
    RT_ICON | 0x108230 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.12564766839378239
    RT_ICON | 0x108838 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.17052023121387283
    RT_ICON | 0x108da0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.25040983606557377
    RT_ICON | 0x109728 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.18313953488372092
    RT_ICON | 0x109de0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.28634751773049644
    RT_ICON | 0x10a2a8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.13319672131147542
    RT_ICON | 0x10a490 | 0x1a8 | Device independent bitmap graphic, 20 x 40 x 4, image size 240 | English | United States | 0.14858490566037735
    RT_ICON | 0x10a638 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.20945945945945946
    RT_ICON | 0x10a760 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.3554147465437788
    RT_ICON | 0x10ae28 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.39831606217616583
    RT_ICON | 0x10b430 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.440028901734104
    RT_ICON | 0x10b998 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.020901639344262295
    RT_ICON | 0x10c320 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.027906976744186046
    RT_ICON | 0x10c9d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.03723404255319149
    RT_ICON | 0x10cec8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.201036866359447
    RT_ICON | 0x10d590 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.17487046632124353
    RT_ICON | 0x10db98 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.16618497109826588
    RT_ICON | 0x10e100 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.19221311475409836
    RT_ICON | 0x10ea88 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.17383720930232557
    RT_ICON | 0x10f140 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.22340425531914893
    RT_ICON | 0x10f608 | 0x358 | Device independent bitmap graphic, 16 x 24 x 32, image size 816 | English | United States | 0.12850467289719625
    RT_ICON | 0x10f978 | 0x358 | Device independent bitmap graphic, 16 x 24 x 32, image size 816 | English | United States | 0.13200934579439252
    RT_ICON | 0x10fce8 | 0x358 | Device independent bitmap graphic, 16 x 24 x 32, image size 816 | English | United States | 0.13200934579439252
    RT_ICON | 0x110058 | 0x358 | Device independent bitmap graphic, 16 x 24 x 32, image size 816 | English | United States | 0.12967289719626168
    RT_ICON | 0x1103c8 | 0x358 | Device independent bitmap graphic, 16 x 24 x 32, image size 816 | English | United States | 0.1308411214953271
    RT_ICON | 0x110738 | 0x358 | Device independent bitmap graphic, 16 x 24 x 32, image size 816 | English | United States | 0.1191588785046729
    RT_ICON | 0x110aa8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06382978723404255
    RT_ICON | 0x110f28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06914893617021277
    RT_ICON | 0x1113a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06826241134751773
    RT_ICON | 0x111828 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06826241134751773
    RT_ICON | 0x111ca8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06826241134751773
    RT_ICON | 0x112128 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06914893617021277
    RT_ICON | 0x1125a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.0673758865248227
    RT_ICON | 0x112a28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06826241134751773
    RT_ICON | 0x112ea8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.0673758865248227
    RT_ICON | 0x113328 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06914893617021277
    RT_ICON | 0x1137a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.06382978723404255
    RT_ICON | 0x113c28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.054078014184397165
    RT_ICON | 0x129288 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.5573770491803278
    RT_ICON | 0x129470 | 0x1a8 | Device independent bitmap graphic, 20 x 40 x 4, image size 240 | English | United States | 0.535377358490566
    RT_ICON | 0x129618 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5743243243243243
    RT_ICON | 0x129740 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.8168202764976958
    RT_ICON | 0x129e08 | 0x608 | Device independent bitmap graphic, 20 x 40 x 8, image size 400, 256 important colors | English | United States | 0.7370466321243523
    RT_ICON | 0x12a410 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.5339595375722543
    RT_ICON | 0x12a978 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.659016393442623
    RT_ICON | 0x12b300 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.7552325581395349
    RT_ICON | 0x12b9b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6648936170212766
    RT_GROUP_ICON | 0xf9e58 | 0x13a | data | English | United States | 0.5445859872611465
    RT_GROUP_ICON | 0xfc678 | 0x5a | data | English | United States | 0.7666666666666667
    RT_GROUP_ICON | 0xfedb8 | 0x5a | data | English | United States | 0.7777777777777778
    RT_GROUP_ICON | 0x1014f8 | 0x5a | data | English | United States | 0.7777777777777778
    RT_GROUP_ICON | 0x1040f0 | 0x84 | data | English | United States | 0.6742424242424242
    RT_GROUP_ICON | 0x107ae0 | 0x84 | data | English | United States | 0.6742424242424242
    RT_GROUP_ICON | 0x10a248 | 0x5a | data | English | United States | 0.7888888888888889
    RT_GROUP_ICON | 0x10f960 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x10fcd0 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x110040 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x1103b0 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x110720 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x110a90 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x10ce40 | 0x84 | data | English | United States | 0.6893939393939394
    RT_GROUP_ICON | 0x10f5a8 | 0x5a | data | English | United States | 0.7888888888888889
    RT_GROUP_ICON | 0x12be20 | 0x84 | data | English | United States | 0.6818181818181818
    RT_GROUP_ICON | 0x110f10 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x111390 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x111810 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x111c90 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x112110 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x112590 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x112a10 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x112e90 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x113310 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x113790 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x113c10 | 0x14 | data | English | United States | 1.25
    RT_GROUP_ICON | 0x114090 | 0x14 | data | English | United States | 1.25
    RT_VERSION | 0xdf620 | 0x38c | data | English | United States | 0.460352422907489
    RT_MANIFEST | 0xd7eb0 | 0x500 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4296875
    DLL | Import
    GDI32.dll | GetDeviceCaps, CreateDIBSection, DeleteObject, SelectObject, GetTextExtentPointW, CreatePen, MoveToEx, LineTo, Rectangle
    USER32.dll | GetWindowLongW, IsIconic, IsZoomed, SetWindowLongW, MonitorFromPoint, GetMonitorInfoW, GetClientRect, RedrawWindow, GetMenuState, GetMenuItemInfoW, KillTimer, CreateDialogParamW, GetWindowTextLengthW, SetDlgItemTextW, CheckMenuItem, SetGestureConfig, SwitchToThisWindow, MessageBeep, GetDoubleClickTime, GetCurrentInputMessageSource, SetMenuDefaultItem, RegisterWindowMessageW, UnregisterClassW, ShowWindowAsync, InternalGetWindowText, GetGestureInfo, EnableMenuItem, GetSubMenu, CheckMenuRadioItem, GetMenuItemCount, GetLastActivePopup, GetPropW, GetClassLongW, GetClassNameW, RemoveMenu, TrackPopupMenuEx, CopyIcon, DestroyMenu, GetWindowRect, TrackPopupMenu, GetCursorPos, PostMessageW, SendMessageW, CreateWindowExW, SetWindowPos, CloseGestureInfoHandle, AppendMenuW, GetSysColor, PostQuitMessage, IsWindowEnabled, OpenIcon, IsWindow, DefWindowProcW, LoadIconW, UpdateWindow, SetMenu, GetMenu, ChangeWindowMessageFilterEx, CreatePopupMenu, InsertMenuW, SetForegroundWindow, SystemParametersInfoW, GetDC, RegisterClassExW, GetMenuItemID, ReleaseDC, GetKeyState, EqualRect, GhostWindowFromHungWindow, HungWindowFromGhostWindow, CreateWindowInBand, GetWindowBand, GetWindowCompositionAttribute, CopyRect, TranslateAcceleratorW, GetMessageW, LoadAcceleratorsW, GetSystemMetrics, SendMessageTimeoutW, AllowSetForegroundWindow, FindWindowW, DestroyWindow, SetFocus, SetTimer, GetForegroundWindow, LoadMenuW, GetParent, DialogBoxParamW, LoadStringW, DispatchMessageW, MessageBoxW, TranslateMessage, MapWindowPoints, PtInRect, PeekMessageW, MsgWaitForMultipleObjectsEx, UnregisterDeviceNotification, RegisterDeviceNotificationW, EndDialog, EnableWindow, GetScrollPos, SetWindowTextW, DeleteMenu, GetMessagePos, GetWindowTextW, GetDlgItem, CharLowerW, OpenClipboard, EmptyClipboard, GetGuiResources, GetProcessWindowStation, SetClipboardData, CloseClipboard, EnumDesktopsW, GetFocus, CloseDesktop, EnumDesktopWindows, SetThreadDesktop, GetThreadDesktop, OpenDesktopW, InvalidateRect, ShowWindow, GetWindowThreadProcessId, IsHungAppWindow, IsWindowVisible, DestroyIcon, GetWindow, LoadImageW, CharUpperBuffW
    msvcrt.dll | _i64tow_s, _wtoi, wcstok_s, wcstoul, iswdigit, realloc, memmove_s, towupper, _ui64tow_s, iswspace, free, _stricmp, _strnicmp, bsearch, wcstod, _wtol, wprintf_s, _purecall, _wcsnicmp, wcschr, __p__commode, _amsg_exit, __wgetmainargs, __set_app_type, memcpy_s, exit, _exit, _cexit, __p__fmode, __setusermatherr, _set_errno, _initterm, _wcmdln, _lock, _unlock, __dllonexit, _onexit, wcsstr, _callnewh, malloc, _except_handler4_common, ??1type_info@@UAE@XZ, __CxxFrameHandler3, toupper, iswalpha, _wcsicmp, wcsrchr, _XcptFilter, _vsnwprintf, memset, ?terminate@@YAXXZ, _controlfp, _get_errno, _CIsqrt, _ftol2, _ftol2_sse, ceil, floor, memcmp, memcpy, memmove, swscanf_s
    api-ms-win-core-libraryloader-l1-2-0.dll | GetModuleHandleExW, GetModuleFileNameA, GetProcAddress, FreeLibrary, LoadLibraryExW, GetModuleHandleW, GetModuleFileNameW, GetModuleHandleA
    api-ms-win-core-synch-l1-1-0.dll | SetEvent, CreateEventW, InitializeCriticalSectionEx, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, ReleaseSRWLockShared, AcquireSRWLockShared, ReleaseSRWLockExclusive, TryEnterCriticalSection, AcquireSRWLockExclusive, CreateMutexExW, ResetEvent, OpenSemaphoreW, WaitForSingleObjectEx, ReleaseMutex, WaitForSingleObject, ReleaseSemaphore, InitializeSRWLock, CreateEventExW, CreateMutexW, OpenEventW, DeleteCriticalSection, CreateSemaphoreExW
    api-ms-win-core-heap-l1-1-0.dll | HeapSize, GetProcessHeap, HeapReAlloc, HeapSetInformation, HeapFree, HeapAlloc
    api-ms-win-core-errorhandling-l1-1-0.dll | SetLastError, UnhandledExceptionFilter, RaiseException, SetUnhandledExceptionFilter, GetLastError, SetErrorMode, GetErrorMode
    api-ms-win-core-processthreads-l1-1-0.dll | GetPriorityClass, CreateThread, GetCurrentThreadId, SetPriorityClass, SetProcessShutdownParameters, GetProcessTimes, GetThreadPriority, TerminateProcess, GetStartupInfoW, GetExitCodeThread, GetCurrentProcessId, CreateProcessW, GetCurrentThread, SetThreadPriority, GetCurrentProcess, OpenProcessToken, ProcessIdToSessionId
    api-ms-win-core-localization-l1-2-0.dll | GetLocaleInfoEx, GetThreadPreferredUILanguages, GetLocaleInfoW, GetThreadUILanguage, FormatMessageW
    api-ms-win-core-debug-l1-1-0.dll | OutputDebugStringA, OutputDebugStringW, DebugBreak, IsDebuggerPresent
    api-ms-win-core-handle-l1-1-0.dll | DuplicateHandle, CloseHandle
    OLEAUT32.dll | SafeArrayPutElement, SysStringLen, SysAllocStringLen, VariantClear, SafeArrayDestroy, SysFreeString, SysAllocString, VariantInit, SafeArrayCreateVector
    api-ms-win-core-threadpool-l1-2-0.dll | CloseThreadpoolTimer, SetThreadpoolTimer, CreateThreadpoolTimer, WaitForThreadpoolTimerCallbacks
    api-ms-win-eventing-provider-l1-1-0.dll | EventUnregister, EventProviderEnabled, EventSetInformation, EventRegister, EventWriteTransfer
    api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter, QueryPerformanceFrequency
    api-ms-win-core-sysinfo-l1-1-0.dll | GetLogicalProcessorInformationEx, GetSystemInfo, GetComputerNameExW, GetSystemTimeAsFileTime, GetVersionExW, GlobalMemoryStatusEx, GetSystemDirectoryW, GetSystemTime, GetTickCount, GetTickCount64, GetLocalTime
    api-ms-win-core-libraryloader-l1-2-1.dll | LoadLibraryW, LoadLibraryA
    api-ms-win-core-synch-l1-2-0.dll | InitOnceComplete, InitOnceExecuteOnce, Sleep, SleepConditionVariableSRW, WakeAllConditionVariable, InitOnceBeginInitialize
    api-ms-win-core-registry-l1-1-0.dll | RegEnumValueW, RegQueryInfoKeyW, RegQueryValueExW, RegGetValueW, RegOpenKeyExW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegNotifyChangeKeyValue, RegCreateKeyExW
    api-ms-win-security-base-l1-1-0.dll | GetLengthSid, AdjustTokenPrivileges, FreeSid, CopySid, AllocateAndInitializeSid, EqualSid, CreateWellKnownSid, GetTokenInformation, CheckTokenMembership, SetTokenInformation, IsWellKnownSid
    api-ms-win-core-heap-l2-1-0.dll | LocalAlloc, LocalFree
    api-ms-win-core-sysinfo-l1-2-0.dll | GetNativeSystemInfo, GetSystemFirmwareTable
    api-ms-win-core-synch-l1-2-1.dll | WaitForMultipleObjects
    api-ms-win-core-string-l1-1-0.dll | CompareStringEx, MultiByteToWideChar, CompareStringOrdinal
    api-ms-win-core-datetime-l1-1-0.dll | GetDateFormatW, GetTimeFormatW
    api-ms-win-core-io-l1-1-1.dll | CancelSynchronousIo
    api-ms-win-core-processenvironment-l1-1-0.dll | GetCurrentDirectoryW, ExpandEnvironmentStringsW, ExpandEnvironmentStringsA
    api-ms-win-core-processthreads-l1-1-1.dll | IsProcessorFeaturePresent, OpenProcess
    api-ms-win-core-version-l1-1-0.dll | GetFileVersionInfoSizeExW, GetFileVersionInfoExW, VerQueryValueW
    api-ms-win-core-memory-l1-1-0.dll | ReadProcessMemory
    api-ms-win-core-file-l1-1-0.dll | FindClose, FindFirstFileW, FindNextVolumeW, CreateFileW, FindFirstVolumeW, GetFileType, GetLongPathNameW, FindNextChangeNotification, GetFileAttributesExW, GetLogicalDriveStringsW, FindFirstChangeNotificationW, FindNextFileW, QueryDosDeviceW, CompareFileTime, GetDriveTypeW, FindVolumeClose
    api-ms-win-core-psapi-l1-1-0.dllQueryFullProcessImageNameW
    api-ms-win-core-sysinfo-l1-2-2.dllGetProcessorSystemCycleTime
    api-ms-win-core-wow64-l1-1-0.dllIsWow64Process
    api-ms-win-core-io-l1-1-0.dllDeviceIoControl
    api-ms-win-core-file-l1-2-0.dllGetTempPathW, GetVolumePathNamesForVolumeNameW
    api-ms-win-core-timezone-l1-1-0.dllSystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, SystemTimeToFileTime
    api-ms-win-core-sysinfo-l1-2-1.dllGetPhysicallyInstalledSystemMemory
    api-ms-win-core-path-l1-1-0.dllPathCchCombine, PathCchCanonicalize, PathCchAppend
    api-ms-win-core-version-l1-1-1.dllGetFileVersionInfoW, GetFileVersionInfoSizeW
    api-ms-win-core-winrt-error-l1-1-0.dllRoTransformError, RoOriginateError
    api-ms-win-core-datetime-l1-1-2.dllGetDurationFormatEx
    api-ms-win-core-localization-l2-1-0.dllGetNumberFormatEx
    api-ms-win-core-memory-l1-1-1.dllVirtualUnlock
    api-ms-win-core-string-l2-1-1.dllSHLoadIndirectString
    api-ms-win-core-datetime-l1-1-1.dllGetDateFormatEx
    api-ms-win-power-setting-l1-1-0.dllPowerSettingRegisterNotification, PowerSettingUnregisterNotification
    api-ms-win-core-kernel32-legacy-l1-1-0.dllGetComputerNameW, MulDiv
    api-ms-win-core-shlwapi-legacy-l1-1-0.dllSHExpandEnvironmentStringsW, PathRemoveExtensionW, PathStripPathW, PathRemoveBackslashW, PathIsRelativeW, PathGetArgsW, PathFileExistsW, PathRemoveBlanksW, PathIsPrefixW
    api-ms-win-core-threadpool-legacy-l1-1-0.dllCreateTimerQueueTimer, QueueUserWorkItem, DeleteTimerQueueTimer
    api-ms-win-core-pcw-l1-1-0.dllPcwCollectData, PcwAddQueryItem, PcwCreateQuery
    NSI.dllNsiGetParameter
    COMCTL32.dllImageList_CoCreateInstance
    ntdll.dllZwQueryWnfStateData, NtQueryInformationThread, RtlInitUnicodeString, NtQueryTimerResolution, NtSetInformationProcess, NtQuerySystemInformationEx, RtlImageNtHeader, RtlNumberOfSetBitsUlongPtr, NtPowerInformation, NtQuerySystemInformation, RtlNtStatusToDosError, RtlTimeToElapsedTimeFields, RtlAllocateHeap, RtlSecondsSince1970ToTime, NtQueryInformationFile, NtQueryObject, NtSetInformationFile, LdrQueryProcessModuleInformation, EtwCheckCoverage, RtlIpv6AddressToStringExW, RtlIpv4AddressToStringExW, NtQueryInformationProcess, RtlCompareUnicodeString, RtlNtStatusToDosErrorNoTeb, NtQueryInformationToken, NtOpenFile, RtlCheckPortableOperatingSystem, RtlFreeHeap
    UxTheme.dllSetWindowTheme, UpdatePanningFeedback, GetThemeColor, OpenThemeData, GetThemeInt, BeginPanningFeedback, EndPanningFeedback, CloseThemeData
    SHLWAPI.dllAssocQueryStringW, PathRemoveArgsW, SHCreateStreamOnFileW, StrRChrIW, SHCreateStreamOnFileEx, StrToIntExW, StrRetToBufW, StrTrimW, PathIsNetworkPathW, StrStrW, StrStrIW
    SHELL32.dllSHGetKnownFolderItem, SHGetSpecialFolderPathW, SHOpenFolderAndSelectItems, Shell_NotifyIconW, SHGetPropertyStoreForWindow, DuplicateIcon, ShellExecuteW, CommandLineToArgvW, Shell_GetCachedImageIndexW, SHBindToParent, SHParseDisplayName, ShellExecuteExW, SHEvaluateSystemCommandTemplate, SHGetKnownFolderIDList
    credui.dllCredUIPromptForCredentialsW
    DUser.dllForwardGadgetMessage, SetGadgetStyle, GetGadgetRect
    DUI70.dll??0HWNDElement@DirectUI@@QAE@XZ, ??1HWNDElement@DirectUI@@UAE@XZ, ?Destroy@NativeHWNDHost@DirectUI@@QAEXXZ, ?WndProc@HWNDElement@DirectUI@@UAEJPAUHWND__@@IIJ@Z, ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z, ?GetRoot@Element@DirectUI@@QAEPAV12@XZ, StrToID, ?GetHWND@HWNDElement@DirectUI@@UAEPAUHWND__@@XZ, ?StartDefer@Element@DirectUI@@QAEXPAK@Z, ?EndDefer@Element@DirectUI@@QAEXK@Z, ?OnInput@HWNDElement@DirectUI@@UAEXPAUInputEvent@2@@Z, ?SetLayoutPos@Element@DirectUI@@QAEJH@Z, ?Release@Value@DirectUI@@QAEXXZ, ?GetExtent@Element@DirectUI@@QAEPBUtagSIZE@@PAPAVValue@2@@Z, ?Click@Button@DirectUI@@SG?AVUID@@XZ, ?GetID@Element@DirectUI@@QAEGXZ, ?KeyboardNavigate@Element@DirectUI@@SG?AVUID@@XZ, ?OnEvent@HWNDElement@DirectUI@@UAEXPAUEvent@2@@Z, ?OnDestroy@HWNDElement@DirectUI@@UAEXXZ, ?Create@NativeHWNDHost@DirectUI@@SGJPBGPAUHWND__@@PAUHICON__@@HHHHHHIPAPAV12@@Z, ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ, ?Initialize@HWNDElement@DirectUI@@QAEJPAUHWND__@@_NIPAVElement@2@PAK@Z, ?SetAccessible@Element@DirectUI@@QAEJ_N@Z, ?SetAccRole@Element@DirectUI@@QAEJH@Z, ?SetVisible@Element@DirectUI@@QAEJ_N@Z, ?Host@NativeHWNDHost@DirectUI@@QAEXPAVElement@2@@Z, ?ShowWindow@NativeHWNDHost@DirectUI@@QAEXH@Z, ?Destroy@Element@DirectUI@@QAEJ_N@Z, ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z, ?Create@DUIXmlParser@DirectUI@@SGJPAPAV12@P6GPAVValue@2@PBGPAX@Z2P6GX11H2@Z2@Z, ?SetXMLFromResource@DUIXmlParser@DirectUI@@QAEJIPAUHINSTANCE__@@0@Z, ?Destroy@DUIXmlParser@DirectUI@@QAEXXZ, DisableAnimations, ?StartNavigate@Browser@DirectUI@@SG?AVUID@@XZ, ?FireEvent@Element@DirectUI@@QAEXPAUEvent@2@_N1@Z, ?UpdateSheets@DUIXmlParser@DirectUI@@QAEJPAVElement@2@@Z, ?GetEnabled@Element@DirectUI@@QAE_NXZ, ?GetDPI@Element@DirectUI@@QAEHXZ, ??0ScrollViewer@DirectUI@@QAE@XZ, ??1ScrollViewer@DirectUI@@UAE@XZ, ?OnPropertyChanging@BaseScrollViewer@DirectUI@@UAE_NPBUPropertyInfo@2@HPAVValue@2@1@Z, 
?OnPropertyChanged@ScrollViewer@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z, ?OnInput@BaseScrollViewer@DirectUI@@UAEXPAUInputEvent@2@@Z, ?OnEvent@BaseScrollViewer@DirectUI@@UAEXPAUEvent@2@@Z, ?Add@BaseScrollViewer@DirectUI@@UAEJPAPAVElement@2@I@Z, ?CreateScrollBars@ScrollViewer@DirectUI@@MAEJXZ, ?AddChildren@ScrollViewer@DirectUI@@MAEJXZ, ?OnListenerAttach@BaseScrollViewer@DirectUI@@UAEXPAVElement@2@@Z, ?OnListenerDetach@BaseScrollViewer@DirectUI@@UAEXPAVElement@2@@Z, ?OnListenedPropertyChanging@BaseScrollViewer@DirectUI@@UAE_NPAVElement@2@PBUPropertyInfo@2@HPAVValue@2@2@Z, ?OnListenedPropertyChanged@ScrollViewer@DirectUI@@UAEXPAVElement@2@PBUPropertyInfo@2@HPAVValue@2@2@Z, ?OnListenedInput@BaseScrollViewer@DirectUI@@UAEXPAVElement@2@PAUInputEvent@2@@Z, ?OnListenedEvent@BaseScrollViewer@DirectUI@@UAEXPAVElement@2@PAUEvent@2@@Z, ?GetClassInfoPtr@Expando@DirectUI@@SGPAUIClassInfo@2@XZ, ?GetClassInfoPtr@ScrollViewer@DirectUI@@SGPAUIClassInfo@2@XZ, ?Initialize@BaseScrollViewer@DirectUI@@QAEJPAVElement@2@PAK@Z, ?_PostEvent@Element@DirectUI@@AAEXPAUEvent@2@H@Z, ?Register@ScrollViewer@DirectUI@@SGJXZ, ?GetHScroll@ScrollViewer@DirectUI@@MAEPAVBaseScrollBar@2@XZ, ?GetVScroll@ScrollViewer@DirectUI@@MAEPAVBaseScrollBar@2@XZ, ?SetPadding@Element@DirectUI@@QAEJHHHH@Z, ?SetXOffset@BaseScrollViewer@DirectUI@@QAEJH@Z, ?XOffsetProp@BaseScrollViewer@DirectUI@@SGPBUPropertyInfo@2@XZ, ?SetHeight@Element@DirectUI@@QAEJH@Z, ?GetDesiredSize@Element@DirectUI@@QAEPBUtagSIZE@@XZ, ??1DCSurface@DirectUI@@UAE@XZ, ??0DCSurface@DirectUI@@QAE@PAUHDC__@@@Z, ?RemoveListener@Element@DirectUI@@QAEXPAUIElementListener@2@@Z, ?Init@NavReference@DirectUI@@QAEXPAVElement@2@PAUtagRECT@@@Z, ?Remove@Element@DirectUI@@QAEJPAV12@@Z, ?ExpandCollapse_ExpandCollapseState_Property@Schema@DirectUI@@2HA, ?GetIndex@Element@DirectUI@@QAEHXZ, ??0IProvider@DirectUI@@QAE@XZ, ?AdviseEventRemoved@ElementProvider@DirectUI@@UAGJHPAUtagSAFEARRAY@@@Z, ?AdviseEventAdded@ElementProvider@DirectUI@@UAGJHPAUtagSAFEARRAY@@@Z, 
?get_FragmentRoot@ElementProvider@DirectUI@@UAGJPAPAUIRawElementProviderFragmentRoot@@@Z, ?SetFocus@ElementProvider@DirectUI@@UAGJXZ, ?GetEmbeddedFragmentRoots@ElementProvider@DirectUI@@UAGJPAPAUtagSAFEARRAY@@@Z, ?get_BoundingRectangle@ElementProvider@DirectUI@@UAGJPAUUiaRect@@@Z, ?GetRuntimeId@ElementProvider@DirectUI@@UAGJPAPAUtagSAFEARRAY@@@Z, ?Navigate@ElementProvider@DirectUI@@UAGJW4NavigateDirection@@PAPAUIRawElementProviderFragment@@@Z, ?ShowContextMenu@ElementProvider@DirectUI@@UAGJXZ, ?get_HostRawElementProvider@ElementProvider@DirectUI@@UAGJPAPAUIRawElementProviderSimple@@@Z, ?GetPropertyValue@ElementProvider@DirectUI@@UAGJHPAUtagVARIANT@@@Z, ?get_ProviderOptions@ElementProvider@DirectUI@@UAGJPAW4ProviderOptions@@@Z, ?TossElement@ElementProvider@DirectUI@@UAEXXZ, ?QueryInterface@ElementProvider@DirectUI@@UAGJABU_GUID@@PAPAX@Z, ?Create@ElementProvider@DirectUI@@SGJPAVElement@2@PAVInvokeHelper@2@PAPAV12@@Z, ?Create@HWNDElementProvider@DirectUI@@SGJPAVHWNDElement@2@PAVInvokeHelper@2@PAPAV12@@Z, ?Find@ElementProviderManager@DirectUI@@SGPAVElementProvider@2@PAVElement@2@@Z, ??1ElementProvider@DirectUI@@UAE@XZ, ??0RefcountBase@DirectUI@@QAE@XZ, ??0ElementProvider@DirectUI@@QAE@XZ, ??0ProviderProxy@DirectUI@@IAE@XZ, ??0ElementProxy@DirectUI@@IAE@XZ, ?GetInvokeHelper@InvokeManager@DirectUI@@SGJPAPAVInvokeHelper@2@@Z, ?Init@ProviderProxy@DirectUI@@MAEXPAVElement@2@@Z, ?CreatePatternProvider@Schema@DirectUI@@SGJW4Pattern@12@PAVElementProvider@2@PAPAUIUnknown@@@Z, ?IsPatternSupported@ElementProxy@DirectUI@@IAEJW4Pattern@Schema@2@PA_N@Z, ?AddRef@RefcountBase@DirectUI@@QAEJXZ, ?Release@RefcountBase@DirectUI@@QAEJXZ, ?AddRef@ElementProvider@DirectUI@@UAGKXZ, ?TossPatternProvider@ElementProvider@DirectUI@@QAEXW4Pattern@Schema@2@@Z, ??1RefcountBase@DirectUI@@UAE@XZ, ?DoInvokeArgs@ElementProvider@DirectUI@@QAEJHP6GPAVProviderProxy@2@PAVElement@2@@ZPAD@Z, ?GetElement@ElementProvider@DirectUI@@UAEPDVElement@2@XZ, ?Init@ElementProxy@DirectUI@@MAEXPAVElement@2@@Z, 
?DoMethod@ElementProxy@DirectUI@@UAEJHPAD@Z, ?GetProperty@ElementProxy@DirectUI@@IAEJPAUtagVARIANT@@H@Z, ?Release@ElementProvider@DirectUI@@UAGKXZ, ?Init@ElementProvider@DirectUI@@MAEJPAVElement@2@PAVInvokeHelper@2@@Z, ??1AutoLock@DirectUI@@QAE@XZ, ??0AutoLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z, ?DoInvoke@ElementProvider@DirectUI@@IAAJHZZ, ?PatternFromPatternId@Schema@DirectUI@@SG?AW4Pattern@12@H@Z, ?DataGridControlType@Schema@DirectUI@@2HA, ?SelectionPattern@Schema@DirectUI@@2HA, ?TablePattern@Schema@DirectUI@@2HA, ?InvokePattern@Schema@DirectUI@@2HA, ?TableItemPattern@Schema@DirectUI@@2HA, ?IsControlElementProperty@Schema@DirectUI@@2HA, ?IsContentElementProperty@Schema@DirectUI@@2HA, ?TreeItemControlType@Schema@DirectUI@@2HA, ?ListItemControlType@Schema@DirectUI@@2HA, ?ControlTypeProperty@Schema@DirectUI@@2HA, ?GridPattern@Schema@DirectUI@@2HA, ?SelectionItemPattern@Schema@DirectUI@@2HA, ?ExpandCollapsePattern@Schema@DirectUI@@2HA, ?GridItemPattern@Schema@DirectUI@@2HA, ?GetExpanded@Expandable@DirectUI@@QAE_NXZ, ?UiaRaiseAutomationPropertyChangedEvent@Schema@DirectUI@@2P6GJPAUIRawElementProviderSimple@@HUtagVARIANT@@1@ZA, ?GetAccessible@Element@DirectUI@@QAE_NXZ, ?WantPropertyEvent@EventManager@DirectUI@@SG_NH@Z, ?FWantAnyEvent@EventManager@DirectUI@@SG_NPAVElement@2@@Z, ?OnReceivedDialogFocus@Button@DirectUI@@UAE_NPAUIDialogElement@2@@Z, ?OnLostDialogFocus@Button@DirectUI@@UAE_NPAUIDialogElement@2@@Z, ?DefaultAction@Button@DirectUI@@UAEJXZ, ?OnInput@Button@DirectUI@@UAEXPAUInputEvent@2@@Z, ??1Button@DirectUI@@UAE@XZ, ??0Button@DirectUI@@QAE@XZ, ?GetClassInfoPtr@Button@DirectUI@@SGPAUIClassInfo@2@XZ, ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ, ?Register@Button@DirectUI@@SGJXZ, ?Register@Element@DirectUI@@SGJXZ, ?OnDestroy@Element@DirectUI@@UAEXXZ, ?OnEvent@Element@DirectUI@@UAEXPAUEvent@2@@Z, ?GetAccessibleImpl@Element@DirectUI@@UAEJPAPAUIAccessible@@@Z, ?KeyFocusedProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, 
?OnPropertyChanged@Button@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z, ?GetBackgroundColor@Element@DirectUI@@QAEPBUFill@2@PAPAVValue@2@@Z, ?Initialize@Button@DirectUI@@QAEJIPAVElement@2@PAK@Z, ?OnPropertyChanged@Element@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z, ?GetClass@Element@DirectUI@@QAEPBGPAPAVValue@2@@Z, ?SetForegroundColor@Element@DirectUI@@QAEJK@Z, ?SetFontStyle@Element@DirectUI@@QAEJH@Z, ?SetFontWeight@Element@DirectUI@@QAEJH@Z, ?GetSelected@Element@DirectUI@@QAE_NXZ, ?GetFontStyle@Element@DirectUI@@QAEHXZ, ?GetVisible@Element@DirectUI@@QAE_NXZ, ?SetAccValue@Element@DirectUI@@QAEJPBG@Z, ?GetBool@Value@DirectUI@@QAE_NXZ, ?GetValue@Element@DirectUI@@QAEPAVValue@2@PBUPropertyInfo@2@HPAUUpdateCache@2@@Z, ?SetValue@Element@DirectUI@@QAEJPBUPropertyInfo@2@HPAVValue@2@@Z, ?SetExpanded@Expandable@DirectUI@@QAEJ_N@Z, ?SetPressed@Button@DirectUI@@QAEJ_N@Z, ?GetBoolFalse@Value@DirectUI@@SGPAV12@XZ, ?SetBackgroundColor@Element@DirectUI@@QAEJK@Z, ?SetBorderThickness@Element@DirectUI@@QAEJHHHH@Z, ?CreateBool@Value@DirectUI@@SGPAV12@_N@Z, ?GetContentString@Element@DirectUI@@QAEPBGPAPAVValue@2@@Z, ?SetAnimation@Element@DirectUI@@QAEJH@Z, ?GetChildren@Element@DirectUI@@QAEPAV?$DynamicArray@PAVElement@DirectUI@@$0A@@2@PAPAVValue@2@@Z, ?HeightProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, ?SortChildren@Element@DirectUI@@QAEJP6AHPBX0@Z@Z, ?LayoutPosProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, ?RemoveLocalValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZ@Z, ?HasPadding@Element@DirectUI@@QAE_NXZ, ?Initialize@Element@DirectUI@@QAEJIPAV12@PAK@Z, ??1Element@DirectUI@@UAE@XZ, ??0Element@DirectUI@@QAE@XZ, ?SetBorderColor@Element@DirectUI@@QAEJK@Z, ?HasBorder@Element@DirectUI@@QAE_NXZ, ?GetInt@Value@DirectUI@@QAEHXZ, ?GetType@Value@DirectUI@@QBEHXZ, ?CustomProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, ?GetValue@Element@DirectUI@@QAEPAVValue@2@P6GPBUPropertyInfo@2@XZHPAUUpdateCache@2@@Z, ?CreateInt@Value@DirectUI@@SGPAV12@HW4DynamicScaleValue@@@Z, 
?KeyWithinProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, ?MouseWithinProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, ?SetEnabled@Element@DirectUI@@QAEJ_N@Z, ?SetActive@Element@DirectUI@@QAEJH@Z, ?Destroy@Layout@DirectUI@@QAEXXZ, ?SetLayout@Element@DirectUI@@QAEJPAVLayout@2@@Z, ?Create@GridLayout@DirectUI@@SGJHHPAPAVLayout@2@@Z, ?HasChildren@Element@DirectUI@@QAE_NXZ, ?SetClass@Element@DirectUI@@QAEJPBG@Z, ?GetKeyWithin@Element@DirectUI@@QAE_NXZ, ?GetMouseWithin@Element@DirectUI@@QAE_NXZ, ?Insert@Element@DirectUI@@QAEJPAV12@I@Z, ?SetID@Element@DirectUI@@QAEJPBG@Z, ?SetMinSize@Element@DirectUI@@QAEJHH@Z, ?IsDescendent@Element@DirectUI@@QAE_NPAV12@@Z, EnableAnimations, ?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z, ?Add@Element@DirectUI@@QAEJPAV12@@Z, ?SetAccDesc@Element@DirectUI@@QAEJPBG@Z, ?SetTooltip@Element@DirectUI@@QAEJ_N@Z, ?SetSelected@Element@DirectUI@@QAEJ_N@Z, ?SetXScrollable@BaseScrollViewer@DirectUI@@QAEJ_N@Z, ?GetWidth@Element@DirectUI@@QAEHXZ, ?SetWidth@Element@DirectUI@@QAEJH@Z, ?GetSize@Value@DirectUI@@QAEPBUtagSIZE@@XZ, ?ExtentProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, ?GetKeyFocusedElement@HWNDElement@DirectUI@@SGPAVElement@2@XZ, UnInitProcessPriv, UnInitThread, InitThread, InitProcessPriv, ?OnInput@Element@DirectUI@@UAEXPAUInputEvent@2@@Z, ?IsDestroyed@Element@DirectUI@@QAE_NXZ, ?GetLocation@Element@DirectUI@@QAEPBUtagPOINT@@PAPAVValue@2@@Z, ?GetParent@Element@DirectUI@@QAEPAV12@XZ, ?SetX@Element@DirectUI@@QAEJH@Z, ?GetPadding@Element@DirectUI@@QAEPBUtagRECT@@PAPAVValue@2@@Z, ?GetBorderThickness@Element@DirectUI@@QAEPBUtagRECT@@PAPAVValue@2@@Z, ?SetContentAlign@Element@DirectUI@@QAEJH@Z, ?ContentProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ, ?SetValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZHPAVValue@2@@Z, ?CreateGraphic@Value@DirectUI@@SGPAV12@PAUHICON__@@_N11@Z, ?OnNotify@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z, ?OnPropertyChanged@HWNDHost@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z, 
?GetClassInfoPtr@HWNDHost@DirectUI@@SGPAUIClassInfo@2@XZ, ?Register@HWNDHost@DirectUI@@SGJXZ, ?OnInput@HWNDHost@DirectUI@@UAEXPAUInputEvent@2@@Z, ?SetAccName@Element@DirectUI@@QAEJPBG@Z, ?SetContentString@Element@DirectUI@@QAEJPBG@Z, ?Release@Element@DirectUI@@QAGKXZ, ?Initialize@HWNDHost@DirectUI@@QAEJIIPAVElement@2@PAK@Z, ??1HWNDHost@DirectUI@@UAE@XZ, ??0HWNDHost@DirectUI@@QAE@XZ, ??1CCListView@DirectUI@@UAE@XZ, ?PostCreate@CCBase@DirectUI@@MAEXPAUHWND__@@@Z, ?OnReceivedDialogFocus@CCBase@DirectUI@@UAE_NPAUIDialogElement@2@@Z, ?OnLostDialogFocus@CCBase@DirectUI@@UAE_NPAUIDialogElement@2@@Z, ?OnCustomDraw@CCBase@DirectUI@@UAE_NPAUtagNMCUSTOMDRAWINFO@@PAJ@Z, ?EraseBkgnd@HWNDHost@DirectUI@@MAE_NPAUHDC__@@PAJ@Z, ?SetWindowDirection@HWNDHost@DirectUI@@UAEXPAUHWND__@@@Z, ?OnWindowStyleChanged@HWNDHost@DirectUI@@UAEXIPBUtagSTYLESTRUCT@@@Z, ?OnCtrlThemeChanged@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z, ?OnSinkThemeChanged@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z, ?OnSysChar@HWNDHost@DirectUI@@UAE_NG@Z, ?DefaultAction@CCBase@DirectUI@@UAEJXZ, ?GetAccessibleImpl@HWNDHost@DirectUI@@UAEJPAPAUIAccessible@@@Z, ?GetKeyFocused@HWNDHost@DirectUI@@UAE_NXZ, ?RemoveTooltip@Element@DirectUI@@MAEXPAV12@@Z, ?ActivateTooltip@Element@DirectUI@@MAEXPAV12@K@Z, ?UpdateTooltip@Element@DirectUI@@MAEXPAV12@@Z, ?OnUnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z, ?OnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z, ?MessageCallback@HWNDHost@DirectUI@@UAEIPAUtagGMSG@@@Z, ?GetContentSize@CCListView@DirectUI@@UAE?AUtagSIZE@@HHPAVSurface@2@@Z, ?Paint@HWNDHost@DirectUI@@UAEXPAUHDC__@@PBUtagRECT@@1PAU4@2@Z, ?OnEvent@HWNDHost@DirectUI@@UAEXPAUEvent@2@@Z, ?OnDestroy@HWNDHost@DirectUI@@UAEXXZ, ?OnGroupChanged@Element@DirectUI@@UAEXH_N@Z, ?GetLayoutPos@Element@DirectUI@@QAEHXZ, ?OnPropertyChanged@CCBase@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z, ?GetClassInfoPtr@CCListView@DirectUI@@SGPAUIClassInfo@2@XZ, ?OnThemeChanged@HWNDElement@DirectUI@@UAEXPAUThemeChangedEvent@2@@Z, ?Register@CCListView@DirectUI@@SGJXZ, 
?OnInput@CCBase@DirectUI@@UAEXPAUInputEvent@2@@Z, ?GetDisplayNode@Element@DirectUI@@QAEPAUHGADGET__@@XZ, ?SetKeyFocus@HWNDHost@DirectUI@@UAEXXZ, ?OnNotify@CCBase@DirectUI@@UAE_NIIJPAJ@Z, ?OnMessage@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z, ?GetRootRelativeBounds@Element@DirectUI@@QAEJPAUtagRECT@@@Z, ?OnAdjustWindowSize@HWNDHost@DirectUI@@UAEHHHI@Z, ?GetHWND@HWNDHost@DirectUI@@UAEPAUHWND__@@XZ, ?SetWinStyle@CCBase@DirectUI@@QAEJH@Z, ?Initialize@CCListView@DirectUI@@QAEJIPAVElement@2@PAK@Z, ?CreateHWND@CCBase@DirectUI@@UAEPAUHWND__@@PAU3@@Z, ??0CCListView@DirectUI@@QAE@XZ, ?AssertPIZeroRef@ClassInfoBase@DirectUI@@UBEXXZ, ?GetChildren@ClassInfoBase@DirectUI@@UBEHXZ, ?RemoveChild@ClassInfoBase@DirectUI@@UAEXXZ, ?AddChild@ClassInfoBase@DirectUI@@UAEXXZ, ?IsGlobal@ClassInfoBase@DirectUI@@UBE_NXZ, ?GetModule@ClassInfoBase@DirectUI@@UBEPAUHINSTANCE__@@XZ, ?IsSubclassOf@ClassInfoBase@DirectUI@@UBE_NPAUIClassInfo@2@@Z, ?IsValidProperty@ClassInfoBase@DirectUI@@UBE_NPBUPropertyInfo@2@@Z, ?GetName@ClassInfoBase@DirectUI@@UBEPBGXZ, ?GetGlobalIndex@ClassInfoBase@DirectUI@@UBEIXZ, ?GetPICount@ClassInfoBase@DirectUI@@UBEIXZ, ?GetByClassIndex@ClassInfoBase@DirectUI@@UAEPBUPropertyInfo@2@I@Z, ?EnumPropertyInfo@ClassInfoBase@DirectUI@@UAEPBUPropertyInfo@2@I@Z, ?Release@ClassInfoBase@DirectUI@@UAEHXZ, ?AddRef@ClassInfoBase@DirectUI@@UAEXXZ, ?_OnUIStateChanged@HWNDElement@DirectUI@@MAEXGG@Z, ?GetWindowClassNameAndStyle@HWNDElement@DirectUI@@UAEXPAPBGPAI@Z, ?IsMSAAEnabled@HWNDElement@DirectUI@@UAE_NXZ, ?CanSetFocus@HWNDElement@DirectUI@@UAE_NXZ, ?OnCompositionChanged@HWNDElement@DirectUI@@UAEXXZ, ?OnWmSettingChanged@HWNDElement@DirectUI@@UAEXIJ@Z, ?OnWmThemeChanged@HWNDElement@DirectUI@@UAEXIJ@Z, ?OnGetDlgCode@HWNDElement@DirectUI@@UAEXPAUtagMSG@@PAJ@Z, ?OnNoChildWithShortcutFound@HWNDElement@DirectUI@@UAEXPAUKeyboardEvent@2@@Z, ?OnImmersiveColorSchemeChanged@HWNDElement@DirectUI@@UAEXXZ, ?GetUiaFocusDelegate@Element@DirectUI@@UAEPAV12@XZ, 
?HandleUiaEventListener@Element@DirectUI@@UAEXPAUEvent@2@@Z, ?HandleUiaPropertyChangingListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@@Z, ?HandleUiaPropertyListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z, ?HandleUiaDestroyListener@Element@DirectUI@@UAEXXZ, ?GetElementProviderImpl@Element@DirectUI@@UAEJPAVInvokeHelper@2@PAPAVElementProvider@2@@Z, ?GetUIAElementProvider@Element@DirectUI@@UAEJABU_GUID@@PAPAX@Z, ?DefaultAction@Element@DirectUI@@UAEJXZ, ?GetAccessibleImpl@HWNDElement@DirectUI@@UAEJPAPAUIAccessible@@@Z, ?GetKeyFocused@Element@DirectUI@@UAE_NXZ, ?RemoveTooltip@HWNDElement@DirectUI@@UAEXPAVElement@2@@Z, ?ActivateTooltip@HWNDElement@DirectUI@@UAEXPAVElement@2@K@Z, ?UpdateTooltip@HWNDElement@DirectUI@@UAEXPAVElement@2@@Z, ?OnUnHosted@Element@DirectUI@@MAEXPAV12@@Z, ?OnHosted@Element@DirectUI@@MAEXPAV12@@Z, ?_SelfLayoutUpdateDesiredSize@Element@DirectUI@@MAE?AUtagSIZE@@HHPAVSurface@2@@Z, ?_SelfLayoutDoLayout@Element@DirectUI@@MAEXHH@Z, ?GetImmersiveFocusRectOffsets@Element@DirectUI@@UAEXPAUtagRECT@@@Z, ?QueryInterface@Element@DirectUI@@UAGJABU_GUID@@PAPAX@Z, ?MessageCallback@Element@DirectUI@@UAEIPAUtagGMSG@@@Z, ?RemoveBehavior@Element@DirectUI@@UAEJPAUIDuiBehavior@@@Z, ?AddBehavior@Element@DirectUI@@UAEJPAUIDuiBehavior@@@Z, ?SetKeyFocus@Element@DirectUI@@UAEXXZ, ?EnsureVisible@Element@DirectUI@@UAE_NHHHH@Z, ?GetAdjacent@Element@DirectUI@@UAEPAV12@PAV12@HPBUNavReference@2@K@Z, ?Remove@Element@DirectUI@@UAEJPAPAV12@I@Z, ?Insert@Element@DirectUI@@UAEJPAPAV12@II@Z, ?Add@Element@DirectUI@@UAEJPAPAV12@I@Z, ?GetContentSize@Element@DirectUI@@UAE?AUtagSIZE@@HHPAVSurface@2@@Z, ?Paint@Element@DirectUI@@UAEXPAUHDC__@@PBUtagRECT@@1PAU4@2@Z, ?OnMouseFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z, ?OnKeyFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z, ?Register@HWNDElement@DirectUI@@SGJXZ, ??0CritSecLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z, ?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ, ?OnGroupChanged@HWNDElement@DirectUI@@UAEXH_N@Z, 
?OnPropertyChanged@Element@DirectUI@@UAEXPAUPropertyInfo@2@HPAVValue@2@1@Z, ?OnPropertyChanged@HWNDElement@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z, ?OnPropertyChanging@Element@DirectUI@@UAE_NPAUPropertyInfo@2@HPAVValue@2@1@Z, ??1CritSecLock@DirectUI@@QAE@XZ, ?OnPropertyChanging@Element@DirectUI@@UAE_NPBUPropertyInfo@2@HPAVValue@2@1@Z, ?GetContentStringAsDisplayed@Element@DirectUI@@UAEPBGPAPAVValue@2@@Z, ?IsContentProtected@Element@DirectUI@@UAE_NXZ, ?IsRTL@Element@DirectUI@@QAE_NXZ, ?IsRTLReading@Element@DirectUI@@UAE_NXZ, ??1ClassInfoBase@DirectUI@@UAE@XZ, ??0ClassInfoBase@DirectUI@@QAE@XZ, ?GetClassInfoPtr@HWNDElement@DirectUI@@SGPAUIClassInfo@2@XZ, ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z, ?Register@ClassInfoBase@DirectUI@@QAEJXZ, ?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z
    VDMDBG.dll: VDMEnumTaskWOWEx, VDMEnumProcessWOW, VDMTerminateTaskWOW
    api-ms-win-core-appcompat-l1-1-1.dll: BaseFreeAppCompatDataForProcess, BaseReadAppCompatDataForProcess
    pdh.dll: PdhAddCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetRawCounterArrayW, PdhGetFormattedCounterArrayW, PdhOpenQueryW
    dxgi.dll: DXGIDeclareAdapterRemovalSupport, CreateDXGIFactory1
    SETUPAPI.dll: SetupDiGetClassDevsW, SetupDiGetDevicePropertyW, SetupDiEnumDeviceInfo
    d3d11.dll: D3D11CreateDevice
    d3d12.dll
    KERNEL32.dll: ParseApplicationUserModelId, PackageFamilyNameFromFullName, GetPackageFullName, SetProcessWorkingSetSize, GetNumberFormatW, GetActiveProcessorGroupCount, RegisterApplicationRestart
    api-ms-win-eventing-classicprovider-l1-1-0.dll: TraceMessage
    api-ms-win-core-delayload-l1-1-1.dll: ResolveDelayLoadedAPI
    api-ms-win-core-delayload-l1-1-0.dll: DelayLoadFailureHook
    api-ms-win-core-apiquery-l1-1-0.dll: ApiSetQueryApiSetPresence
    Language of compilation system:English
    Country where language is spoken:United States
    No network behavior found

    Target ID:0
    Start time:21:21:55
    Start date:23/11/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0x5c0000
    File size:1'278'832 bytes
    MD5 hash:A00D324C74F00710CED44B8C7F1A3561
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

    Target ID:4
    Start time:21:21:56
    Start date:23/11/2024
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460
    Imagebase:0xbe0000
    File size:483'680 bytes
    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

      Execution Graph

      Execution Coverage:4.6%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:31.6%
      Total number of Nodes:2000
      Total number of Limit Nodes:32
54579->54592 54581->54578 54583 619adc 54581->54583 54584 619b18 54583->54584 54585 619ae9 AcquireSRWLockExclusive 54583->54585 54584->54578 54586 619b0d 54585->54586 54587 619afc 54585->54587 54586->54584 54588 619b11 ReleaseSRWLockExclusive 54586->54588 54593 642bb5 54587->54593 54588->54584 54592->54581 54594 642bc6 54593->54594 54595 619b03 54593->54595 54603 6190ee GetLastError 54594->54603 54599 5e34f4 54595->54599 54597 642bce 54604 619103 SetLastError 54597->54604 54600 5e3504 54599->54600 54601 5e351d 54600->54601 54605 5e3530 54600->54605 54601->54586 54603->54597 54604->54595 54606 5e353b 54605->54606 54608 5e354f 54605->54608 54618 61acdd 54606->54618 54610 5e3599 54608->54610 54629 61afb1 AcquireSRWLockExclusive 54608->54629 54610->54601 54612 5e357b 54630 5e35a1 12 API calls 54612->54630 54614 5e3582 54631 61ad39 6 API calls 54614->54631 54616 5e3591 54632 6195f3 ReleaseSRWLockExclusive 54616->54632 54619 61acf1 54618->54619 54627 5e354b 54618->54627 54633 5e5f80 54619->54633 54622 61acfa AcquireSRWLockExclusive 54641 619a9d 8 API calls 54622->54641 54624 61ad0c 54642 61ad39 6 API calls 54624->54642 54626 61ad1a 54626->54627 54628 61ad2b ReleaseSRWLockExclusive 54626->54628 54627->54601 54628->54627 54629->54612 54630->54614 54631->54616 54632->54610 54634 5e5f92 54633->54634 54640 5e5fb9 54633->54640 54643 5deca7 54634->54643 54638 5e5fa8 54648 6195f3 ReleaseSRWLockExclusive 54638->54648 54640->54622 54640->54627 54641->54624 54642->54626 54644 5decb6 54643->54644 54646 5decc4 54643->54646 54649 5dee3c GetCurrentProcessId 54644->54649 54647 61afb1 AcquireSRWLockExclusive 54646->54647 54647->54638 54648->54640 54650 5f7a70 ctype _vsnwprintf 54649->54650 54651 5dee7d CreateMutexExW 54650->54651 54652 5dfa3b CloseHandle GetLastError SetLastError 54651->54652 54653 5deea6 ctype 54652->54653 54654 5deebe 54653->54654 54655 5deeb5 54653->54655 54656 5df812 107 API calls 54654->54656 54657 619126 107 API calls 54655->54657 54658 5deed3 54656->54658 54659 
5deeba 54657->54659 54660 5dece5 107 API calls 54658->54660 54662 5dfa2b CloseHandle CloseHandle CloseHandle 54659->54662 54661 5deeea 54660->54661 54663 5deef0 54661->54663 54666 5def35 54661->54666 54671 5def01 54661->54671 54664 5def22 54662->54664 54669 6428f8 107 API calls 54663->54669 54665 617990 ctype SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 54664->54665 54668 5def31 54665->54668 54667 5def89 107 API calls 54666->54667 54670 5def47 54667->54670 54668->54646 54669->54671 54670->54663 54670->54671 54671->54659 54672 5dfaee ReleaseMutex 54671->54672 54672->54659 54673 60a630 54674 60a680 54673->54674 54675 60b308 54673->54675 54678 60b03c 54674->54678 54681 60b005 54674->54681 54682 60a69b 54674->54682 55075 617d2b ReleaseSRWLockExclusive AcquireSRWLockExclusive SleepConditionVariableSRW 54675->55075 54677 60b312 54677->54674 54679 60b322 GetTickCount64 54677->54679 54680 60b2eb DefWindowProcW 54678->54680 54685 60b295 54678->54685 54686 60b04e 54678->54686 55076 617cea WakeAllConditionVariable AcquireSRWLockExclusive ReleaseSRWLockExclusive 54679->55076 54688 617990 ctype 4 API calls 54680->54688 55009 61a168 54681->55009 54687 60adc9 54682->54687 54693 60a6ad 54682->54693 54694 60a9be 54682->54694 54689 60b2d6 54685->54689 54690 60b29a IsWindowEnabled 54685->54690 54686->54680 54703 60b182 54686->54703 54704 60b0e2 54686->54704 54705 60b0a5 54686->54705 54706 60b167 54686->54706 54707 60b0c7 54686->54707 54708 60b06d 54686->54708 54709 60b1b3 54686->54709 54710 60b1f7 54686->54710 54711 60b0fc 54686->54711 54696 60add5 54687->54696 54697 60afbf 54687->54697 54695 60b302 54688->54695 54702 617990 ctype 4 API calls 54689->54702 54690->54689 54700 60b2a5 54690->54700 54691 60b33d 54691->54674 54693->54680 54727 60a751 54693->54727 54728 60a713 54693->54728 54729 60a915 54693->54729 54730 60a996 54693->54730 54731 60a6c7 LoadIconW 54693->54731 54732 60a838 54693->54732 54733 60a94a 54693->54733 54694->54689 54718 
60a9da 54694->54718 54719 60ad5f 54694->54719 54698 60ae91 54696->54698 54699 60addb 54696->54699 54712 60afc8 54697->54712 54713 60afe9 54697->54713 54698->54689 54748 60aea5 54698->54748 54828 60af66 54698->54828 54714 60ade4 54699->54714 54715 60ae4f 54699->54715 54700->54689 54745 60b2c9 54700->54745 54775 60b2bc 54700->54775 54701 60b025 GetCurrentThreadId 54701->54678 54724 60b2e5 54702->54724 54703->54689 54722 60b18b 54703->54722 55067 61ae6e 119 API calls ctype 54704->55067 55065 642cbf 3837 API calls ctype 54705->55065 55069 643b4f 3498 API calls 54706->55069 55066 61a6a0 63 API calls 54707->55066 54708->54689 54741 60b08b 54708->54741 54709->54689 55071 643483 3871 API calls ctype 54709->55071 55072 5e9ae8 8 API calls ctype 54710->55072 54711->54689 54717 60b11d 54711->54717 54712->54680 54725 60afd1 54712->54725 54734 617990 ctype 4 API calls 54713->54734 54736 60ade9 54714->54736 54737 60ae2d 54714->54737 54715->54689 54744 60ae5b KillTimer 54715->54744 55068 5eaa74 3454 API calls ctype 54717->55068 54742 60a9e0 54718->54742 54743 60ad35 PostMessageW 54718->54743 54719->54689 54754 60ad6b GetTickCount64 54719->54754 55070 5eb14a 3449 API calls ctype 54722->55070 54758 617990 ctype 4 API calls 54725->54758 54727->54680 54771 60a768 54727->54771 54728->54689 54739 60a720 54728->54739 54729->54689 54756 60a91d 54729->54756 54982 60b59a 40 API calls ctype 54730->54982 54759 60a6eb SetTimer 54731->54759 54760 60a6dc SendMessageW 54731->54760 54750 60a85f 54732->54750 54751 60a83f GetFocus 54732->54751 54761 60a95a DestroyWindow 54733->54761 54762 60a96b 54733->54762 54735 60afff 54734->54735 54736->54680 54765 60adf4 54736->54765 55003 657587 11 API calls 54737->55003 54738 60b210 OpenIcon SetForegroundWindow SetWindowPos 54766 60b239 54738->54766 54767 60b27d 54738->54767 54976 6601b3 34 API calls ctype 54739->54976 55064 65f4c0 22 API calls 54741->55064 54742->54689 54798 60ada0 54742->54798 54799 60aa62 54742->54799 54800 60ac24 54742->54800 54801 60a928 
PostMessageW 54742->54801 54802 60aaa8 54742->54802 54803 60aaee 54742->54803 54804 60acd1 54742->54804 54805 60abf2 54742->54805 54806 60abd3 54742->54806 54807 60ab34 54742->54807 54808 60ac56 54742->54808 54809 60aa39 54742->54809 54810 60ab7a 54742->54810 54811 60ac7b 54742->54811 54812 60aa1b ShowWindow 54742->54812 54813 60a9fd ShowWindow 54742->54813 54783 617990 ctype 4 API calls 54743->54783 54773 60ae71 54744->54773 54774 60ae6c 54744->54774 55074 60c24f 3498 API calls ctype 54745->55074 54746 60b0b2 54776 617990 ctype 4 API calls 54746->54776 54747 60b0cd 54778 617990 ctype 4 API calls 54747->54778 54819 60aeaa 54748->54819 54823 60af0b 54748->54823 54749 60b0e7 54779 617990 ctype 4 API calls 54749->54779 54781 60a86f IsWindow 54750->54781 54826 60a8d4 54750->54826 54780 617990 ctype 4 API calls 54751->54780 54753 60b16d 54784 617990 ctype 4 API calls 54753->54784 54754->54689 54830 60ad8b 54754->54830 54980 60b59a 40 API calls ctype 54756->54980 54788 60afe3 54758->54788 54763 617990 ctype 4 API calls 54759->54763 54760->54759 54761->54762 54981 60b7ef 8 API calls ctype 54762->54981 54789 60a70d 54763->54789 54765->54689 54837 60ae00 54765->54837 54791 5edbe6 ctype 6 API calls 54766->54791 54796 617990 ctype 4 API calls 54767->54796 54769 60a9a1 PostQuitMessage 54793 617990 ctype 4 API calls 54769->54793 54977 60b558 8 API calls ctype 54771->54977 55005 60b59a 40 API calls ctype 54773->55005 55004 60b7af 7 API calls 54774->55004 55073 6438c3 59 API calls ctype 54775->55073 54817 60b0c1 54776->54817 54818 60b0dc 54778->54818 54820 60b0f6 54779->54820 54821 60a859 54780->54821 54822 60a87a SetFocus 54781->54822 54781->54826 54782 60b12e 54824 617990 ctype 4 API calls 54782->54824 54827 60ad59 54783->54827 54829 60b17c 54784->54829 54785 60b19e 54831 617990 ctype 4 API calls 54785->54831 54787 60b1d8 54787->54689 54832 60b1e0 GetCurrentThreadId 54787->54832 54790 60a97a DestroyWindow 54833 617990 ctype 4 API calls 54790->54833 54838 60b243 54791->54838 
54792 60a734 54839 617990 ctype 4 API calls 54792->54839 54840 60a9b8 54793->54840 54794 60ae3a 54841 617990 ctype 4 API calls 54794->54841 54843 60b28f 54796->54843 54797 60b090 54845 617990 ctype 4 API calls 54797->54845 55001 643483 3871 API calls ctype 54798->55001 54984 64383d 43 API calls ctype 54799->54984 54997 657680 CheckMenuRadioItem CheckMenuItem 54800->54997 54864 617990 ctype 4 API calls 54801->54864 54986 64383d 43 API calls ctype 54802->54986 54988 64383d 43 API calls ctype 54803->54988 55000 643483 3871 API calls ctype 54804->55000 54996 657680 CheckMenuRadioItem CheckMenuItem 54805->54996 54995 62ef43 155 API calls ctype 54806->54995 54990 64383d 43 API calls ctype 54807->54990 54998 643483 3871 API calls ctype 54808->54998 54983 643483 3871 API calls ctype 54809->54983 54834 60ab83 54810->54834 54835 60ab8d 54810->54835 54999 643483 3871 API calls ctype 54811->54999 54848 617990 ctype 4 API calls 54812->54848 54846 617990 ctype 4 API calls 54813->54846 54819->54689 54939 60aeee 54819->54939 54825 60a8f9 54822->54825 54856 60a88f 54822->54856 54823->54689 55007 62433c 783 API calls 54823->55007 54858 60b13d 54824->54858 54860 617990 ctype 4 API calls 54825->54860 54826->54825 54930 60a8f2 SetFocus 54826->54930 54828->54689 54915 60afa4 54828->54915 54830->54689 54830->54798 54862 60b1ad 54831->54862 54832->54710 54865 60a990 54833->54865 54992 61b4cd 5 API calls ctype 54834->54992 54993 62ecd8 23 API calls ctype 54835->54993 54836 60ae11 54869 617990 ctype 4 API calls 54836->54869 54837->54836 55002 61c1ad 5 API calls ctype 54837->55002 54838->54767 54894 5ed05c ctype 29 API calls 54838->54894 54870 60a74b 54839->54870 54871 60ae49 54841->54871 54842 60a76d GetClientRect SetWindowPos 54872 60a7a8 IsIconic 54842->54872 54937 60a7ca 54842->54937 54874 60b09f 54845->54874 54875 60aa15 54846->54875 54877 60aa33 54848->54877 54849 60ae7c 54878 617990 ctype 4 API calls 54849->54878 54856->54825 54885 60a898 
?GetKeyFocusedElement@HWNDElement@DirectUI@@SGPAVElement@2 54856->54885 54889 60a90f 54860->54889 54892 60a944 54864->54892 54895 60ae27 54869->54895 54896 60a7b3 54872->54896 54872->54937 54873 60abdd 54897 617990 ctype 4 API calls 54873->54897 54876 60ac0f 54898 617990 ctype 4 API calls 54876->54898 54899 60ae8b 54878->54899 54879 60aa43 54879->54689 54900 60aa4b GetCurrentThreadId 54879->54900 54880 60ac41 54901 617990 ctype 4 API calls 54880->54901 54881 60aa6c 54902 60aa70 GetCurrentThreadId 54881->54902 54903 60aa87 54881->54903 54882 60ac5c 54882->54689 54904 60ac64 GetCurrentThreadId 54882->54904 54883 60ac81 54905 60ac85 GetCurrentThreadId 54883->54905 54906 60ac9c CheckMenuItem 54883->54906 54884 60aab2 54907 60aab6 GetCurrentThreadId 54884->54907 54908 60aacd 54884->54908 54885->54825 54909 60a8a2 54885->54909 54887 60ace5 54911 60ad00 CheckMenuItem 54887->54911 54912 60ace9 GetCurrentThreadId 54887->54912 54888 60aaf8 54913 60ab13 54888->54913 54914 60aafc GetCurrentThreadId 54888->54914 54890 60ab3e 54916 60ab42 GetCurrentThreadId 54890->54916 54917 60ab59 54890->54917 54891 60adaa 54891->54689 54918 60adb2 GetCurrentThreadId 54891->54918 54893 60ab98 54919 60abb4 54893->54919 54994 61c20a 5 API calls ctype 54893->54994 54920 60b251 54894->54920 54921 5edbe6 ctype 6 API calls 54896->54921 54922 60abec 54897->54922 54923 60ac1e 54898->54923 54900->54799 54924 60ac50 54901->54924 54902->54903 54985 657680 CheckMenuRadioItem CheckMenuItem 54903->54985 54904->54811 54905->54906 54926 617990 ctype 4 API calls 54906->54926 54907->54908 54987 657680 CheckMenuRadioItem CheckMenuItem 54908->54987 54909->54825 54954 60a8b1 54909->54954 54910 60af32 54910->54689 54942 60af4b 54910->54942 54928 617990 ctype 4 API calls 54911->54928 54912->54911 54989 657680 CheckMenuRadioItem CheckMenuItem 54913->54989 54914->54913 54931 617990 ctype 4 API calls 54915->54931 54916->54917 54991 657680 CheckMenuRadioItem CheckMenuItem 54917->54991 54918->54687 54919->54689 54935 
60abbc GetCurrentThreadId 54919->54935 54920->54767 54934 60b255 54920->54934 54936 60a7bd 54921->54936 54940 60accb 54926->54940 54943 60ad2f 54928->54943 54930->54825 54945 60afb9 54931->54945 54948 60b26d PostMessageW 54934->54948 54949 60b25e PostMessageW 54934->54949 54935->54806 54936->54937 54950 60a7c1 ShowWindow 54936->54950 54937->54689 54978 60a517 66 API calls 54937->54978 54938 60aa93 54952 617990 ctype 4 API calls 54938->54952 55006 65c9b3 311 API calls 54939->55006 54941 60aad9 54955 617990 ctype 4 API calls 54941->54955 55008 651502 13 API calls ctype 54942->55008 54944 60ab1f 54957 617990 ctype 4 API calls 54944->54957 54946 60ab65 54947 617990 ctype 4 API calls 54946->54947 54958 60ab74 54947->54958 54948->54767 54949->54948 54950->54937 54960 60aaa2 54952->54960 54970 617990 ctype 4 API calls 54954->54970 54962 60aae8 54955->54962 54964 60ab2e 54957->54964 54959 60a7f7 54959->54689 54965 60a7ff GetCurrentThreadId 54959->54965 54961 60aef6 54966 617990 ctype 4 API calls 54961->54966 54963 60af51 54967 617990 ctype 4 API calls 54963->54967 54979 5e9ae8 8 API calls ctype 54965->54979 54969 60af05 54966->54969 54971 60af60 54967->54971 54973 60a8ce 54970->54973 54972 60a820 54974 617990 ctype 4 API calls 54972->54974 54975 60a832 54974->54975 54976->54792 54977->54842 54978->54959 54979->54972 54980->54801 54981->54790 54982->54769 54983->54879 54984->54881 54985->54938 54986->54884 54987->54941 54988->54888 54989->54944 54990->54890 54991->54946 54992->54835 54993->54893 54994->54919 54995->54873 54996->54876 54997->54880 54998->54882 54999->54883 55000->54887 55001->54891 55002->54836 55003->54794 55004->54773 55005->54849 55006->54961 55007->54910 55008->54963 55010 5edbe6 ctype 6 API calls 55009->55010 55011 61a190 StrToID ?FindDescendent@Element@DirectUI@@QAEPAV12@G 55010->55011 55012 61a1b5 StrToID 55011->55012 55013 61a1c6 StrToID 55011->55013 55014 61a1d5 ?FindDescendent@Element@DirectUI@@QAEPAV12@G 55012->55014 55013->55014 55015 61a1e4 
55014->55015 55016 61a1e8 DebugBreak 55014->55016 55015->55016 55019 61a1ee 55015->55019 55016->55019 55017 61a227 GetWindowLongW 55022 61a25d 55017->55022 55019->55017 55094 61b546 5 API calls ctype 55019->55094 55020 61a282 55023 61a292 55020->55023 55095 615ca4 IsZoomed IsIconic GetWindowRect GetWindowRect 55020->55095 55021 61a3ac ?SetVisible@Element@DirectUI@@QAEJ_N ?SetLayoutPos@Element@DirectUI@@QAEJH 55025 61a3d4 55021->55025 55026 61a3c8 55021->55026 55022->55020 55022->55021 55028 61a297 SetWindowLongW 55023->55028 55029 61a2a6 ?SetVisible@Element@DirectUI@@QAEJ_N ?SetLayoutPos@Element@DirectUI@@QAEJH 55023->55029 55031 61a3d9 SetWindowLongW 55025->55031 55032 61a3e8 SetWindowPos 55025->55032 55096 615ca4 IsZoomed IsIconic GetWindowRect GetWindowRect 55026->55096 55028->55029 55033 61a2ca SetWindowPos 55029->55033 55031->55032 55034 61a435 RedrawWindow 55032->55034 55035 61a417 GetLastError 55032->55035 55042 61a33b RedrawWindow 55033->55042 55043 61a30e GetLastError 55033->55043 55036 61a4a7 ?SetVisible@Element@DirectUI@@QAEJ_N 55034->55036 55037 61a44d ?SetVisible@Element@DirectUI@@QAEJ_N ?SetLayoutPos@Element@DirectUI@@QAEJH 55034->55037 55038 61a423 55035->55038 55039 61a4b3 ?SetLayoutPos@Element@DirectUI@@QAEJH 55036->55039 55047 61a36d 55037->55047 55038->55034 55041 61a4bd 55039->55041 55044 61a525 55041->55044 55049 61a4d8 55041->55049 55050 61a4cb 55041->55050 55045 61a353 ?SetVisible@Element@DirectUI@@QAEJ_N ?SetLayoutPos@Element@DirectUI@@QAEJH 55042->55045 55046 61a39b ?SetVisible@Element@DirectUI@@QAEJ_N 55042->55046 55048 61a31a 55043->55048 55051 61a53a 55044->55051 55101 63246e 5 API calls ctype 55044->55101 55045->55047 55046->55039 55077 6136a5 KiUserCallbackDispatcher 55047->55077 55048->55042 55098 5eac7e 3449 API calls 55049->55098 55097 60c24f 3498 API calls ctype 55050->55097 55057 60b01d 55051->55057 55102 61b4cd 5 API calls ctype 55051->55102 55056 61a4d6 55060 61a4df 55056->55060 55057->54689 55057->54701 55060->55044 55099 
668983 23 API calls ctype 55060->55099 55062 61a514 55062->55044 55100 66a0d0 170 API calls 55062->55100 55064->54797 55065->54746 55066->54747 55067->54749 55068->54782 55069->54753 55070->54785 55071->54787 55072->54738 55073->54745 55074->54689 55075->54677 55076->54691 55078 6136e6 GetClientRect 55077->55078 55079 640bf9 GetLastError 55077->55079 55080 640c55 GetLastError 55078->55080 55081 6136fe SetWindowPos 55078->55081 55082 640c05 55079->55082 55083 640c61 55080->55083 55084 640c76 GetLastError 55081->55084 55090 613727 55081->55090 55082->55078 55087 640c18 GetCurrentThreadId 55082->55087 55083->55081 55089 640c2c GetCurrentThreadId 55083->55089 55086 640c92 55084->55086 55084->55090 55085 617990 ctype 4 API calls 55088 613736 KiUserCallbackDispatcher 55085->55088 55091 640c3e 55087->55091 55088->55036 55089->55091 55090->55085 55103 5e9ae8 8 API calls ctype 55091->55103 55094->55017 55095->55023 55096->55025 55097->55056 55098->55060 55099->55062 55100->55044 55101->55051 55102->55057 55103->55090 55104 60dfb0 55105 60dfeb ?WndProc@HWNDElement@DirectUI@@UAEJPAUHWND__@@IIJ 55104->55105 55109 60e010 55104->55109 55106 60dffd 55105->55106 55107 617990 ctype 4 API calls 55106->55107 55108 60e00a 55107->55108 55109->55105 55110 63f184 55109->55110 55111 60e03e 55109->55111 55110->55105 55112 63f190 memset GetGestureInfo 55110->55112 55113 60e047 55111->55113 55114 63f168 SetGestureConfig 55111->55114 55112->55106 55115 63f1b9 55112->55115 55116 63f103 55113->55116 55117 60e053 55113->55117 55114->55105 55118 63f3f4 CloseGestureInfoHandle 55115->55118 55120 63f1d2 BeginPanningFeedback 55115->55120 55123 63f1ee 55115->55123 55116->55105 55130 6534df 14 API calls ctype 55116->55130 55117->55105 55121 63f0f7 55117->55121 55122 63f0cb EndPanningFeedback 55117->55122 55118->55106 55120->55118 55121->55105 55122->55121 55123->55118 55124 63f2f5 GetTickCount64 55123->55124 55125 63f37a 55123->55125 55129 63f313 55124->55129 55125->55118 55126 63f386 55125->55126 
55127 63f3b9 UpdatePanningFeedback 55125->55127 55126->55118 55128 63f3d9 UpdatePanningFeedback 55126->55128 55127->55126 55128->55118 55129->55125 55130->55121 55131 609855 GetKeyState 55132 6098a9 GetKeyState 55131->55132 55133 60988b GetKeyState 55131->55133 55135 6098c3 GetKeyState 55132->55135 55136 6098b6 GetKeyState 55132->55136 55133->55132 55134 609898 GetKeyState 55133->55134 55134->55132 55151 609977 55134->55151 55137 6098e4 RegGetValueW 55135->55137 55138 6098d0 GetKeyState 55135->55138 55136->55135 55136->55137 55140 60991a RegOpenKeyExW 55137->55140 55141 60990b 55137->55141 55138->55137 55139 6098dd 55138->55139 55139->55137 55143 609952 55140->55143 55144 60993b RegDeleteValueW RegCloseKey 55140->55144 55141->55140 55146 609956 GetCurrentThreadId 55143->55146 55149 60997f 55143->55149 55144->55143 55145 609ab1 55147 5edbe6 ctype 6 API calls 55145->55147 55148 609968 55146->55148 55150 609abb 55147->55150 55170 5e9ae8 8 API calls ctype 55148->55170 55149->55151 55171 64453a 30 API calls ctype 55149->55171 55154 609ae3 55150->55154 55155 609ada RegCloseKey 55150->55155 55151->55145 55174 609d3d 38 API calls ctype 55151->55174 55155->55154 55156 6099a6 55157 6099c0 55156->55157 55158 6099ac GetCurrentThreadId 55156->55158 55172 644081 14 API calls 55157->55172 55158->55148 55160 6099c7 ctype 55161 6099e1 RegGetValueW 55160->55161 55162 6099da 55160->55162 55161->55151 55163 609a1d 55161->55163 55162->55161 55173 61b65e RegCreateKeyExW 55163->55173 55165 609a38 55166 609a55 RegSetValueExW 55165->55166 55167 609a3e GetCurrentThreadId 55165->55167 55168 609a77 55166->55168 55167->55148 55168->55151 55169 609a8a GetCurrentThreadId 55168->55169 55169->55151 55170->55151 55171->55156 55172->55160 55173->55165 55174->55145 55175 60b81b memset 55209 5e747a 55175->55209 55177 60b8a7 LoadStringW 55216 5e82fe 55177->55216 55180 5edbe6 ctype 6 API calls 55181 60b8ec 55180->55181 55191 60b977 55181->55191 55222 609edb 55181->55222 55182 63e992 GetLastError 55184 
63e99e 55182->55184 55186 60b980 KiUserCallbackDispatcher ChangeWindowMessageFilterEx GetMenu 55184->55186 55203 63e9b8 GetCurrentThreadId 55184->55203 55188 60b9b7 55186->55188 55189 60b9b9 KiUserCallbackDispatcher 55186->55189 55187 60b918 CreateWindowInBand 55187->55182 55187->55191 55188->55189 55225 60d65b GetWindowRect MonitorFromPoint GetMonitorInfoW 55189->55225 55191->55182 55191->55186 55194 63e9f0 55196 60b9db ShowWindow 55198 60b9f5 55196->55198 55199 63e9bf 55196->55199 55237 60ba33 55198->55237 55249 61b4cd 5 API calls ctype 55199->55249 55250 5e9ae8 8 API calls ctype 55203->55250 55204 60ba06 OpenEventW 55205 60ba20 55204->55205 55206 63e9fd SetEvent CloseHandle 55204->55206 55207 617990 ctype 4 API calls 55205->55207 55208 60ba2f 55207->55208 55211 5e7486 ctype 55209->55211 55210 5e74af RegisterClassExW 55251 5e74d5 6 API calls ctype 55210->55251 55211->55210 55213 5e7a66 ctype 19 API calls 55211->55213 55214 5e74ab 55213->55214 55214->55210 55215 5e74cc ctype 55214->55215 55215->55177 55217 5e831c 55216->55217 55218 5e8335 GetThreadUILanguage 55216->55218 55219 617990 ctype 4 API calls 55217->55219 55218->55217 55220 5e8343 GetLocaleInfoW 55218->55220 55221 5e8331 55219->55221 55220->55217 55221->55180 55221->55191 55223 609ef2 GetSystemMetrics 55222->55223 55224 609eea 55222->55224 55223->55224 55224->55187 55224->55191 55226 63ed0a GetLastError 55225->55226 55232 60d6a8 55225->55232 55227 63ed16 55226->55227 55228 63ed30 GetCurrentThreadId 55227->55228 55227->55232 55252 5e9ae8 8 API calls ctype 55228->55252 55230 63ed59 55235 63eda8 SetWindowPos 55230->55235 55231 60d729 55234 617990 ctype 4 API calls 55231->55234 55232->55230 55232->55231 55233 63edc2 55232->55233 55232->55235 55236 60b9cd 55234->55236 55235->55233 55236->55196 55248 609b35 55 API calls ctype 55236->55248 55253 60babc 55237->55253 55240 60ba73 UpdateWindow UpdateWindow 55243 60ba95 GetCurrentThreadId 55240->55243 55244 60baae 55240->55244 55241 60ba4d GetCurrentThreadId 55242 
60ba5f 55241->55242 55330 5e9ae8 8 API calls ctype 55242->55330 55243->55242 55331 61bd6c 51 API calls ctype 55244->55331 55247 60b9fc 55247->55203 55247->55204 55248->55196 55249->55203 55250->55194 55251->55215 55252->55231 55254 5edbe6 ctype 6 API calls 55253->55254 55255 60bae9 55254->55255 55332 60d56a 55255->55332 55258 60bb26 55388 60d415 GetProcessHeap HeapAlloc 55258->55388 55259 60bafd GetCurrentThreadId 55260 60bb0f 55259->55260 55594 5e9ae8 8 API calls ctype 55260->55594 55264 60bb61 55392 617634 55264->55392 55265 60bb31 GetCurrentThreadId 55595 5e9ae8 8 API calls ctype 55265->55595 55268 60bb59 55273 617990 ctype 4 API calls 55268->55273 55270 60bee7 55270->55268 55601 5e38b3 232 API calls ctype 55270->55601 55271 60bb77 55277 60bbb1 55271->55277 55278 60bb81 GetCurrentThreadId 55271->55278 55272 60bedd ?Destroy@Element@DirectUI@@QAEJ_N 55272->55270 55276 60ba47 55273->55276 55276->55240 55276->55241 55396 60ca18 55277->55396 55597 5e9ae8 8 API calls ctype 55278->55597 55282 60bbd6 55284 60bbdd GetClientRect ?Create@NativeHWNDHost@DirectUI@@SGJPBGPAUHWND__@@PAUHICON__@@HHHHHHIPAPAV12@ 55282->55284 55283 60bbbf GetCurrentThreadId 55283->55260 55285 60bc27 GetCurrentThreadId 55284->55285 55286 60bc3e ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@ SendMessageW ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@ ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@ ?Initialize@HWNDElement@DirectUI@@QAEJPAUHWND__@@_NIPAVElement@2@PAK 55284->55286 55285->55286 55287 60bca4 55286->55287 55288 60bc8d GetCurrentThreadId 55286->55288 55459 60c9a0 55287->55459 55288->55287 55291 60bd28 55292 60bda9 55291->55292 55297 617634 2 API calls 55291->55297 55469 60c834 55292->55469 55293 617634 2 API calls 55295 60bcbb 55293->55295 55300 60bd06 55295->55300 55301 60bce8 GetCurrentThreadId 55295->55301 55299 60bd3c 55297->55299 55305 60bd87 55299->55305 55306 60bd69 GetCurrentThreadId 55299->55306 55462 60bf07 
?Create@DUIXmlParser@DirectUI@@SGJPAPAV12@P6GPAVValue@2@PBGPAX@Z2P6GX11H2@Z2 55300->55462 55301->55300 55309 60bf07 4 API calls 55305->55309 55306->55305 55314 60bd8c 55309->55314 55310 60bd11 GetCurrentThreadId 55310->55291 55311 60bdc4 GetCurrentThreadId 55312 60bddb 55311->55312 55313 60bded 55312->55313 55598 64450f 22 API calls ctype 55312->55598 55565 60bf70 55313->55565 55314->55292 55317 60bd92 GetCurrentThreadId 55314->55317 55317->55292 55319 61a168 3556 API calls 55320 60be1a 8 API calls 55319->55320 55321 60be86 55320->55321 55322 60be9c 55320->55322 55321->55322 55324 60be8b 55321->55324 55600 5eac7e 3449 API calls 55322->55600 55599 60c24f 3498 API calls ctype 55324->55599 55325 60bea5 55325->55268 55328 60bb1e 55325->55328 55329 60bebd ?Destroy@NativeHWNDHost@DirectUI@ 55325->55329 55327 60be98 55327->55268 55328->55270 55328->55272 55329->55328 55330->55247 55331->55247 56784 616c70 15 API calls 55331->56784 55602 6149b3 ?GetClassInfoPtr@HWNDElement@DirectUI@@SGPAUIClassInfo@2 55332->55602 55335 63ebdf GetCurrentThreadId 55338 63ecf3 55335->55338 55336 60d57f 55616 61476f ?GetClassInfoPtr@HWNDHost@DirectUI@@SGPAUIClassInfo@2 55336->55616 55784 5e9ae8 8 API calls ctype 55338->55784 55341 60d591 55630 614891 ?GetClassInfoPtr@CCListView@DirectUI@@SGPAUIClassInfo@2 55341->55630 55342 63ebf6 GetCurrentThreadId 55342->55338 55343 63ed02 55346 60d5a3 55644 61464d ?GetClassInfoPtr@HWNDHost@DirectUI@@SGPAUIClassInfo@2 55346->55644 55347 63ec0d GetCurrentThreadId 55347->55338 55350 60d5b5 55658 6140a3 ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2 55350->55658 55351 63ec24 GetCurrentThreadId 55351->55338 55354 60d5c7 55672 6141c5 ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2 55354->55672 55355 63ec3b GetCurrentThreadId 55355->55338 55358 63ec52 GetCurrentThreadId 55358->55338 55359 60d5d9 55686 613c0b ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2 55359->55686 55362 63ec69 GetCurrentThreadId 55362->55338 55363 60d5eb 55700 613d35 
56485->56489 56486->56465 56487 5f34c3 GetCurrentThreadId 56491 5e9ae8 ctype 8 API calls 56487->56491 56489->56398 56494 5f340c LeaveCriticalSection 56489->56494 56490->56426 56490->56487 56492 5f3534 56490->56492 56496 5f3592 56492->56496 56494->56486 56514->56467 56515->56160 56516->56168 56517->56169 56518->56190 56519->56178 56520->56203 56521->56199 56522->56201 56523->56220 56524->56224 56525->56300 56526->56300 56527->56300 56528->56300 56529->56300 56530->56233 56531->56234 56532->56238 56533->56240 56534->56251 56535->56242 56536->56259 56549->56177 56550->56182 56552 635207 56551->56552 56553 5e29f3 56551->56553 56552->56553 56554 63520f CoInitializeEx 56552->56554 56553->56052 56554->56052 56556 61656d 56555->56556 56565 5e6067 56555->56565 56620 5fa6da 10 API calls ctype 56556->56620 56558 61657a 56559 616580 GetCurrentThreadId 56558->56559 56560 6165a3 56558->56560 56562 61658f 56559->56562 56622 5fa6da 10 API calls ctype 56560->56622 56621 5e9ae8 8 API calls ctype 56562->56621 56563 6165b0 56566 6165c7 56563->56566 56567 6165b6 GetCurrentThreadId 56563->56567 56565->56060 56565->56061 56623 5fa6da 10 API calls ctype 56566->56623 56567->56562 56569 6165d4 56570 6165eb 56569->56570 56571 6165da GetCurrentThreadId 56569->56571 56624 5fa6da 10 API calls ctype 56570->56624 56571->56562 56573 6165f8 56573->56565 56574 6165fe GetCurrentThreadId 56573->56574 56574->56562 56576 604467 CreateEventW 56575->56576 56577 63db3a 56575->56577 56578 63db50 GetLastError 56576->56578 56579 60447f 56576->56579 56577->56578 56578->56579 56580 63dbb3 GetLastError 56579->56580 56581 60448c CreateEventW 56579->56581 56584 63db76 GetCurrentThreadId 56579->56584 56583 6044a4 56580->56583 56582 63dbda GetLastError 56581->56582 56581->56583 56582->56583 56583->56580 56583->56582 56583->56584 56585 6044b1 CreateEventW 56583->56585 56586 63dc14 GetLastError 56583->56586 56587 63dc3b GetLastError 56583->56587 56588 6044d7 CreateEventW 56583->56588 56589 63dc78 GetLastError 
56583->56589 56591 63dc00 GetCurrentThreadId 56583->56591 56592 63dc9f GetLastError 56583->56592 56593 63dc61 GetCurrentThreadId 56583->56593 56594 63dcdc GetLastError 56583->56594 56596 63dcc5 GetCurrentThreadId 56583->56596 56597 63db8a GetCurrentThreadId 56583->56597 56598 5e60d0 56583->56598 56625 601724 56583->56625 56637 5e9ae8 8 API calls ctype 56583->56637 56584->56583 56585->56583 56585->56587 56586->56583 56587->56583 56588->56583 56588->56592 56589->56583 56591->56583 56592->56583 56593->56583 56594->56583 56596->56583 56597->56583 56598->56070 56600 612c76 56599->56600 56601 612cd8 56599->56601 56602 5edbe6 ctype 6 API calls 56600->56602 56601->56059 56603 612c83 56602->56603 56603->56601 56604 5ed05c ctype 29 API calls 56603->56604 56605 612c8e 56604->56605 56605->56601 56606 617634 2 API calls 56605->56606 56607 612c9c 56606->56607 56608 612cae 56607->56608 56638 612cf7 56607->56638 56610 6406f7 GetCurrentThreadId 56608->56610 56611 612cb8 56608->56611 56651 5e9ae8 8 API calls ctype 56610->56651 56611->56601 56613 5e6df0 1925 API calls 56611->56613 56613->56601 56614->56059 56615->56072 56616->56079 56617->56087 56618->56094 56619->56059 56620->56558 56621->56565 56622->56563 56623->56569 56624->56573 56626 601756 56625->56626 56631 601740 56625->56631 56627 601771 56626->56627 56629 5e7a66 ctype 19 API calls 56626->56629 56628 5e78dd ctype 21 API calls 56627->56628 56627->56631 56630 60177f 56628->56630 56629->56627 56630->56631 56632 601791 56630->56632 56633 63ca2e GetLastError 56630->56633 56631->56583 56634 5e7a20 ctype GetModuleHandleW LoadLibraryW DeactivateActCtx GetProcAddress 56632->56634 56635 60179e 56634->56635 56635->56631 56636 6017b2 SetLastError 56635->56636 56636->56631 56637->56583 56639 5e5640 18 API calls 56638->56639 56640 612d09 56639->56640 56641 612db1 6 API calls 56640->56641 56642 612d45 56641->56642 56643 612db1 6 API calls 56642->56643 56644 612d50 56643->56644 56645 612db1 6 API calls 56644->56645 56646 612d5b 
56645->56646 56647 612db1 6 API calls 56646->56647 56648 612d66 56647->56648 56649 612db1 6 API calls 56648->56649 56650 612d71 56649->56650 56650->56608 56651->56601 56653 5e747a 22 API calls 56652->56653 56654 5e244e 56653->56654 56655 5e796f 22 API calls 56654->56655 56665 5e2496 56654->56665 56656 5e2466 56655->56656 56657 634f0f GetLastError 56656->56657 56658 5e2476 56656->56658 56657->56658 56659 634f5b GetLastError 56658->56659 56660 5e2480 RegisterWindowMessageW 56658->56660 56662 634f32 GetCurrentThreadId 56658->56662 56661 634f67 56659->56661 56660->56665 56661->56662 56663 634f7a 56661->56663 56683 5e9ae8 8 API calls ctype 56662->56683 56663->56663 56665->56106 56665->56127 56684 5e27de 56666->56684 56669 5e2829 56670 5e2839 CoDisableCallCancellation 56669->56670 56671 5e2836 56669->56671 56670->56671 56672 5e284c DeleteTimerQueueTimer 56670->56672 56671->56117 56671->56121 56672->56671 56674 5e28b6 56673->56674 56675 5e2876 56673->56675 56674->56128 56674->56129 56676 5e27ae 5 API calls 56675->56676 56677 5e2883 56676->56677 56678 5e2829 2 API calls 56677->56678 56679 5e28ae 56678->56679 56680 5e2829 2 API calls 56679->56680 56680->56674 56681->56110 56682->56125 56683->56665 56685 5e2829 CoDisableCallCancellation DeleteTimerQueueTimer 56684->56685 56686 5e27ec CoEnableCallCancellation 56685->56686 56688 5e27d7 CoCreateInstance 56686->56688 56689 5e2802 CreateTimerQueueTimer 56686->56689 56688->56669 56689->56688 56691 634e6f GetLastError 56690->56691 56694 5e2384 56690->56694 56691->56694 56692 634e96 GetLastError 56695 634ea2 56692->56695 56693 5e2391 56693->56138 56694->56692 56694->56693 56696 634ebc GetCurrentThreadId 56694->56696 56695->56693 56695->56696 56700 5e9ae8 8 API calls ctype 56696->56700 56698 634edd 56698->56138 56699->56139 56700->56698 56701->55472 56702->55472 56704 5edbe6 ctype 6 API calls 56703->56704 56705 60c812 56704->56705 56706 60c82d 56705->56706 56707 5ed05c ctype 29 API calls 56705->56707 56706->55486 56708 60c81d 
56707->56708 56708->55486 56710 5edbe6 ctype 6 API calls 56709->56710 56711 60c7e1 56710->56711 56712 5ed05c ctype 29 API calls 56711->56712 56713 60c7ec 56711->56713 56712->56713 56713->55488 56714->55483 56716 5e6918 56715->56716 56717 635ef6 GetCurrentThreadId 56716->56717 56718 5e6922 56716->56718 56719 635f16 56717->56719 56721 635f07 GetCurrentThreadId 56718->56721 56722 5e6508 56718->56722 56744 5e9ae8 8 API calls ctype 56719->56744 56721->56719 56722->55514 56722->55515 56723 635f25 56725 617634 2 API calls 56724->56725 56726 5e6b66 56725->56726 56727 635f2d GetCurrentThreadId 56726->56727 56728 5e6b81 56726->56728 56756 5e9ae8 8 API calls ctype 56727->56756 56745 5e6bb3 56728->56745 56731 5e6b97 56732 635f58 GetCurrentThreadId 56731->56732 56733 5e6766 56731->56733 56757 5e9ae8 8 API calls ctype 56732->56757 56733->55547 56733->55548 56735 635f76 56737 615e11 56736->56737 56738 5e67e8 56736->56738 56739 6428f8 107 API calls 56737->56739 56738->55560 56738->55561 56739->56738 56740->55494 56741->55517 56742->55512 56743->55520 56744->56723 56746 5e6bcd 56745->56746 56747 5e6be3 56745->56747 56769 5e6c37 1928 API calls ctype 56746->56769 56749 5e6bf0 56747->56749 56751 5e6c02 StrToID ?FindDescendent@Element@DirectUI@@QAEPAV12@G 56747->56751 56749->56731 56750 5e6bd9 56750->56747 56752 635f92 GetCurrentThreadId 56750->56752 56751->56749 56753 5e6c1d 56751->56753 56770 5e9ae8 8 API calls ctype 56752->56770 56758 5e6f14 56753->56758 56756->56731 56757->56735 56759 5e6f77 SendMessageW 56758->56759 56761 5e700d 56759->56761 56762 5e6f8b SendMessageW 56759->56762 56761->56749 56764 5e6fd7 SendMessageW 56762->56764 56766 5e6ff9 SendMessageW 56764->56766 56771 5e708b 56766->56771 56769->56750 56770->56749 56773 5e7097 ctype 56771->56773 56772 5e70c2 56776 5e70d7 56772->56776 56778 5e710a ctype 56772->56778 56779 5e73e8 21 API calls ctype 56772->56779 56773->56772 56774 5e7a66 ctype 19 API calls 56773->56774 56774->56772 56780 5e7114 6 API calls ctype 56776->56780 
56778->56761 56779->56776 56780->56778 56781->55590 56782->55589 56783->55574 56785 6135bd LdrResolveDelayLoadedAPI
      APIs
      • LoadIconW.USER32(000077BB), ref: 0060A6D2
      • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0060A6E5
        • Part of subcall function 006601B3: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001), ref: 006601DB
        • Part of subcall function 006601B3: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 006601FB
      • SetTimer.USER32(?,00007534,000007D0,00000000), ref: 0060A6F8
      • GetTickCount64.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 0060B322
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Count64CurrentErrorIconLastLoadMessageSendThreadTickTimer
      • String ID: %d FAIL: 0x%08x$Externally activated by another instance of TaskMgr$TmWindowProc$base\diagnosis\pdui\atm\main\main.cpp$y-i
      • API String ID: 1804581965-4281838571
      • Opcode ID: efb7ac8ea3c69162432e48a7d8117a89fb50c0cfcf9866d841a907aec636d32d
      • Instruction ID: d994f23af8ad34bc3087978619b83a72c6c247ed0eae2dac3b3b11cb528c0e09
      • Opcode Fuzzy Hash: efb7ac8ea3c69162432e48a7d8117a89fb50c0cfcf9866d841a907aec636d32d
      • Instruction Fuzzy Hash: BB62F4313842016FE758DBB4ED46BBF3797EF94301F046A2EF946962D2DB618844C7A2
      APIs
      • NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000002), ref: 005F2890
      • RtlNtStatusToDosError.NTDLL ref: 005F289F
      • SysFreeString.OLEAUT32(?), ref: 005F2D28
      • SysAllocString.OLEAUT32(?), ref: 005F2D40
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F2D53
      • SysFreeString.OLEAUT32(?), ref: 005F2DC1
      • SysAllocString.OLEAUT32(?), ref: 005F2DD6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F2DED
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F2E12
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,svchost.exe,000000FF,00000001), ref: 005F2E94
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,ntvdm.exe,000000FF,00000001), ref: 005F2ED5
      • SysFreeString.OLEAUT32(?), ref: 005F2F03
      • SysAllocString.OLEAUT32(?), ref: 005F2F14
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F2F2A
      • SysFreeString.OLEAUT32(?), ref: 005F2F5E
      • SysAllocString.OLEAUT32(ntoskrnl.exe), ref: 005F2F73
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 005F31B8
      • memset.MSVCRT ref: 005F3205
      • GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(0000011C), ref: 005F3220
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005F322A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?), ref: 005F3335
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 005F3365
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 005F33DC
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F341A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 005F34C8
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F3543
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F3584
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F3597
      • memset.MSVCRT ref: 005F35F5
      • GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(0000011C), ref: 005F3610
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005F361A
      • _ftol2.MSVCRT ref: 005F378D
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000028,00000168,00000030), ref: 005F38EC
      Similarity
      • API ID: String$CurrentThread$CriticalSection$AllocFree$EnterErrorLeave$CompareLastOrdinalVersionmemset$InformationQueryStatusSystem_ftol2
      • String ID: %d FAIL: 0x%08x$ATMAssignString$CRUMHelper::Pass1CalcProcDeltas$CRUMHelper::UpdateProcess$TmGlobalSettings::IsServer$Unknown version %d$WdcApplicationsMonitor::ResolveImageName$WdcApplicationsMonitor::SetRUMInfo$base\diagnosis\pdui\atm\main\applications.cpp$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\rumhelper.cpp$base\diagnosis\pdui\atm\main\setting.cpp$ntoskrnl.exe$ntvdm.exe$svchost.exe
      • API String ID: 2863769452-3155172955
      • Opcode ID: 483aa157d5a5d8fd454c129b1aea366b70c1e61e959039275add79c9e2a079e8
      • Instruction ID: c5ff8407f0ccdd14aa0d289421dc2ff7a81a16692a6ed7e33da7d3fce5015034
      • Opcode Fuzzy Hash: 483aa157d5a5d8fd454c129b1aea366b70c1e61e959039275add79c9e2a079e8
      • Instruction Fuzzy Hash: 9DB27BB0604346DFE715CF28C854BAABBE5FF84304F14896DE6899B251D778E981CF42
      APIs
      • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000017,?,?,00000000), ref: 005F14B6
      • NtQueryInformationThread.NTDLL(00000000), ref: 005F14BD
      • RtlNtStatusToDosError.NTDLL ref: 005F1536
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005F155A
      • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000017,?,?,00000000), ref: 005F15B1
      • NtQueryInformationThread.NTDLL(00000000), ref: 005F15B8
      • RtlNtStatusToDosError.NTDLL ref: 005F15C7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005F15E3
        • Part of subcall function 0060DB70: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?), ref: 0060DB8E
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00688C64,00689800), ref: 005F1877
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00688C64,00689800), ref: 005F18AD
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00689800), ref: 005F19BE
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F19FF
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?), ref: 005F1A40
        • Part of subcall function 006214A5: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000064,00000000,?,?,?,?,?,005F1A3B,?,?,?,?), ref: 006214FB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?), ref: 005F1B32
      • __aulldiv.LIBCMT ref: 005F1DAB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80070216), ref: 005F1E9D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?), ref: 005F1F3E
      • VDMEnumProcessWOW.VDMDBG(006647A0,?,00689800), ref: 005F214B
      • SysFreeString.OLEAUT32(?), ref: 005F21A3
      • SysAllocString.OLEAUT32(?), ref: 005F21B5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F21C8
      Similarity
      • API ID: Thread$Current$CriticalSection$Enter$ErrorInformationLeaveQueryStatusString$AllocEnumFreeProcess__aulldiv
      • String ID: %d FAIL: 0x%08x$ATMAssignString$CRUMHelper::CalcDiskPctHistAndAvg$CRUMHelper::CalcPctHistAndAvg$WdcGetTimeStampCounter$base\diagnosis\pdui\atm\main\applications.cpp$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\process.cpp$base\diagnosis\pdui\atm\main\rumhelper.cpp
      • API String ID: 3244460515-2421074746
      • Opcode ID: e1169534eebe9b8fb1795bb02f7145a90266892b63c8d351112b302558b44ba5
      • Instruction ID: d24327bde073640d4cb83ecb977e043425a556bb0beaa2b594566e491f999a9a
      • Opcode Fuzzy Hash: e1169534eebe9b8fb1795bb02f7145a90266892b63c8d351112b302558b44ba5
      • Instruction Fuzzy Hash: 5DB2DFB0A04B05DBD725EF64C554BABBFE6FF84740F10481DEADA97290EB35A840CB85

      APIs
        • Part of subcall function 005EDBE6: NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
        • Part of subcall function 005EDBE6: RtlNtStatusToDosError.NTDLL ref: 005EDC21
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,80004005,00000000), ref: 0060BAFE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,80004005,00000000), ref: 0060BB39
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001,00000003,?,00000000), ref: 0060BEE1
      Similarity
      • API ID: CurrentThread$Destroy@DirectElement@ErrorInformationQueryStatusSystem
      • String ID: %d FAIL: 0x%08x$TaskManagerMain$WdcMonitor::Create$base\diagnosis\pdui\atm\main\monitor.cpp
      • API String ID: 597017551-3686988355
      • Opcode ID: cc13cf09e8f6e0a878de5d77b8dda2fa9db62803be1ab1a3e2e4d883fab0ccfb
      • Instruction ID: cec9d0adc0250818251b26cba3eb254aaa828eec19c4cec34963690739f02952
      • Opcode Fuzzy Hash: cc13cf09e8f6e0a878de5d77b8dda2fa9db62803be1ab1a3e2e4d883fab0ccfb
      • Instruction Fuzzy Hash: 71B10371BC0315BFDB19ABA4DC46BBF7A67AF44700F04A11DFA06AB2D1CBA44C418B95

      APIs
      • PcwCreateQuery.KERNELBASE(?,00000000,?,?,?), ref: 005E1A13
      • RtlInitUnicodeString.NTDLL(?,Processor Information), ref: 005E1A35
      • RtlInitUnicodeString.NTDLL(?,005CB43C), ref: 005E1A45
      • PcwAddQueryItem.KERNELBASE(?,?,00000001,?,?,000000FF,0C000030,00000000,00000000), ref: 005E1A67
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000018), ref: 005E1A84
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005E1A8B
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000018), ref: 005E1AA8
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005E1AAF
      • PcwCreateQuery.KERNELBASE(?,00000000), ref: 005E1AEA
      • RtlInitUnicodeString.NTDLL(?,FileSystem Disk Activity), ref: 005E1B0A
      • RtlInitUnicodeString.NTDLL(?,005CB43C), ref: 005E1B1A
      • PcwAddQueryItem.KERNELBASE(?,?,00000000,?,?,000000FF,00000003,00000000,00000000), ref: 005E1B3A
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000018), ref: 005E1B55
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005E1B5C
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000018), ref: 005E1B79
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005E1B80
      • NtQueryTimerResolution.NTDLL ref: 005E1BB8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00634B20
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00634B4E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00634B6C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00634B8A
        • Part of subcall function 005ED05C: memset.MSVCRT ref: 005ED091
        • Part of subcall function 005ED05C: GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?), ref: 005ED0A6
        • Part of subcall function 005ED05C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?), ref: 005ED0B0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00634BB8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00634BE6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00634C01
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00634C1C
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentHeapThread$Query$AllocInitProcessStringUnicode$CreateItem$ErrorLastResolutionTimerVersionmemset
      • String ID: %d FAIL: 0x%08x$CRUMPCHelper::PCHelperInitialize$FileSystem Disk Activity$Processor Information$base\diagnosis\pdui\atm\main\rumdatasrcs.cpp
      • API String ID: 2011625643-3336019321
      • Opcode ID: b3842ead5a5682cd277afb819ec7d6d3b5028ca7427a47900df5e098b2c7ad91
      • Instruction ID: 3a07170041dd785097b70d6977aa5c5f49db7cf4f287a1e0844fd0c5bb15a170
      • Opcode Fuzzy Hash: b3842ead5a5682cd277afb819ec7d6d3b5028ca7427a47900df5e098b2c7ad91
      • Instruction Fuzzy Hash: 56812572544364BFD7248BA49C88FA7BA9EFB44B50F052615FE02EB2A1DB74D90087F1

      Control-flow Graph
      APIs
      • CoCreateInstance.COMBASE(005D3FBC,00000000,00000001,005D3148,?), ref: 006031C0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006031CD
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?), ref: 00603234
      • GetComputerNameW.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?), ref: 00603267
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00603271
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00603294
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?), ref: 006032DE
      • LookupAccountNameLocalW.SECHOST(?,00000000,?,00000000,00000104,?), ref: 00603329
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?), ref: 00603337
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?), ref: 0060334F
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?), ref: 00603356
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?), ref: 00603368
      • LookupAccountNameLocalW.SECHOST(?,00000000,?,?,00000104,?), ref: 006033AC
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?), ref: 006033B6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,?), ref: 006033D9
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,?), ref: 00603496
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 006034C1
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 006034C8
      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 006034DD
      Similarity
      • API ID: CurrentThread$Heap$ErrorLastLocalName$AccountFreeLookupProcess$AllocComputerCreateInstance
      • String ID: %d FAIL: 0x%08x$%s\%s$WdcUserMonitor::_SetSessionIcon$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 3910829120-2812261233
      • Opcode ID: 93f09c0cfdc25518662d23ffa49a745378b706dd0cc7df24901a44616b361361
      • Instruction ID: 07fe5ad3dc727dbebc2a93be0c3311dc0ac6c0ef15a913b2dac794e915ce581c
      • Opcode Fuzzy Hash: 93f09c0cfdc25518662d23ffa49a745378b706dd0cc7df24901a44616b361361
      • Instruction Fuzzy Hash: D791E9B6980235AFDB259B90CC49BEB776EEB04701F0501A9FE09EB380DB745F448B65

      Control-flow Graph
      APIs
      • GetKeyState.USER32(?), ref: 00609880
      • GetKeyState.USER32(00000012), ref: 0060988D
      • GetKeyState.USER32(00000011), ref: 0060989A
      • GetKeyState.USER32(00000047), ref: 006098AB
      • GetKeyState.USER32(00000067), ref: 006098B8
      • GetKeyState.USER32(00000012), ref: 006098C5
      • GetKeyState.USER32(00000011), ref: 006098D2
      • RegGetValueW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\TaskManager,Preferences,00000008,00000008,?,00000F08), ref: 006098FF
      • RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\TaskManager,00000000,000F003F,?,?,00000F08), ref: 00609931
      • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,Preferences,?,00000F08), ref: 00609943
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000F08), ref: 0060994C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000F08), ref: 00609957
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000F08), ref: 006099AD
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Microsoft\Windows\CurrentVersion\TaskManager,UseStatusSetting,?,00000003,00000000,00000F08), ref: 00609A0E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?), ref: 00609A3F
      • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UseStatusSetting,00000000,00000004,00000000,00000004,?), ref: 00609A6B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00609A8B
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,00000F08), ref: 00609ADD
      Similarity
      • API ID: State$CurrentThreadValue$Close$DeleteOpen
      • String ID: %d FAIL: 0x%08x$Preferences$Software\Microsoft\Windows\CurrentVersion\TaskManager$TmSetting::LoadSettings$UseStatusSetting$base\diagnosis\pdui\atm\main\setting.cpp
      • API String ID: 917967779-3071540436
      • Opcode ID: 37fb71bfbbac247cf270b498ad43b784aec4eaae150bf1bf530b139c9b0592e5
      • Instruction ID: 4d3e5874967c6cc14f837501d79ec20fd4bc46180259bb26da8c98d4e965d114
      • Opcode Fuzzy Hash: 37fb71bfbbac247cf270b498ad43b784aec4eaae150bf1bf530b139c9b0592e5
      • Instruction Fuzzy Hash: A5619E75A80215BFEB159BA0CC4AFFF7BABBB10701F441168E901F62D2DBB449019BB1

      Control-flow Graph
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000003C,?,00000000,?,?,?,005E6A7B), ref: 00614D4A
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,?,?,005E6A7B), ref: 00614D51
      • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000020,00000000,?,00000000,?,?,?,005E6A7B), ref: 00614D67
      • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,?,?,005E6A7B), ref: 00614D6E
      • AdjustTokenPrivileges.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005E6A7B), ref: 00614DAA
      • CloseHandle.KERNELBASE(00000000,?,00000000,?,?,?,005E6A7B), ref: 00614DC7
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000000,?,?,?,005E6A7B), ref: 00614DD6
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,?,?,005E6A7B), ref: 00614DDD
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00000000,?,?,?,005E6A7B), ref: 00641136
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,?,?,005E6A7B), ref: 00641146
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,00000000,?,?,?,005E6A7B), ref: 0064116D
      Similarity
      • API ID: HeapProcess$Current$ThreadToken$AdjustAllocCloseErrorFreeHandleLastOpenPrivileges
      • String ID: %d FAIL: 0x%08x$WdcAdjustPrivilege$base\diagnosis\pdui\atm\main\control.cpp
      • API String ID: 260710294-3529573436
      • Opcode ID: 7ef284f8b56decdc07e00eb03583fda66ddba90dc2c3f26f75d98b53e2d5787b
      • Instruction ID: 944ac9d12cc9488c63f3c916306992ff9c1d7dd8ed898fe28a76301512604481
      • Opcode Fuzzy Hash: 7ef284f8b56decdc07e00eb03583fda66ddba90dc2c3f26f75d98b53e2d5787b
      • Instruction Fuzzy Hash: B331E6B6D40225BBDB204BA49C48EBA7B6EFF01755F191259FE05EB750CB348D81C7A0

      Control-flow Graph
      APIs
        • Part of subcall function 005E27AE: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,005E2177,000001F4,?,?), ref: 005E27B6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00001388), ref: 00634FCF
        • Part of subcall function 005E29DC: CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • MsgWaitForMultipleObjectsEx.USER32(00000001,?,000000FF,00001CFF,00000000), ref: 005E26E1
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005E2700
      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000), ref: 005E270E
      • TranslateMessage.USER32(?), ref: 005E271D
      • DispatchMessageW.USER32(?), ref: 005E2728
      • CoUninitialize.COMBASE ref: 005E2789
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,00000001,?,005E9B30,?,?,00001388,00000000,?,00000004,?,006519B0,?,?), ref: 00634FE3
      • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,00001388), ref: 005E2670
        • Part of subcall function 005E27DE: CoEnableCallCancellation.COMBASE(00000000), ref: 005E27F5
        • Part of subcall function 005E27DE: CreateTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(?,00000000,006519E0,?,00001388,000003E8,00000000,?,005E27D7,?,?,005E2177,000001F4,?,?), ref: 005E2816
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00001388), ref: 00635016
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,00000004,?,006519B0,?,?,00001388), ref: 0063507E
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006350AB
        • Part of subcall function 005E2829: CoDisableCallCancellation.COMBASE(00000000), ref: 005E2841
        • Part of subcall function 005E2829: DeleteTimerQueueTimer.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(00000000,?,000000FF,?,005E27D7,?,?,005E2177,000001F4,?,?), ref: 005E2852
      Similarity
      • API ID: CurrentThread$Timer$Message$CallCancellationQueueWait$CreateDeleteDisableDispatchEnableErrorInitializeLastMultipleObjectObjectsPeekSingleSystemTimeTranslateUninitialize
      • String ID: %d FAIL: 0x%08x$CRUMAPIHelper::SrumThread$base\diagnosis\pdui\atm\main\rumdatasrcs.cpp
      • API String ID: 3772641432-3638444994
      • Opcode ID: b0ac3d394e5fb421aa08a87ce1b5fd59ddeb708965688697213aab59ae186da2
      • Instruction ID: 4e72db31368f1623e560a662e31e753833383385d28f22dd90604e6f2f9fd4ae
      • Opcode Fuzzy Hash: b0ac3d394e5fb421aa08a87ce1b5fd59ddeb708965688697213aab59ae186da2
      • Instruction Fuzzy Hash: BB81C372204352AFD318DF61CC49FAA7BA9FB84744F041A2DF98297291DB60D944CBE2

      Control-flow Graph
      APIs
      • NtQueryInformationProcess.NTDLL ref: 0060ED20
      • ReadProcessMemory.KERNELBASE(?,?,?,00000480,00000000), ref: 0060ED43
      • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,000002AC,00000000), ref: 0060ED6B
      • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,80004005,00000000), ref: 0060EDA0
      • RtlNtStatusToDosError.NTDLL ref: 0063FB75
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0063FB99
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063FBAD
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063FBD5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063FBF9
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063FC0C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063FC30
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063FC46
      Similarity
      • API ID: CurrentErrorProcessThread$LastMemoryRead$InformationQueryStatus
      • String ID: %d FAIL: 0x%08x$TmGetProcessCommandLine$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 2894403664-4098537197
      • Opcode ID: a4098770e5a8896b90c8e422c94ad57f3a481dff5949e6317c10a3267764b374
      • Instruction ID: b60059a9fe48a618896323bb3b2f2f7eb3353de828dfad2cc33afdca651b035b
      • Opcode Fuzzy Hash: a4098770e5a8896b90c8e422c94ad57f3a481dff5949e6317c10a3267764b374
      • Instruction Fuzzy Hash: 09411AB3E84239BBD72547A49C05FBB7A6AEF04710F012665FD0AE7290DB359C008BE0
      APIs
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(C:\Windows\system32\winlogon.exe,000000FF,000001A8,000000FF,00000001,#0_,00000000,?), ref: 005F5C98
      • OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000400,?,?), ref: 005F5CDF
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005F5CEB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 005F5D0B
      • NtQueryInformationProcess.NTDLL ref: 005F5D4A
      • RtlNtStatusToDosError.NTDLL ref: 005F5D55
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005F5D6E
      • CloseHandle.KERNELBASE(00000000), ref: 005F5DA5
      Similarity
      • API ID: CurrentErrorProcessThread$CloseCompareHandleInformationLastOpenOrdinalQueryStatusString
      • String ID: #0_$%d FAIL: 0x%08x$C:\Windows\system32\winlogon.exe$WdcApplicationsMonitor::IsCriticalProcess$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 939897112-1366193889
      • Opcode ID: 8e66ca743f383674cb26aa351b5208708e9c5e09d1ff5e13f47db99cfd26c9a5
      • Instruction ID: ba30c7514a6b49598f4ce7b39430b9f4e1e1a60d17877b6600009e3cc6c25ecf
      • Opcode Fuzzy Hash: 8e66ca743f383674cb26aa351b5208708e9c5e09d1ff5e13f47db99cfd26c9a5
      • Instruction Fuzzy Hash: 55413972A426183BE7209A589C0DBFA7E49F702720F540726FF55D62D0F729CE01C7A1
      APIs
      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00602F67
      • ProcessIdToSessionId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00688C84), ref: 00602F78
      • GetLocaleInfoEx.KERNELBASE(00000000,00000076,006894C4,00000004), ref: 00602F8A
      • GetLocaleInfoEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,006894CC,00000008), ref: 00602FA7
      • GetLocaleInfoEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,006894DC,00000008), ref: 00602FBF
      • GetLocaleInfoEx.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,006894EC,00000004), ref: 00602FD7
      • GetKeyState.USER32(?), ref: 00603021
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063D17E
      Similarity
      • API ID: InfoLocale$Process$CurrentErrorLastSessionState
      • String ID:
      • API String ID: 1456736366-0
      • Opcode ID: 27322ee5f25f9e9a245adb450fe4abdf855ef0b7654a18d2ab23d835e28a3f75
      • Instruction ID: 1f4a9215b64885dea2162b419220f852f4191ff2d40dbead10d6770f3d04823c
      • Opcode Fuzzy Hash: 27322ee5f25f9e9a245adb450fe4abdf855ef0b7654a18d2ab23d835e28a3f75
      • Instruction Fuzzy Hash: B441F234390252BBE7246B71AC09B7726E7BF04B85F187625F606DA2E0E7B0C50293B5
      APIs
      • NtQueryInformationToken.NTDLL(FFFFFFFC,00000027,00000000,00000000,FFFFFFFC), ref: 005E81DC
        • Part of subcall function 005E8298: RtlAllocateHeap.NTDLL(?,00000000,?,FFFFFFFC,?,FFFFFFFC,?,005E81F5,?,00000000,00000000), ref: 005E82C1
      • memset.MSVCRT ref: 005E8205
      • NtQueryInformationToken.NTDLL(FFFFFFFC,00000027,00000000,FFFFFFFC,FFFFFFFC), ref: 005E8218
      • RtlInitUnicodeString.NTDLL(?,WIN://SYSAPPID), ref: 005E8235
      • RtlCompareUnicodeString.NTDLL ref: 005E8253
      • RtlNtStatusToDosErrorNoTeb.NTDLL ref: 00636A14
      Similarity
      • API ID: InformationQueryStringTokenUnicode$AllocateCompareErrorHeapInitStatusmemset
      • String ID: WIN://SYSAPPID
      • API String ID: 2258797427-742056630
      • Opcode ID: 53add4ddff063084dd00f15f2c3fe18d45810de248eb5799475d62180ff668c7
      • Instruction ID: ed1cc985e02f3b8a6c3168605857469817b4aafcf8a8b59f3e388dd811a10673
      • Opcode Fuzzy Hash: 53add4ddff063084dd00f15f2c3fe18d45810de248eb5799475d62180ff668c7
      • Instruction Fuzzy Hash: 6931B536A00A44BFDB249BA6DD48BBE7BBAFB84740F114125F749E7250DB719D00D790
      APIs
      • NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EE3D1
      • RtlNtStatusToDosError.NTDLL ref: 005EE3DC
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?), ref: 005EE436
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005EE47D
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005EE510
      Strings
      • base\diagnosis\pdui\atm\main\session.cpp, xrefs: 005EE493
      • %d FAIL: 0x%08x, xrefs: 005EE484
      • WdcUserMonitor::DoEnumeration, xrefs: 005EE48E
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalSection$CurrentEnterErrorInformationLeaveQueryStatusSystemThread
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::DoEnumeration$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 612026706-991995575
      • Opcode ID: acb0b43896dc997c631053e3ff42d7cd6e8012c86aa63e772920f87b96f236ff
      • Instruction ID: fb642ee1e4bc737584c53344bdc34ddcaa0aaf4258c5da53369d9bd4b515382a
      • Opcode Fuzzy Hash: acb0b43896dc997c631053e3ff42d7cd6e8012c86aa63e772920f87b96f236ff
      • Instruction Fuzzy Hash: 3441B8706147A2AFDB18DF2AC846B6ABFE5FF44710F041A19F595C7290E774E840CB92
      APIs
        • Part of subcall function 005EFF00: OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000400,00000000,?,?,?,005EFE47,00000000,?,00000000,?,00000000,?), ref: 005EFF31
        • Part of subcall function 005EFF00: GetProcessTimes.KERNELBASE(00000000,?,?,?,?), ref: 005EFF53
      • NtQueryInformationProcess.NTDLL ref: 0064B0F9
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,?), ref: 0064B124
      • RtlNtStatusToDosError.NTDLL ref: 0064B136
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0064B156
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Process$CloseCurrentErrorHandleInformationOpenQueryStatusThreadTimes
      • String ID: $%d FAIL: 0x%08x$TmCheckSpecialProcess$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 3067036127-2256971224
      • Opcode ID: c540af3dde8d8cee5864c3440e095a46024c38c3f5d2afba2ffa4d4f62f8de34
      • Instruction ID: aef8460ba5380193ba0239a924f0fba6158ef75642cf3d7b94ccd6d2730f5200
      • Opcode Fuzzy Hash: c540af3dde8d8cee5864c3440e095a46024c38c3f5d2afba2ffa4d4f62f8de34
      • Instruction Fuzzy Hash: F221F672A00225BBEB215A94CC09BFEBEAAEB59B20F151255FD01B73C0D770DD0187A0
      APIs
      • ActivateActCtx.KERNEL32(?,005E7910,006785C0,00000018,0060177F,?,80004005,00000000), ref: 005E7ABA
      • OutputDebugStringA.API-MS-WIN-CORE-DEBUG-L1-1-0(IsolationAware function called after IsolationAwareCleanup,00000000,00000000,00000000,006785C0,?,005E7910,006785C0,00000018,0060177F,?,80004005,00000000), ref: 006367EC
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(ActivateActCtx,00000000,00000000,00000000,006785C0,?,005E7910,006785C0,00000018,0060177F,?,80004005,00000000), ref: 00636821
      Strings
      • ActivateActCtx, xrefs: 006367FC
      • IsolationAware function called after IsolationAwareCleanup, xrefs: 006367E7
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ActivateDebugErrorLastOutputString
      • String ID: ActivateActCtx$IsolationAware function called after IsolationAwareCleanup
      • API String ID: 2396347390-235730925
      • Opcode ID: b0ab21325d75f7a89bcce92cfcb24490849e7a00ebd826864a5777564b330ec5
      • Instruction ID: 212626f7a4106e5face515d96d6efe0bd17acb4e2a764fcb73bdab8cdd8c5869
      • Opcode Fuzzy Hash: b0ab21325d75f7a89bcce92cfcb24490849e7a00ebd826864a5777564b330ec5
      • Instruction Fuzzy Hash: C811C4316041467B8B2C4B9AEC4487E7EABB68D740729622AF945C2310DA70CC0187E0
      APIs
      • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005E9BFF
      • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 005E9C15
      • FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?), ref: 005E9C36
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: AllocateCheckFreeInitializeMembershipToken
      • String ID:
      • API String ID: 3429775523-0
      • Opcode ID: c96e8d98af3809551f02b72c9eb6e5a68301d5ed99a567bcb1011164eb0e527a
      • Instruction ID: c3692b4bf5d5542ff1721dc5d25f44968d1ee23575886073675c854d316099c4
      • Opcode Fuzzy Hash: c96e8d98af3809551f02b72c9eb6e5a68301d5ed99a567bcb1011164eb0e527a
      • Instruction Fuzzy Hash: 6321F5B0A0424AEFDB20DFAA8D45ABEBBFDFF04301F10542EA556D2150DB30D800DBA0
      APIs
        • Part of subcall function 005E5640: memset.MSVCRT ref: 005E579F
        • Part of subcall function 005E5640: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000400,?,?,?,?,?,00688C60,00000000), ref: 005E57C3
        • Part of subcall function 005E5640: _wtoi.MSVCRT(?,?,00688C60,00000000), ref: 005E57D6
      • NtQuerySystemInformation.NTDLL ref: 0060D121
        • Part of subcall function 0060D155: IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000015,00000000,00000000,00000000), ref: 0060D1E4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: FeatureInfoInformationLocalePresentProcessorQuerySystem_wtoimemset
      • String ID: Mem
      • API String ID: 1333349711-2894742918
      • Opcode ID: 45d4126ab160324b9070d67535d6c2ab063f04c2f68624d9a949e2f975500b33
      • Instruction ID: 44123be1f573265beca645d1e9c9167d8f3b053ec6cf7a4beadc117b4e393b8d
      • Opcode Fuzzy Hash: 45d4126ab160324b9070d67535d6c2ab063f04c2f68624d9a949e2f975500b33
      • Instruction Fuzzy Hash: 45217DB4905B449FC3209F6A94459DBFFE9BFA5300F404A5FE4AAD6221CBB06464CF48
      APIs
      • NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
      • RtlNtStatusToDosError.NTDLL ref: 005EDC21
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorInformationQueryStatusSystem
      • String ID:
      • API String ID: 2886859707-0
      • Opcode ID: b9fc7690ed593f08a99ad9567f4db32e0c2b1a1d250cfa75e283dd058f255bbc
      • Instruction ID: 404759d0ae4fc25ad558d72161d32eca13438ac05f72637a58e1e73aa7785566
      • Opcode Fuzzy Hash: b9fc7690ed593f08a99ad9567f4db32e0c2b1a1d250cfa75e283dd058f255bbc
      • Instruction Fuzzy Hash: D70192716143589FE318DE398909B6B77E4BB44754F140A2CF9DAC6281DBA4E800C762
      APIs
      • GetThreadUILanguage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 005E8335
      • GetLocaleInfoW.KERNELBASE(?,00000058,?,?), ref: 005E834C
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: InfoLanguageLocaleThread
      • String ID:
      • API String ID: 779814757-0
      • Opcode ID: 36639ee2899b76b0ddaab2c8cb0622adf8cd11ba6e3c078bc105b8ca7547badc
      • Instruction ID: 02efc0e751f56fd515942b48cede7543eecaf3dd87619d36bb5ea1b09800a40f
      • Opcode Fuzzy Hash: 36639ee2899b76b0ddaab2c8cb0622adf8cd11ba6e3c078bc105b8ca7547badc
      • Instruction Fuzzy Hash: 17F0A431610395EBDB1CDB798C456BF77F5EB08B01F44496DA8CA92180DE74A885D750
      APIs
      • NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 005EDDA9
      • RtlNtStatusToDosError.NTDLL ref: 005EDDC5
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorInformationQueryStatusSystem
      • String ID:
      • API String ID: 2886859707-0
      • Opcode ID: 47b280099b7be3a88be5c6461dda05933289ee82de790525cdb6663a2c6e3094
      • Instruction ID: 9ab199aa872a7b542e31ec0a1dd88a5401fad6fcb1c7bd540ce74961df8f5d64
      • Opcode Fuzzy Hash: 47b280099b7be3a88be5c6461dda05933289ee82de790525cdb6663a2c6e3094
      • Instruction Fuzzy Hash: E8F0A47260014AEBCB1C8A6ACD15AB67AF9FB04354B10452DA587C7394DA259D0097B0
      APIs
      • RtlAllocateHeap.NTDLL(?,00000000,?,FFFFFFFC,?,FFFFFFFC,?,005E81F5,?,00000000,00000000), ref: 005E82C1
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: 5d53d49bf9ecfc0749007c227f1cb8b702ce3c50c61956ff44dad904fd683f07
      • Instruction ID: 4d728d47a5301f49b9d6bdb95973711bd2fc746da4eef4405ece3124dc185148
      • Opcode Fuzzy Hash: 5d53d49bf9ecfc0749007c227f1cb8b702ce3c50c61956ff44dad904fd683f07
      • Instruction Fuzzy Hash: D8E07232240604FFEB089B91CE0AF7A3B7DE788710F200558BB09C21A0EA32ED00E210

      Control-flow Graph

      control_flow_graph 680 60bf70-60bf9c 681 60bfd8-60bfee ?Add@Element@DirectUI@@QAEJPAV12@@Z call 5edbe6 680->681 682 60bf9e-60bfb9 ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z 680->682 688 60bff4-60c023 memset ExpandEnvironmentStringsW 681->688 689 60c175-60c187 call 617990 681->689 683 60bfd2 682->683 684 60bfbb-60bfcd GetCurrentThreadId 682->684 683->681 686 60c163-60c172 call 5e9ae8 684->686 686->689 692 60c025-60c034 PathFileExistsW 688->692 693 60c068-60c083 StrToID ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z 688->693 692->693 698 60c036-60c04b call 60c18a 692->698 696 60c089-60c0a4 StrToID ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z 693->696 697 60c13a-60c14f call 60c18a 693->697 699 60c0c4-60c0df StrToID ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z 696->699 700 60c0a6-60c0be ?SetVisible@Element@DirectUI@@QAEJ_N@Z ?SetEnabled@Element@DirectUI@@QAEJ_N@Z ?SetLayoutPos@Element@DirectUI@@QAEJH@Z 696->700 697->689 709 60c151-60c15e GetCurrentThreadId 697->709 698->697 707 60c051-60c063 GetCurrentThreadId 698->707 703 60c0e1-60c0f9 ?SetVisible@Element@DirectUI@@QAEJ_N@Z ?SetEnabled@Element@DirectUI@@QAEJ_N@Z ?SetLayoutPos@Element@DirectUI@@QAEJH@Z 699->703 704 60c0ff-60c11a StrToID ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z 699->704 700->699 703->704 704->697 708 60c11c-60c134 ?SetVisible@Element@DirectUI@@QAEJ_N@Z ?SetEnabled@Element@DirectUI@@QAEJ_N@Z ?SetLayoutPos@Element@DirectUI@@QAEJH@Z 704->708 707->686 708->697 709->686
      APIs
      • ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z.DUI70(GenericCommandBar,00000000,00000000,00000000,00000118,00000000,00000000,00000000), ref: 0060BFAF
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0060BFBC
      • ?Add@Element@DirectUI@@QAEJPAV12@@Z.DUI70(00000118,00000000,00000000,00000000), ref: 0060BFDC
      • memset.MSVCRT ref: 0060C002
      • ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(%systemroot%\system32\resmon.exe,?,00000104), ref: 0060C01B
      • PathFileExistsW.KERNELBASE(?), ref: 0060C02C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,000079EB,resmonIcon), ref: 0060C052
      • StrToID.DUI70(dashboardBar), ref: 0060C06D
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 0060C079
      • StrToID.DUI70(resmonIcon), ref: 0060C08E
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70 ref: 0060C09A
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0060C0AA
      • ?SetEnabled@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0060C0B4
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD), ref: 0060C0BE
      • StrToID.DUI70(resmonLaunch), ref: 0060C0C9
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 0060C0D5
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0060C0E5
      • ?SetEnabled@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0060C0EF
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD), ref: 0060C0F9
      • StrToID.DUI70(seperatorId), ref: 0060C104
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 0060C110
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0060C120
      • ?SetEnabled@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0060C12A
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD), ref: 0060C134
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,000077BD,servicesIcon), ref: 0060C152
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Descendent@FindV12@$CurrentEnabled@LayoutPos@ThreadVisible@$Add@CreateElement@2@1EnvironmentExistsExpandFileParser@PathStringsV12@@V32@@memset
      • String ID: %d FAIL: 0x%08x$%systemroot%\system32\resmon.exe$GenericCommandBar$TmCommandBar::Initialize$base\diagnosis\pdui\atm\main\commandbar.cpp$dashboardBar$resmonIcon$resmonLaunch$seperatorId$servicesIcon
      • API String ID: 2260019621-1677726219
      • Opcode ID: bbe3138f28750726745dfd527b64e4ec00c2a6502d031ae0ab6cdd2ff3de0995
      • Instruction ID: a8a8beedc05077679665ecee36011711129c70c154660a74005479479f44f625
      • Opcode Fuzzy Hash: bbe3138f28750726745dfd527b64e4ec00c2a6502d031ae0ab6cdd2ff3de0995
      • Instruction Fuzzy Hash: A551C331B80715BBC7295BA49C1DF7F3A67AB48B21F002359F916D73D1DF6089048BA1

      Control-flow Graph

      control_flow_graph 710 5f5180-5f51de call 5f5fac call 641869 715 5f5217-5f5222 710->715 716 5f51e0-5f51ed call 60065d 710->716 717 5f525b-5f5281 call 5f5dc1 call 641869 715->717 718 5f5224-5f5244 call 641869 715->718 716->715 724 5f51ef-5f5207 call 61732d call 66417d 716->724 734 5f528c-5f52a2 call 5f6356 717->734 735 5f5283-5f528a 717->735 727 5f5246-5f5248 718->727 728 5f5253-5f5256 call 5ef9b0 718->728 742 5f5209-5f5210 724->742 743 5f5212-5f5214 724->743 727->728 731 5f524a-5f5251 call 5ff3fc 727->731 728->717 731->717 744 5f52a7-5f52ab 734->744 735->734 739 5f5301-5f5309 735->739 745 5f5311-5f5331 call 641869 739->745 742->715 743->715 746 5f52df-5f52e9 744->746 747 5f52ad-5f52b4 744->747 752 5f5337-5f5344 call 62bc49 745->752 753 5f54a2-5f54d5 745->753 746->739 750 5f52eb-5f52ff 746->750 747->746 749 5f52b6-5f52da GetCurrentThreadId call 5e9ae8 747->749 762 5f58e7-5f58fd call 617990 749->762 750->745 764 5f5346-5f534e call 62bd68 752->764 765 5f5350-5f5358 752->765 756 5f54dd-5f54eb 753->756 757 5f54d7 753->757 760 5f54ed-5f54f4 756->760 761 5f54f9-5f54fc 756->761 757->756 766 5f561c-5f5621 760->766 761->766 767 5f5502-5f550b 761->767 764->765 772 5f536a-5f5375 call 612215 764->772 765->772 773 5f535a-5f535f 765->773 768 5f5623-5f562f 766->768 769 5f5631-5f5633 766->769 767->766 774 5f5511-5f5514 767->774 775 5f5635-5f5655 call 641869 768->775 769->775 784 5f5377-5f539b GetCurrentThreadId call 5e9ae8 772->784 785 5f53a0-5f53a7 772->785 773->772 777 5f5361-5f5364 773->777 774->766 779 5f551a-5f551d 774->779 788 5f566e-5f5677 775->788 789 5f5657-5f565e 775->789 777->766 777->772 779->766 782 5f5523-5f5526 779->782 782->766 786 5f552c-5f5532 782->786 784->766 785->766 787 5f53ad-5f53c9 call 664294 785->787 791 5f55bd-5f55c5 786->791 792 5f5538-5f5546 786->792 810 5f53cf-5f53ef call 5f7a70 787->810 811 5f549a-5f549d 787->811 797 5f567d-5f567f 788->797 798 5f5780 788->798 789->788 794 5f5660-5f5669 call 612426 789->794 795 5f55c7-5f55d2 791->795 796 
5f55d4-5f55d6 791->796 800 5f5548-5f554f SysFreeString 792->800 801 5f5555-5f5564 SysAllocString 792->801 816 5f57b7-5f581c call 5f5c20 call 5f5b0c call 5f5900 call 62dc22 794->816 806 5f55d8-5f5601 call 5f97b0 795->806 796->806 797->798 807 5f5685-5f569b call 5f6830 797->807 808 5f578a-5f5799 798->808 800->801 802 5f55b9-5f55bb 801->802 803 5f5566-5f5568 801->803 802->766 803->802 809 5f556a-5f55b7 GetCurrentThreadId call 5e9ae8 GetCurrentThreadId call 5e9ae8 803->809 806->766 827 5f5603-5f560c 806->827 807->798 828 5f56a1-5f56a8 807->828 815 5f579b-5f57a4 808->815 808->816 809->766 832 5f547b-5f5480 810->832 833 5f53f5-5f5411 SysAllocString 810->833 811->766 822 5f57ad-5f57b5 815->822 823 5f57a6-5f57ab 815->823 858 5f5821-5f5829 call 62bc0c 816->858 822->816 823->822 827->823 834 5f5612-5f561a 827->834 828->798 829 5f56ae-5f56d1 StrTrimW PathRemoveBlanksW 828->829 835 5f56e4-5f56f1 SysAllocString 829->835 836 5f56d3-5f56da SysFreeString 829->836 837 5f5482-5f5489 SysFreeString 832->837 838 5f5490-5f5495 832->838 841 5f5448-5f544d 833->841 842 5f5413-5f5440 GetCurrentThreadId call 5e9ae8 833->842 834->766 843 5f5778-5f577e 835->843 844 5f56f7-5f5776 GetCurrentThreadId call 5e9ae8 GetCurrentThreadId call 5e9ae8 GetCurrentThreadId call 5e9ae8 835->844 836->835 837->838 838->766 841->832 847 5f544f-5f5451 841->847 842->841 843->808 844->816 851 5f545a-5f545f 847->851 852 5f5453-5f5454 SysFreeString 847->852 855 5f546f-5f5476 851->855 856 5f5461-5f5468 SysFreeString 851->856 852->851 855->766 856->855 864 5f582f-5f5848 call 62b35a 858->864 865 5f58b6-5f58c4 858->865 864->865 872 5f584a-5f585b call 602d40 864->872 866 5f58ce-5f58de call 62bcb9 865->866 867 5f58c6-5f58c9 call 615748 865->867 866->762 874 5f58e0 866->874 867->866 872->865 877 5f585d-5f5862 872->877 874->762 878 5f5864-5f586b SysFreeString 877->878 879 5f5872-5f587f SysAllocString 877->879 878->879 880 5f58ac 879->880 881 5f5881-5f5883 879->881 883 5f58af 880->883 881->880 882 5f5885-5f58aa 
GetCurrentThreadId call 5e9ae8 881->882 882->883 883->865
      APIs
        • Part of subcall function 005F5FAC: IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0(?,?,?,?,?,?,#0_,?), ref: 005F6010
        • Part of subcall function 005F5FAC: CloseHandle.KERNELBASE(00000000,#0_,?), ref: 005F6058
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005F52B7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,#0_,?,?,?,?,?,?,?,?,#0_), ref: 005F5378
      • SysAllocString.OLEAUT32(?), ref: 005F5405
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F5420
      • SysFreeString.OLEAUT32(?), ref: 005F5454
      • SysFreeString.OLEAUT32(00000000), ref: 005F5462
      • SysFreeString.OLEAUT32(00000000), ref: 005F5483
      • StrTrimW.SHLWAPI(?,005CB93C,CompanyName,?,?), ref: 005F56B8
      • PathRemoveBlanksW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?), ref: 005F56C3
      • SysFreeString.OLEAUT32(?), ref: 005F56D4
      • SysAllocString.OLEAUT32(?), ref: 005F56E9
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F56FC
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F5721
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F5753
      • SysFreeString.OLEAUT32(?), ref: 005F5865
      • SysAllocString.OLEAUT32(00000000), ref: 005F5877
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?), ref: 005F588A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$CurrentThread$Free$Alloc$BlanksCloseHandlePathProcessRemoveTrimWow64
      • String ID: #0_$%d FAIL: 0x%08x$%s %s$ATMAssignString$CompanyName$TmGetPublisherFromVersionInfo$WdcApplicationsMonitor::ResolveImageFriendlyName$WdcApplicationsMonitor::ResolveImageFriendlyName_Desktop$WdcApplicationsMonitor::ResolveImagePublisher_Desktop$WdcApplicationsMonitor::_SetPropertiesForProcess$base\diagnosis\pdui\atm\main\applications.cpp$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 1666959281-3789899742
      • Opcode ID: 7404136c58aeb8d0a777774d78dbf163fe9599b8bd49d3c8898413432e6b44d8
      • Instruction ID: 3f3831958cb84103fd8b9e5a337443c63669cf22544d60d2313a2c77a9121295
      • Opcode Fuzzy Hash: 7404136c58aeb8d0a777774d78dbf163fe9599b8bd49d3c8898413432e6b44d8
      • Instruction Fuzzy Hash: 6312E170604B46AFDB149F64C845BBABFA5FF84704F04061CFB4597291E778E884CBA1

      Control-flow Graph

      APIs
        • Part of subcall function 005EDBE6: NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
        • Part of subcall function 005EDBE6: RtlNtStatusToDosError.NTDLL ref: 005EDC21
      • StrToID.DUI70(TabView,?,?,?,?,?,?,?,?,?), ref: 0061A198
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,?,?,?), ref: 0061A1A4
      • StrToID.DUI70(LowMemoryView,?,?,?,?,?,?,?,?), ref: 0061A1BA
      • StrToID.DUI70(SmallView,?,?,?,?,?,?,?,?), ref: 0061A1CB
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,?,?,?,?), ref: 0061A1D7
      • DebugBreak.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,?,?,?,?,?,?), ref: 0061A1E8
      • GetWindowLongW.USER32(000000F0), ref: 0061A23D
      • SetWindowLongW.USER32(000000F0,00000000), ref: 0061A2A0
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0061A2AB
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD), ref: 0061A2B6
      • SetWindowPos.USER32(00000000,00000000,00000000,800001DF,800001DF,00000026), ref: 0061A304
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0061A30E
      • RedrawWindow.USER32(00000000,00000000,00000005), ref: 0061A347
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001), ref: 0061A356
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000004), ref: 0061A361
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001), ref: 0061A39E
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000004), ref: 0061A4B5
        • Part of subcall function 005EAC7E: ?StartDefer@Element@DirectUI@@QAEXPAK@Z.DUI70(00000000), ref: 005EACFE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Window$LayoutPos@Visible@$Descendent@ErrorFindLongV12@$BreakDebugDefer@InformationLastQueryRedrawStartStatusSystem
      • String ID: $]h$(]h$,]h$LowMemoryView$SmallView$TabView
      • API String ID: 2695496260-203837762
      • Opcode ID: ed3dccc659c7721c43f4b34e3acc95be99bee9d886fcfefc52304070c8880861
      • Instruction ID: 505106fa6c0c5b1a4840c58311cf8e0fd791c3bd7e4d61d673a5a2fccec89380
      • Opcode Fuzzy Hash: ed3dccc659c7721c43f4b34e3acc95be99bee9d886fcfefc52304070c8880861
      • Instruction Fuzzy Hash: 3AC1D430A05211BFDB149FE4DC49BEEBBA3AF45310F185359E956AB2E1D7704C81CBA2

      Control-flow Graph
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,00000000,00000000,0060BDBE), ref: 005E64D2
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,00000000,0060BDBE), ref: 005E650F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,00000000,00000000,0060BDBE), ref: 005E656A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,00000000,0060BDBE), ref: 005E6595
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,00000000,00000000,0060BDBE), ref: 005E65F3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,00000000,0060BDBE), ref: 005E661E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,00000000,00000000,0060BDBE), ref: 005E6668
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcMonitor::SetupDUITabs$base\diagnosis\pdui\atm\main\monitor.cpp$cpuList$dashSidebarScrollViewer$svcList
      • API String ID: 2882836952-4039911298
      • Opcode ID: 213a9ef4e077189fc3735735c4a7cc504544b1bb1b3d3d3c5e343374b363aaeb
      • Instruction ID: 8a79cf640772a1a0bbf2328cd0addca303ddff56da6993d426515e0c0de85373
      • Opcode Fuzzy Hash: 213a9ef4e077189fc3735735c4a7cc504544b1bb1b3d3d3c5e343374b363aaeb
      • Instruction Fuzzy Hash: 53C1C670A44781AFE7194F6A9C45F657EE9FF71380F05416AF885DF2A2CBB4C8408BA1

      Control-flow Graph
      APIs
        • Part of subcall function 005E15DE: LoadLibraryW.KERNELBASE(?,006784A0,?,005E1559,-8007000E,00000000,?,005E14F5,?), ref: 005E1614
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,SruRegisterRealTimeStats,?,005E14F5,?), ref: 005E156C
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,SruQueryStats,?,005E14F5,?), ref: 005E1585
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,SruFreeRecordSet,?,005E14F5,?), ref: 005E159E
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,SruUnregisterRealTimeStats,?,005E14F5,?), ref: 005E15B7
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(-8007000E,00000000,?,005E14F5,?), ref: 00634738
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E14F5,?), ref: 0063475F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E14F5,?), ref: 00634770
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E14F5,?), ref: 00634795
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E14F5,?), ref: 006347BC
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E14F5,?), ref: 006347CC
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E14F5,?), ref: 006347F3
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E14F5,?), ref: 00634806
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E14F5,?), ref: 0063482D
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E14F5,?), ref: 00634840
      • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,-8007000E,00000000,?,005E14F5,?), ref: 0063487F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentErrorLastThread$AddressProc$Library$FreeLoad
      • String ID: %d FAIL: 0x%08x$SruApiWrapper::Initialize$SruFreeRecordSet$SruQueryStats$SruRegisterRealTimeStats$SruUnregisterRealTimeStats$base\diagnosis\pdui\atm\main\apiwrappers.cpp$srumapi.dll
      • API String ID: 3269034577-24361539
      • Opcode ID: e1dc1c633ee42232d958b45ebf642fba1a56b03ca05f066011ed5a6977ef72cd
      • Instruction ID: 58ffbf4f401adadb7cc173002f5cd765f86a73d16611ed9b708c9ada170d2bbe
      • Opcode Fuzzy Hash: e1dc1c633ee42232d958b45ebf642fba1a56b03ca05f066011ed5a6977ef72cd
      • Instruction Fuzzy Hash: 8B41C0B6D41A72BBD3210B959C05B66FE66FB01B11F06122AED19A7750DF34EC40CBD4

      Control-flow Graph
      APIs
      • memset.MSVCRT ref: 0060B849
        • Part of subcall function 005E747A: RegisterClassExW.USER32 ref: 005E74B3
      • LoadStringW.USER32(00007EA4,?,00000104), ref: 0060B8BE
        • Part of subcall function 005EDBE6: NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
        • Part of subcall function 005EDBE6: RtlNtStatusToDosError.NTDLL ref: 005EDC21
      • CreateWindowInBand.USER32(00000000,005CC09C,?,00CF0000,?,?,?,?,00000000,00000000,00000000,00000001), ref: 0060B967
      • KiUserCallbackDispatcher.NTDLL(00000000), ref: 0060B981
      • ChangeWindowMessageFilterEx.USER32(00000000,000004D3,00000001,00000000), ref: 0060B997
      • GetMenu.USER32 ref: 0060B9A3
      • KiUserCallbackDispatcher.NTDLL(00000000), ref: 0060B9C0
      • ShowWindow.USER32(00000000,?), ref: 0060B9E2
      • OpenEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000002,00000000,5806d667-654f-4b62-a561-119fb398abd3), ref: 0060BA10
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063E992
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0063E9D3
      • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 0063E9FE
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 0063EA05
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Window$CallbackDispatcherErrorEventUser$BandChangeClassCloseCreateCurrentFilterHandleInformationLastLoadMenuMessageOpenQueryRegisterShowStatusStringSystemThreadmemset
      • String ID: %d FAIL: 0x%08x$4]h$5806d667-654f-4b62-a561-119fb398abd3$6c124d76-d8ba-4190-a5ed-c89f6a30d3cf$InitInstance$TaskManagerWindow$base\diagnosis\pdui\atm\main\main.cpp
      • API String ID: 1953002350-192232968
      • Opcode ID: c7fb5b010e4c111f2c7e18bf8a843b4a1d191aeeab0cd0bb4e17cf285e352988
      • Instruction ID: adb725c79fe74c8a33556481bcef4499552187be79a29b1da5a7143458ce4e5d
      • Opcode Fuzzy Hash: c7fb5b010e4c111f2c7e18bf8a843b4a1d191aeeab0cd0bb4e17cf285e352988
      • Instruction Fuzzy Hash: 1C51F671940219BBDB219F68DC4CBAE7BBBFB84700F041299F909A72D1CB714D818FA5

      Control-flow Graph
      APIs
      • CreateMutexW.KERNELBASE(00000000,00000001), ref: 005DE6B9
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005DE6D1
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00633BBF
      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00002710), ref: 00633C09
      • LoadStringW.USER32(00007EA4,?,00000105), ref: 00633C26
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00633C30
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00633C4A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00633CF7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$CurrentThread$CreateLoadMutexObjectSingleStringWait
      • String ID: %d FAIL: 0x%08x$TaskManagerWindow$TmSingleInstance::LockSingleInstance$base\diagnosis\pdui\atm\main\main.cpp
      • API String ID: 3380117594-2544988574
      • Opcode ID: dd2c53006434048aae5cecd3b805c05f20c5b0dc86901af663b23ed467118116
      • Instruction ID: 2ae71421cfe221d6aedfbac3e403b1b2294a93d6a91def8663ac15d2d9f5d6aa
      • Opcode Fuzzy Hash: dd2c53006434048aae5cecd3b805c05f20c5b0dc86901af663b23ed467118116
      • Instruction Fuzzy Hash: C7410C74780225BFDB205BA9AC49FBA3B9BFB14741F143166F906E9390DB61CD40CBA1

      Control-flow Graph
      APIs
      • PathIsNetworkPathW.SHLWAPI(?,#0_,?,?,?,?), ref: 005F6390
      • GetFileVersionInfoSizeExW.KERNELBASE(00000003,?,?), ref: 005F63A5
      • GetFileVersionInfoExW.KERNELBASE(00000003,?,00000000,00000000,?), ref: 005F63DD
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 005F6405
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005F640C
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 005F641B
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005F6422
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005F6436
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005F645B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00638F8D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentFileInfoPathProcessThreadVersion$AllocErrorFreeLastNetworkSize
      • String ID: #0_$%d FAIL: 0x%08x$TmLoadFileVersionInfo$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 123141542-2417129570
      • Opcode ID: a8800b93a5265d38ad60beade392bc4711e957dab17b8f3da3fb312569e5f952
      • Instruction ID: 74e343749f0f014501ff3cc21e4742bf6a0bd34a9663ce7da262c98983d8e5cd
      • Opcode Fuzzy Hash: a8800b93a5265d38ad60beade392bc4711e957dab17b8f3da3fb312569e5f952
      • Instruction Fuzzy Hash: FD41D376A40319AFE7119FA89C48BBABFAAFF44740F155158FE05E7290D7749C008BE0
      APIs
      • memset.MSVCRT ref: 005E6E1E
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 005E6E2B
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000), ref: 005E6E52
      • CreateThread.KERNELBASE(00000000,00000000,005E3250,00000000,00000000,?), ref: 005E6E6B
      • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000002), ref: 005E6E8E
      • SetThreadPriority.KERNELBASE(00000000), ref: 005E6E95
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00636017
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063603E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00636052
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063607A
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006360A1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Thread$CreateCurrentErrorLast$Event$Prioritymemset
      • String ID: %d FAIL: 0x%08x$WdcDataMonitor::Start$base\diagnosis\pdui\atm\main\data.cpp
      • API String ID: 2854119323-1863635956
      • Opcode ID: 73159a284c231d7ee4fc769ea2a83a1ff5598ceb99b9511e3df3a78dc94a304b
      • Instruction ID: ce18ebe15ff93431f3a84aa399a39f5994b31fa4af10428514780d95a4fc9f18
      • Opcode Fuzzy Hash: 73159a284c231d7ee4fc769ea2a83a1ff5598ceb99b9511e3df3a78dc94a304b
      • Instruction Fuzzy Hash: 5341347AE00261BFD3194B64CD49ABBBE9EFB04390F055255FD05E7382CB60AC508BE1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000,00000000,?,0060BBB9,00000000,00000000,80004005,00000000), ref: 0060CA42
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,00000000,00000000,?,0060BBB9,00000000,00000000,80004005,00000000), ref: 0060CA8B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$TmTraceControl::InitializeControl$base\diagnosis\pdui\atm\main\control.cpp
      • API String ID: 2882836952-1313430962
      • Opcode ID: 6794d4768df3e446ed5f1a48d4d0e1d861e3f3f6a0408e91c553a1c4ff6acc01
      • Instruction ID: 76aa720ec8a06cd292957afd158440c333b6ae01f10f07d6b36f56640e1f0fab
      • Opcode Fuzzy Hash: 6794d4768df3e446ed5f1a48d4d0e1d861e3f3f6a0408e91c553a1c4ff6acc01
      • Instruction Fuzzy Hash: 7C51F5317C4306AAE71867BD9C06FB769DBAB51724B14032EB909E76C1EBA4CC4087A5
      APIs
        • Part of subcall function 005E796F: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,005C0000,?), ref: 005E79CF
      • SendMessageW.USER32(00000000,00001331,00000000,00000000), ref: 00612759
      • SendMessageW.USER32(00000000,00001335,00000000,00000000), ref: 00612767
      • SendMessageW.USER32(00000000,00001334,00000000,00000000), ref: 00612778
        • Part of subcall function 005EDBE6: NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
        • Part of subcall function 005EDBE6: RtlNtStatusToDosError.NTDLL ref: 005EDC21
        • Part of subcall function 005ED05C: memset.MSVCRT ref: 005ED091
        • Part of subcall function 005ED05C: GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?), ref: 005ED0A6
        • Part of subcall function 005ED05C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?), ref: 005ED0B0
      • SendMessageW.USER32(00000000,0000133E,?,00000009), ref: 006127ED
      • IsOS.SHLWAPI(0000001A), ref: 0061282E
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006405EF
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00640616
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 0064065C
      • DestroyWindow.USER32(00000000), ref: 0064068D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: MessageSend$Error$CurrentLastThreadWindow$CreateDestroyInformationQueryStatusSystemVersionmemset
      • String ID: %d FAIL: 0x%08x$SysTabControl32$WdcTab::CreateHWND$base\diagnosis\pdui\atm\main\tab.cpp
      • API String ID: 1207291483-1413022190
      • Opcode ID: bb267a84f6a41542600a78b736d76a84f06beced38b0efb2e8938cd8faaa926a
      • Instruction ID: 121dccd13ef5d6bfe34b31eaa94463d985a7e1612c3fe14c07bb001f8640e1b0
      • Opcode Fuzzy Hash: bb267a84f6a41542600a78b736d76a84f06beced38b0efb2e8938cd8faaa926a
      • Instruction Fuzzy Hash: 6651F4B1509351AFE7219F14CC88BABBBEAFF84714F04461DFA9897380D7748C488B66
      APIs
      • CloseHandle.KERNELBASE(00000000,#0_,?,?), ref: 005F5AFB
        • Part of subcall function 005EFF00: OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000400,00000000,?,?,?,005EFE47,00000000,?,00000000,?,00000000,?), ref: 005EFF31
        • Part of subcall function 005EFF00: GetProcessTimes.KERNELBASE(00000000,?,?,?,?), ref: 005EFF53
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000001,?,?,?,#0_,?,?), ref: 005F5974
        • Part of subcall function 0060ECED: NtQueryInformationProcess.NTDLL ref: 0060ED20
        • Part of subcall function 0060ECED: ReadProcessMemory.KERNELBASE(?,?,?,00000480,00000000), ref: 0060ED43
        • Part of subcall function 0060ECED: ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,000002AC,00000000), ref: 0060ED6B
        • Part of subcall function 0060ECED: ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,80004005,00000000), ref: 0060EDA0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005F59D3
      • SysFreeString.OLEAUT32(?), ref: 005F5A27
      • SysAllocString.OLEAUT32(00000001), ref: 005F5A3C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F5A4C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005F5A6E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Process$CurrentThread$MemoryRead$String$AllocCloseFreeHandleInformationOpenQueryTimes
      • String ID: #0_$%d FAIL: 0x%08x$ATMAssignString$WdcApplicationsMonitor::_SetCommandLine$base\diagnosis\pdui\atm\main\applications.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 557392558-625316949
      • Opcode ID: 5fd1395d270890d79b84583fb1e1704409fb0138574f4ec8bf470c31e57a473e
      • Instruction ID: 05621e16b65606965be7a51b51125aa8285a404cc0b741deca31c532c3ec94d5
      • Opcode Fuzzy Hash: 5fd1395d270890d79b84583fb1e1704409fb0138574f4ec8bf470c31e57a473e
      • Instruction Fuzzy Hash: 2951F771A41A09AFCB199F68C884ABABFA5FF44311F184269FB459B351E7748C50CBD0
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00686C44,#0_,?,?), ref: 00602DE3
      • SysAllocString.OLEAUT32(00688460), ref: 00602E49
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00686C44,#0_,?,?), ref: 00602E81
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalSection$AllocEnterLeaveString
      • String ID: #0_$%d FAIL: 0x%08x$ATMAssignString$WdcStringMap::LoadStringW$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\strmap.cpp
      • API String ID: 2105334186-2087882172
      • Opcode ID: a47a1aa1ff63feb6f88d05c53e5c02e464601f734fa192399b854f313105da38
      • Instruction ID: 1d2f0fa5931e42fe091a7e3f87bea8c8c71280780d534f546202891ed2336ba4
      • Opcode Fuzzy Hash: a47a1aa1ff63feb6f88d05c53e5c02e464601f734fa192399b854f313105da38
      • Instruction Fuzzy Hash: 61417831A40216BBDB1CCB59DC68BBA77A7EF94300F11826AF482A73D0D7744E408B95
      APIs
      • QueryFullProcessImageNameW.KERNELBASE(?,00000000,?,00000000,?,?,?,00000000,?,005F525B,#0_), ref: 005EFAC3
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005F525B,#0_), ref: 005EFAD1
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,?,000000FF,00000001,?,?,?,?,?,?,?,00000000,?,005F525B,#0_), ref: 005EFBBF
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,?,000000FF,00000001,?,?,?,?,00000000,?,005F525B,#0_), ref: 005EFC58
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,?,000000FF,00000001,?,?,?,?,00000000,?,005F525B,#0_), ref: 005EFCB0
        • Part of subcall function 005E1C21: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,?,00000000,?,?,?,?,005F5BC6,?,%WINDIR%\System32\dllhost.exe,#0_,?), ref: 005E1C37
        • Part of subcall function 005E1C21: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005F5BC6,?,%WINDIR%\System32\dllhost.exe,#0_,?), ref: 005E1C3E
        • Part of subcall function 005E1C21: ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00000000,00000400,?,?,?,?,005F5BC6,?,%WINDIR%\System32\dllhost.exe,#0_,?), ref: 005E1C5C
        • Part of subcall function 005E1C21: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,?,?,?,?,005F5BC6,?,%WINDIR%\System32\dllhost.exe,#0_,?), ref: 005E1C82
        • Part of subcall function 005E1C21: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005F5BC6,?,%WINDIR%\System32\dllhost.exe,#0_,?), ref: 005E1C89
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,005F525B,#0_), ref: 005EFD1C
      Strings
      • %systemroot%\system32\ntoskrnl.exe, xrefs: 005EFD76
      • %windir%\Explorer.exe, xrefs: 005EFB7F
      • [R_, xrefs: 005EF9F2
      • #0_, xrefs: 005EF9DC
      • %WINDIR%\ImmersiveControlPanel\SystemSettings.exe, xrefs: 005EFC14
      • %windir%\system32\PickerHost.exe, xrefs: 005EFC7C
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CompareOrdinalProcessString$AllocCloseEnvironmentErrorExpandFreeFullHandleImageLastNameQueryStrings
      • String ID: #0_$%WINDIR%\ImmersiveControlPanel\SystemSettings.exe$%systemroot%\system32\ntoskrnl.exe$%windir%\Explorer.exe$%windir%\system32\PickerHost.exe$[R_
      • API String ID: 1951720781-2746155755
      • Opcode ID: dd7ce474dd3576b7b435ba54de7f382ab7ecc78a65956dd8fdb0bb562f108b0f
      • Instruction ID: 093d28fae1c7720bc5713f9be8d5d53ba4aba49b3bf3f96b2a35d7b821972cde
      • Opcode Fuzzy Hash: dd7ce474dd3576b7b435ba54de7f382ab7ecc78a65956dd8fdb0bb562f108b0f
      • Instruction Fuzzy Hash: 7BB1C5717002459BEB18DB66C985BEF7FAAFB45310F604A39E99ADB280EF30D941C750
      APIs
      • KiUserCallbackDispatcher.NTDLL(51AAA965,000000FD), ref: 006136CE
      • GetClientRect.USER32(?), ref: 006136F0
      • SetWindowPos.USER32(00000000,00000000,00000000,?,?,00000004,?,?,?,00657D43), ref: 00613719
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00657D43), ref: 00640BF9
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,00657D43), ref: 00640C19
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,00657D43), ref: 00640C2D
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00657D43), ref: 00640C55
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00657D43), ref: 00640C76
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$CurrentThread$CallbackClientDispatcherRectUserWindow
      • String ID: %d FAIL: 0x%08x$C}e$TmSetFileMenu$base\diagnosis\pdui\atm\main\main.cpp
      • API String ID: 2929538737-2963470394
      • Opcode ID: b87399a00f996ef9d951d979c72c6d7693c9f1e4039a146da353a3f29c614b58
      • Instruction ID: b80cc8abb76d65e74600e1c3318b781e26ccfa8872d2012b4d8708a958081043
      • Opcode Fuzzy Hash: b87399a00f996ef9d951d979c72c6d7693c9f1e4039a146da353a3f29c614b58
      • Instruction Fuzzy Hash: 9C31E873901235FB97205BA99D85DBB7AAAEB00750B052354FE05E7350C7308C409BE4
      APIs
      • ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z.DUI70(taskman,00000000,00000000,00000000,?,00000000,00000000,00000000,?,0060BDB7), ref: 0060C3E6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,0060BDB7), ref: 0060C3F3
      • StrToID.DUI70(-0000000C,?,0060BDB7), ref: 0060C453
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,0060BDB7), ref: 0060C460
      • ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z.DUI70(-0000000C,00000000,00000000,00000000,?,?,0060BDB7), ref: 0060C47E
      • StrToID.DUI70(?,?,0060BDB7), ref: 0060C493
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,0060BDB7), ref: 0060C4A0
      • ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z.DUI70(?,00000000,00000000,00000000,?,?,0060BDB7), ref: 0060C4BF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$CreateElement@2@1Parser@V32@@$Descendent@FindV12@$CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcMonitor::CreateDUITabs$base\diagnosis\pdui\atm\main\monitor.cpp$taskman
      • API String ID: 736889629-643655564
      • Opcode ID: 6e10384f5b6a660e17a7c884a1c44ac4bb327e19afa145f028764ce5da52d08a
      • Instruction ID: 84bb321b6335dfd15d7809529bc2e01f308cbad18df3a3ed641f5094bef10231
      • Opcode Fuzzy Hash: 6e10384f5b6a660e17a7c884a1c44ac4bb327e19afa145f028764ce5da52d08a
      • Instruction Fuzzy Hash: 8131D271A80305BBD7189BA4DC98F7B7BBBFB80320F144628F949972A1DB718C04DB60
      APIs
      • memset.MSVCRT ref: 0062DC6E
      • memset.MSVCRT ref: 0062DC8E
        • Part of subcall function 0060068C: CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,?,000000FF,00000001,00638ED5), ref: 00600694
      • _ftol2.MSVCRT ref: 0062DCD6
      • CoTaskMemFree.COMBASE(00000000), ref: 0062DE02
        • Part of subcall function 0062C1EF: WindowsDeleteString.COMBASE(?), ref: 0062C1F9
        • Part of subcall function 0062C1EF: WindowsCreateString.COMBASE(?,?,?), ref: 0062C209
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$Windowsmemset$CompareCreateDeleteFreeOrdinalTask_ftol2
      • String ID: #0_$A$B$Microsoft.MicrosoftEdge_8wekyb3d8bbwe$base\diagnosis\pdui\atm\main\applications.cpp$browser_broker.exe
      • API String ID: 1370391435-1045472828
      • Opcode ID: 18fec1567bd75660775d8beefab8f4727d337ac13955ff1087161240a378c2ab
      • Instruction ID: d0ff253a8792f973c4dfb28854ae65cb87b1b00a90e50dd44a0a554d3c55e1d9
      • Opcode Fuzzy Hash: 18fec1567bd75660775d8beefab8f4727d337ac13955ff1087161240a378c2ab
      • Instruction Fuzzy Hash: B551A371A00639ABDB21DB60DC51BDEB7BAEF45350F0041A9E909A7281DB30AE85CF94
      APIs
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00603106,?,?,?,?,?,00000000,?,?,?,00000000,?,?), ref: 0063D3E5
      • SysFreeString.OLEAUT32(?), ref: 0063D438
      • SysAllocString.OLEAUT32(?), ref: 0063D446
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00603106,?,?,?,?,?,00000000,?,?,?,00000000,?,?), ref: 0063D45A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,00000000), ref: 0063D47C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentStringThread$AllocErrorFreeLast
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcUserMonitor::_SetClientName$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 3574128080-2514745489
      • Opcode ID: a7afa101545d3924a2751c7d1902b8c4881dcfa35da67092a46db2c4243a2545
      • Instruction ID: 810f5df2e01f5b0d44c7e884adcf3c5495600e32d2109858dc5c7976cad722ea
      • Opcode Fuzzy Hash: a7afa101545d3924a2751c7d1902b8c4881dcfa35da67092a46db2c4243a2545
      • Instruction Fuzzy Hash: 5541E371A40211BFDB288F65D809B9BBBAAFF41711F054269E809A7342D730AE41CBE0
      APIs
      • SysAllocString.OLEAUT32(?), ref: 0060356F
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,0060310F,?,?,?,?,?,?,?,00000000,?,?,?,00000000,?,?), ref: 0063D312
      • SysFreeString.OLEAUT32(00000000), ref: 0063D348
      • SysFreeString.OLEAUT32(?), ref: 0063D36C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,0060310F,?,?,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 0063D381
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,00000000), ref: 0063D3A3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$CurrentFreeThread$AllocErrorLast
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcUserMonitor::_SetWinStaName$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 3528816209-2962139563
      • Opcode ID: cbc46b2b52bd357934e523255f826b687f83ab386989e3d22cc2b6aadd856df5
      • Instruction ID: 8fa2ec6026b6534d867b7bfe0193cd6615a1e053743e3a6eab8bdc26a17354f7
      • Opcode Fuzzy Hash: cbc46b2b52bd357934e523255f826b687f83ab386989e3d22cc2b6aadd856df5
      • Instruction Fuzzy Hash: 19412771940221FBEB268F51DC08BAABBAAFF02311F15415AE805A7360D3309E81CBD1
      APIs
      • memset.MSVCRT ref: 005E24D4
      • LoadStringW.USER32(00007EA4,?,00000080), ref: 005E2525
      • LoadImageW.USER32(00000000,00000001,00000000,00000000,00000000,00000000), ref: 005E2562
      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E257D
      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E25B8
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?), ref: 00634F7F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,00000000,?), ref: 00634FA6
      Strings
      • TmSysTrayIcon::InitializeTrayIconsInSystray, xrefs: 00634FB7
      • *^, xrefs: 005E25BF
      • base\diagnosis\pdui\atm\main\trayicon.cpp, xrefs: 00634FBC
      • %d FAIL: 0x%08x, xrefs: 00634FAD
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: IconLoadNotifyShell_$CurrentErrorImageLastStringThreadmemset
      • String ID: %d FAIL: 0x%08x$TmSysTrayIcon::InitializeTrayIconsInSystray$base\diagnosis\pdui\atm\main\trayicon.cpp$*^
      • API String ID: 1926828080-3365095730
      • Opcode ID: 85ddcba3693d028473a8c08d6924f837187b9a7da3a340ee5bd1d0d09133776e
      • Instruction ID: f64de784c4870f1a0213a0c635860848bbb5b91650a4921a86805671e690fe89
      • Opcode Fuzzy Hash: 85ddcba3693d028473a8c08d6924f837187b9a7da3a340ee5bd1d0d09133776e
      • Instruction Fuzzy Hash: 2C41A871A41329AFEB65CF55DC44BAA7BBDFB04704F0411EAF949EA244DB709E408F90
      APIs
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,005E0DEE,?,?,?,?,?), ref: 005E0D6B
      • CreateThread.KERNELBASE(00000000,00000000,005E25E0,?,00000000,?,?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 005E0D9A
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 006345C2
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 006345E6
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 006345F9
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 0063461D
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 00634641
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 00634665
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$Thread$CreateCurrent$Event
      • String ID: %d FAIL: 0x%08x$CRUMAPIHelper::InitializeSrum$base\diagnosis\pdui\atm\main\rumdatasrcs.cpp
      • API String ID: 1349554999-2319581697
      • Opcode ID: 2a88fdadfcfeea4aa6457ee8bda7160a5d3b5e542dae6c7932b15868bfa07025
      • Instruction ID: 472baeb742b4b1cbcde6013c23845825b8cf89b6841e9bd85abe0334f7cb0548
      • Opcode Fuzzy Hash: 2a88fdadfcfeea4aa6457ee8bda7160a5d3b5e542dae6c7932b15868bfa07025
      • Instruction Fuzzy Hash: A031D377D01732AB87244E995C0AAA6E99ABB02730F165356FC64E7390DF60FC4187E0
      APIs
        • Part of subcall function 005E29DC: CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,005E337B), ref: 005E603A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,005E337B), ref: 005E606E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,005E337B), ref: 005E608F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,005E337B), ref: 005E6102
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005E337B), ref: 005E616A
        • Part of subcall function 00617634: malloc.MSVCRT ref: 0061764C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005E337B), ref: 005E61CA
        • Part of subcall function 00617634: _callnewh.MSVCRT ref: 0061763F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005E337B), ref: 005E6215
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$Initialize_callnewhmalloc
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::UpdateInitialize$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 4082652385-1525273817
      • Opcode ID: 0c77136e64b3af571506eabff777010aaf65b98056bc52eb60ff95c0cd402499
      • Instruction ID: e6d16a176a40335b6588470dc27cdffee020184aa59486a422fe35fa11d24e54
      • Opcode Fuzzy Hash: 0c77136e64b3af571506eabff777010aaf65b98056bc52eb60ff95c0cd402499
      • Instruction Fuzzy Hash: F8514B35B406919FDB195BB58C59AF92E95BF243D1F080079FE49DF282DB748C408BA4
      APIs
      • CloseHandle.KERNELBASE(00000000,#0_,?), ref: 005F6058
        • Part of subcall function 005EFF00: OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000400,00000000,?,?,?,005EFE47,00000000,?,00000000,?,00000000,?), ref: 005EFF31
        • Part of subcall function 005EFF00: GetProcessTimes.KERNELBASE(00000000,?,?,?,?), ref: 005EFF53
      • IsWow64Process.API-MS-WIN-CORE-WOW64-L1-1-0(?,?,?,?,?,?,#0_,?), ref: 005F6010
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,#0_,?), ref: 005F606C
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00638EE2
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00638F09
      • GetNativeSystemInfo.KERNELBASE(?), ref: 00638F4B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Process$CurrentThread$CloseErrorHandleInfoLastNativeOpenSystemTimesWow64
      • String ID: #0_$%d FAIL: 0x%08x$WdcGetProcessWowStatus$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 2333470754-200681424
      • Opcode ID: 36aed3e0aff58bc591e1b195086ea0ce3f8a6687fbab44947945bbce2bfb5864
      • Instruction ID: d11dee54e7daa525981ed4515a495009bfd15fa483080b88899ab6c88f2e8e90
      • Opcode Fuzzy Hash: 36aed3e0aff58bc591e1b195086ea0ce3f8a6687fbab44947945bbce2bfb5864
      • Instruction Fuzzy Hash: A8411772900218BFD7218B98CD09ABEBF6AFB44310F240119FE05E7290DB78AD4197D1
      APIs
      • OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000400,00000000,?,?,?,005EFE47,00000000,?,00000000,?,00000000,?), ref: 005EFF31
      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?), ref: 005EFF53
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005EFF8E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 005EFFAA
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063887B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 006388A2
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 006388CC
      Similarity
      • API ID: CurrentErrorLastProcessThread$CloseHandleOpenTimes
      • String ID: %d FAIL: 0x%08x$WdcSafeOpenProcess$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 3702784530-964157255
      • Opcode ID: 993e1925e120af3656edfbb3d1cd80d70fca3c65cd5f8e2463fb467cade47046
      • Instruction ID: 62424db1edcabb72202ba93494de3f72db360456bae2887cfd1b8a5ecee0f9df
      • Opcode Fuzzy Hash: 993e1925e120af3656edfbb3d1cd80d70fca3c65cd5f8e2463fb467cade47046
      • Instruction Fuzzy Hash: BE310633640255ABD715864A9C04EFE7A2ABB86320F550226FDA5E7380DF30CC4187B1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005E6A60
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 005E6A85
      • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000001), ref: 005E6AC5
      • SetThreadPriority.KERNELBASE(00000000), ref: 005E6ACC
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005E6AD6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 005E6AF9
      Similarity
      • API ID: Thread$Current$CriticalEnterErrorLastPrioritySection
      • String ID: %d FAIL: 0x%08x$TmTraceControl::Start$base\diagnosis\pdui\atm\main\control.cpp
      • API String ID: 1300795857-3841886355
      • Opcode ID: 0456c024ed54161d7b659dbf8333a84591e00597b1444b846f923b150b8bb2e9
      • Instruction ID: 689e2035404aa9d805eccf064e516096958d7746cde5082e0b173a910363c135
      • Opcode Fuzzy Hash: 0456c024ed54161d7b659dbf8333a84591e00597b1444b846f923b150b8bb2e9
      • Instruction Fuzzy Hash: E5310532A40265BBCB159B959C49FAE7F6DFF60790B081129FD41E7241CB749C00CBD1
      APIs
        • Part of subcall function 005E29DC: CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,005E339F), ref: 006352B2
        • Part of subcall function 005E235D: SHCreateWorkerWindowW.SHLWAPI(00615BB0,000000FD,00000000,00000000,00000000,?,?,00000000,005E2BA5,?,?,?,005E339F), ref: 005E2370
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,?,?,005E339F), ref: 005E2BCA
      • RegOpenKeyExW.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\AccountPicture\Users,00000000,00020019,?,?,?,?,005E339F), ref: 005E2BF5
      • RegNotifyChangeKeyValue.KERNELBASE(?,00000001,00000005,?,00000001,?,?,?,005E339F), ref: 005E2C11
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,005E339F), ref: 006352DA
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,005E339F), ref: 006352FF
      Strings
      • Software\Microsoft\Windows\CurrentVersion\AccountPicture\Users, xrefs: 005E2BEB
      • WdcUserMonitor::UpdateInitialize, xrefs: 006352C3
      • base\diagnosis\pdui\atm\main\session.cpp, xrefs: 006352C8
      • %d FAIL: 0x%08x, xrefs: 006352B9
      Similarity
      • API ID: CreateErrorLast$ChangeCurrentEventInitializeNotifyOpenThreadValueWindowWorker
      • String ID: %d FAIL: 0x%08x$Software\Microsoft\Windows\CurrentVersion\AccountPicture\Users$WdcUserMonitor::UpdateInitialize$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 2433898275-3423859168
      • Opcode ID: 6b91acc431920fa08b7c58f8a6d565fdd135b25fb1c8e324aee1fc0106faf365
      • Instruction ID: 3fe2fc7c892613bbaa074de558977ce5c8ab2187dcbe7db7a84b38efb335954f
      • Opcode Fuzzy Hash: 6b91acc431920fa08b7c58f8a6d565fdd135b25fb1c8e324aee1fc0106faf365
      • Instruction Fuzzy Hash: 3A21C730340B62BBE72426279C49BFBAE9EBF04791F101115BB4ADA159EB54C850A6F1
      APIs
      • memset.MSVCRT ref: 005E2424
        • Part of subcall function 005E747A: RegisterClassExW.USER32 ref: 005E74B3
        • Part of subcall function 005E796F: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,005C0000,?), ref: 005E79CF
      • RegisterWindowMessageW.USER32(TaskbarCreated,?,00000000,00000000,00000000,?), ref: 005E248E
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00634F0F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,00000000,00000000,00000000,?), ref: 00634F33
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000,?), ref: 00634F5B
      Strings
      • TrayiconMessageWindow, xrefs: 005E2437
      • TaskbarCreated, xrefs: 005E2483
      • base\diagnosis\pdui\atm\main\trayicon.cpp, xrefs: 00634F49
      • TmSysTrayIcon::CreateTrayListenerWindow, xrefs: 00634F44
      • %d FAIL: 0x%08x, xrefs: 00634F3A
      Similarity
      • API ID: ErrorLastRegisterWindow$ClassCreateCurrentMessageThreadmemset
      • String ID: %d FAIL: 0x%08x$TaskbarCreated$TmSysTrayIcon::CreateTrayListenerWindow$TrayiconMessageWindow$base\diagnosis\pdui\atm\main\trayicon.cpp
      • API String ID: 1662780053-3234797759
      • Opcode ID: 11c5121b41dd70dda80f193d910a7204ef69622b78e56ba8ead327dfece873e2
      • Instruction ID: 059d662861c326b0ae071e443cfaf6f2f8e065e26bd44b6f7603d8b0b967c3e7
      • Opcode Fuzzy Hash: 11c5121b41dd70dda80f193d910a7204ef69622b78e56ba8ead327dfece873e2
      • Instruction Fuzzy Hash: 26210877D41366ABC7249B999C45A6AFE6AFB84750F05426EFC55A7380DF309C00C7D0
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000084), ref: 0060D813
      • RtlAllocateHeap.NTDLL(00000000), ref: 0060D81A
      • ??0Element@DirectUI@@QAE@XZ.DUI70 ref: 0060D828
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0060D83D
      • ?Initialize@Element@DirectUI@@QAEJIPAV12@PAK@Z.DUI70(00000000), ref: 0060D877
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0060D884
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001), ref: 0060D8AB
      Similarity
      • API ID: DirectElement@$CurrentHeapThread$AllocateDestroy@Initialize@ProcessV12@
      • String ID: %d FAIL: 0x%08x$TmRowTextElement::Create$base\diagnosis\pdui\atm\main\colheader.cpp
      • API String ID: 2979339805-59955149
      • Opcode ID: c6bd8591fb256d37d5f286e2f76b55cd10a8f9d1e970b37c2ca043d787f21bb0
      • Instruction ID: ea845e0a4a211e3367428b2e4a3dfdc96746f7280168edf20bb7dad7e6011c2b
      • Opcode Fuzzy Hash: c6bd8591fb256d37d5f286e2f76b55cd10a8f9d1e970b37c2ca043d787f21bb0
      • Instruction Fuzzy Hash: 46110B76380215BBD3245B98AC09FAF7F55FBC0B25F00522AFA05DB390CB71880187A4
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000A40), ref: 00601B1D
      • RtlAllocateHeap.NTDLL(00000000), ref: 00601B24
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00601B41
        • Part of subcall function 00601BC0: ??0Element@DirectUI@@QAE@XZ.DUI70(?,00000000,00601B37), ref: 00601BC6
      • ?Initialize@Element@DirectUI@@QAEJIPAV12@PAK@Z.DUI70(00000000), ref: 00601B6C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00601B79
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 00601BA0
      Similarity
      • API ID: DirectElement@$CurrentHeapThread$AllocateDestroy@Initialize@ProcessV12@
      • String ID: %d FAIL: 0x%08x$AtmView::Create$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 2979339805-236477343
      • Opcode ID: 4cc9fc90e351e54361123150b6a62b077c51ac876a0197cc7f57f095af71d838
      • Instruction ID: 6d6740df956a117554237598ac3156472d37b12576e6f9bd02b4e95a9326dc31
      • Opcode Fuzzy Hash: 4cc9fc90e351e54361123150b6a62b077c51ac876a0197cc7f57f095af71d838
      • Instruction Fuzzy Hash: 060122727C03157BD72923989C0AE6F3D2BEBD5F12F05011AFA05AA3C0DBA08C0183E1
      APIs
      • ?WndProc@HWNDElement@DirectUI@@UAEJPAUHWND__@@IIJ@Z.DUI70(?,?,00000004,?), ref: 0060DFF7
      • EndPanningFeedback.UXTHEME(?,00000001), ref: 0063F0CE
      Similarity
      • API ID: D__@@DirectElement@FeedbackPanningProc@
      • String ID:
      • API String ID: 229772420-0
      • Opcode ID: 6d81cf61c8fafbc8cb644a9516eab41ff294e442dd0acfbfea3c574d2b303239
      • Instruction ID: 7c6fe3bcebaf4ed30d8232c8c60cfc9004e81a331187b11e66715a8ac024cb38
      • Opcode Fuzzy Hash: 6d81cf61c8fafbc8cb644a9516eab41ff294e442dd0acfbfea3c574d2b303239
      • Instruction Fuzzy Hash: F5C12C35A00215DFDF19CFA8D894AED7BB6BF88310F28417AE90AAB351DB305D41CB91
      APIs
      • PcwCollectData.KERNELBASE(?,00000000,?,00000000,?,7FFE0014,7FFE001C), ref: 005ECEA2
      • RtlNtStatusToDosError.NTDLL ref: 005ECEE7
      • memcpy.MSVCRT(?,?,00000000), ref: 005ECF47
      Similarity
      • API ID: CollectDataErrorStatusmemcpy
      • String ID: %d FAIL: 0x%08x$TmQueryPcwCounter$base\diagnosis\pdui\atm\main\cpu.cpp
      • API String ID: 1513707696-2911750208
      • Opcode ID: 0e433860fa96d7e0b497a7a3941105a9016d9b32edad56a96a482ef94107372f
      • Instruction ID: 5772c0f2294f577c42e4aa920685c7435e5fe4e65238a4bcdfb178ec517b65a9
      • Opcode Fuzzy Hash: 0e433860fa96d7e0b497a7a3941105a9016d9b32edad56a96a482ef94107372f
      • Instruction Fuzzy Hash: 40515E75A00206EFCB14DF59C8809AABFF6FF88310B248069E5459B351DB71EE12DBD0
      APIs
      • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?,_p0,?,00000000,?,?), ref: 005DED89
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?), ref: 005DED9B
      • CloseHandle.KERNELBASE(00000000,?,?), ref: 005DEE0E
      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(000000A8), ref: 005DEE60
      • CreateMutexExW.KERNELBASE(00000000,?,00000000,001F0001), ref: 005DEE94
      Similarity
      • API ID: CloseCreateCurrentErrorHandleLastMutexOpenProcessSemaphore
      • String ID: Local\SM0:%d:%d:%hs$_p0$wil
      • API String ID: 4244749389-3177128868
      • Opcode ID: 82f9af3cb73e43fa5a46a617098f9b131c00058b244a9e715f5efc4ed0656f89
      • Instruction ID: 649995f328efd7f2ec3a683a25aa58512f018da68ca4c995cb28cb3c2f11344f
      • Opcode Fuzzy Hash: 82f9af3cb73e43fa5a46a617098f9b131c00058b244a9e715f5efc4ed0656f89
      • Instruction Fuzzy Hash: 6841C771A4011DAFC720FF69DC8A9EA777AFB94300F1405AEF50997241DE709D45CBA0
      APIs
        • Part of subcall function 005E29DC: CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • CoCreateInstance.COMBASE(005CB5B4,00000000,00000004,005CB5A4,?), ref: 005E2B0D
        • Part of subcall function 00617634: malloc.MSVCRT ref: 0061764C
      • memset.MSVCRT ref: 005E2AB9
        • Part of subcall function 005E240C: memset.MSVCRT ref: 005E2424
        • Part of subcall function 005E240C: RegisterWindowMessageW.USER32(TaskbarCreated,?,00000000,00000000,00000000,?), ref: 005E248E
        • Part of subcall function 005E24A6: memset.MSVCRT ref: 005E24D4
        • Part of subcall function 005E24A6: LoadStringW.USER32(00007EA4,?,00000080), ref: 005E2525
        • Part of subcall function 005E24A6: LoadImageW.USER32(00000000,00000001,00000000,00000000,00000000,00000000), ref: 005E2562
        • Part of subcall function 005E24A6: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E257D
        • Part of subcall function 005E24A6: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E25B8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 0063521C
      Similarity
      • API ID: memset$IconLoadNotifyShell_$CreateCurrentImageInitializeInstanceMessageRegisterStringThreadWindowmalloc
      • String ID: %d FAIL: 0x%08x$WdcTrayIconMonitor::UpdateInitialize$base\diagnosis\pdui\atm\main\trayicon.cpp
      • API String ID: 1760580990-917814716
      • Opcode ID: 85bae2600db59ddfebe1690dd0c97d159d588d17547dcc6b521f5f79b32b522b
      • Instruction ID: bdd17fe36d8afe571809bace89959a4a3c486dc0b83a7c42d951bb82cf8fc94d
      • Opcode Fuzzy Hash: 85bae2600db59ddfebe1690dd0c97d159d588d17547dcc6b521f5f79b32b522b
      • Instruction Fuzzy Hash: C431A072A407516BE714AB698C47FB67F5DBF80B10F04013AFD49AB2C5EBA0484183E1
      APIs
      • LoadStringW.USER32(00008313,?,00000028), ref: 006038AA
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,006030C5,?,?,?,00000000,?,?), ref: 0063D6D0
      Strings
      • base\diagnosis\pdui\atm\main\session.cpp, xrefs: 0063D755
      • %d FAIL: 0x%08x, xrefs: 0063D746
      • WdcUserMonitor::_SetUserName, xrefs: 0063D750
      Similarity
      • API ID: ErrorLastLoadString
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::_SetUserName$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 637397188-2312144391
      • Opcode ID: 767a37e13b19774f4a704c05f5bb3a0d4c1dad9598117646a74f85549c37c306
      • Instruction ID: 87ee3280c1783a425f7470687583cd414becad7510cc32c260a265dc3acecb43
      • Opcode Fuzzy Hash: 767a37e13b19774f4a704c05f5bb3a0d4c1dad9598117646a74f85549c37c306
      • Instruction Fuzzy Hash: 7E412832A40125FBDB258B54DC05BEB7BAEBF10711F1181A6FC09AB380D7B09E0187D1
      Similarity
      • API ID:
      • String ID: %d FAIL: 0x%08x$CRUMPCHelper::Query$base\diagnosis\pdui\atm\main\rumdatasrcs.cpp
      • API String ID: 0-2749645412
      • Opcode ID: d9903f51df6619c8a879aa53ce1e8d69917f7b33a14d4d82c586e18e89c32b47
      • Instruction ID: deda3a4e0bb9373d435a5a8af19df3f7ebfd35054728bb47c2ec0b8f4c6798d1
      • Opcode Fuzzy Hash: d9903f51df6619c8a879aa53ce1e8d69917f7b33a14d4d82c586e18e89c32b47
      • Instruction Fuzzy Hash: 68212471640613BFC31A9B598C46EEABF6AFF50720B000319FD45A7A81DF60ED128BE1
      APIs
        • Part of subcall function 005EFF00: OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000400,00000000,?,?,?,005EFE47,00000000,?,00000000,?,00000000,?), ref: 005EFF31
        • Part of subcall function 005EFF00: GetProcessTimes.KERNELBASE(00000000,?,?,?,?), ref: 005EFF53
      • GetProcessUIContextInformation.USER32(?,?,00000000,?,00000000,?,00000000,?), ref: 005EFE59
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 005EFE74
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 005EFE9F
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00000000,?,00000000,?,00000000,?), ref: 005EFEEA
      Strings
      • base\diagnosis\pdui\atm\main\processcommon.cpp, xrefs: 005EFEB5
      • %d FAIL: 0x%08x, xrefs: 005EFEA6
      • TmCheckImmersiveProcess, xrefs: 005EFEB0
      Similarity
      • API ID: Process$CloseContextCurrentErrorHandleInformationLastOpenThreadTimes
      • String ID: %d FAIL: 0x%08x$TmCheckImmersiveProcess$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 1735274317-3918293655
      • Opcode ID: 9fa365bc7c9ed983c48a63212d5704faf23c5a30b653c0a280f8d28b6719477b
      • Instruction ID: 35f46701ff4814ec6664299fa8ecf3407fc8d18946007437df338e2b995641cf
      • Opcode Fuzzy Hash: 9fa365bc7c9ed983c48a63212d5704faf23c5a30b653c0a280f8d28b6719477b
      • Instruction Fuzzy Hash: 8121FCB2900356ABDB649BA69844B7ABF5DFB44710F114235FD94E7362EF30AD1087D0
      APIs
      • LoadStringW.USER32(?,00688460,?,?), ref: 00602EE8
      Similarity
      • API ID: LoadString
      • String ID: %d FAIL: 0x%08x$WdcLoadString$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 2948472770-2568417721
      • Opcode ID: 2e0b9fd3bec8c96c9735ab63239a7601fb0251d812d4fcd427b3d5421a095192
      • Instruction ID: 7ef8cdfc2de7d02febc4aa40aeb5bf753a3bb9b9fff7117f6393ca942f342dc7
      • Opcode Fuzzy Hash: 2e0b9fd3bec8c96c9735ab63239a7601fb0251d812d4fcd427b3d5421a095192
      • Instruction Fuzzy Hash: EF012673AC02227BD32012E86C4DE6B696BFB40B60F160329FD15E76C1D5904C0147E5
      APIs
      • SHCreateWorkerWindowW.SHLWAPI(00615BB0,000000FD,00000000,00000000,00000000,?,?,00000000,005E2BA5,?,?,?,005E339F), ref: 005E2370
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,005E339F), ref: 00634E6F
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00634E96
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,005E339F), ref: 00634EBD
      Strings
      • base\diagnosis\pdui\atm\main\session.cpp, xrefs: 00634ED3
      • %d FAIL: 0x%08x, xrefs: 00634EC4
      • WdcUserMonitor::CreateListenerWindow, xrefs: 00634ECE
      Similarity
      • API ID: ErrorLast$CreateCurrentThreadWindowWorker
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::CreateListenerWindow$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 1413965612-1198275627
      • Opcode ID: 9a91c2a0f14b330060c96b5a51fa4bae2c8bfab61d8c71b4a303c1fdeb14ef0d
      • Instruction ID: 1cf71eec66602be0a22552686f50c9e7b64af823a6c111ee5c9528009beb3d0c
      • Opcode Fuzzy Hash: 9a91c2a0f14b330060c96b5a51fa4bae2c8bfab61d8c71b4a303c1fdeb14ef0d
      • Instruction Fuzzy Hash: BB01B533949772A7C735429A1C08AA7ED5ABF41B71F170316FD58A6394DF149C4086E1
      APIs
        • Part of subcall function 0060BABC: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,80004005,00000000), ref: 0060BAFE
        • Part of subcall function 0060BABC: ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001,00000003,?,00000000), ref: 0060BEE1
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,80004005,00000000,00000000,?,0060B9FC), ref: 0060BA4E
      • UpdateWindow.USER32(00000000), ref: 0060BA79
      • UpdateWindow.USER32(00000000), ref: 0060BA80
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,0060B9FC), ref: 0060BA9B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$UpdateWindow$Destroy@DirectElement@
      • String ID: %d FAIL: 0x%08x$InitializeMonitorWindow$base\diagnosis\pdui\atm\main\main.cpp
      • API String ID: 3732216636-592266421
      • Opcode ID: 89a576cbe92f89c8a91943b0e465263f7f3c93dad14dcace8c441eeab6d1b5d2
      • Instruction ID: 0259effa89996939e5a8bd952361dcc88b541c72a1f29f86201040d5b16c21ba
      • Opcode Fuzzy Hash: 89a576cbe92f89c8a91943b0e465263f7f3c93dad14dcace8c441eeab6d1b5d2
      • Instruction Fuzzy Hash: E0F02831780314BFD3295794EC0AEBB3F5FEB80714705321DFD01A62929BA48D008BE5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID:
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::_InitUserInfo$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 0-350873945
      • Opcode ID: 494e174698e2aa23e5cffe216791d6572f860b7a7104c50c33efcfe922d1d80a
      • Instruction ID: b20d25b4e75a09efd840bea0e210d90ae1b8a6ad78bda74851a25d0eda5db1ec
      • Opcode Fuzzy Hash: 494e174698e2aa23e5cffe216791d6572f860b7a7104c50c33efcfe922d1d80a
      • Instruction Fuzzy Hash: 4341F272540702AFD315DF64A841AABBBEEFF85701F14842EF15997381EB30DA41CBA2
      APIs
        • Part of subcall function 0060023E: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,000003E0,00000004,?,?,?,?,?,005FCE12,00000000,?,?,?), ref: 00600263
        • Part of subcall function 0060023E: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,005FCE12,00000000,?,?,?), ref: 0060026A
        • Part of subcall function 0060023E: memset.MSVCRT ref: 00600281
      • _ftol2.MSVCRT ref: 005FCEAC
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,?,?), ref: 0063B032
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentProcessThread_ftol2memset
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::_AddNewSession$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 3563349176-1336372298
      • Opcode ID: d47c8917b4865daae625c73f1930a0bd315de5117f7a9cc66c0f11fcd08bd896
      • Instruction ID: c0a96360f3b8307dfa3b821609736ed6e823ee0f5717ef51357c9b52fd750f3e
      • Opcode Fuzzy Hash: d47c8917b4865daae625c73f1930a0bd315de5117f7a9cc66c0f11fcd08bd896
      • Instruction Fuzzy Hash: FA4100B1640309AFD315CF14C904AABBFE9FF84710F11892EEA9583750E779D908CB91
      APIs
      • GetWindowLongW.USER32(?,000000EB), ref: 0060EE2B
      • memset.MSVCRT ref: 0060EE65
      • _ftol2.MSVCRT ref: 0060EE75
      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 0060EEDE
      • DefWindowProcW.USER32(?,00000001,?,?), ref: 0060EF08
      • SetWindowLongW.USER32(?,000000EB,?), ref: 0060EF1E
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Window$Long$IconNotifyProcShell__ftol2memset
      • String ID:
      • API String ID: 2202408621-0
      • Opcode ID: 4e249513ce3cd9a46df35e281d148287de48864a76c3fe7b2b401d3f1c3987a0
      • Instruction ID: 79879ad2fa1b6b4b84b90c14788d0a638a4590f5ce844ac63200f6b89d224ddc
      • Opcode Fuzzy Hash: 4e249513ce3cd9a46df35e281d148287de48864a76c3fe7b2b401d3f1c3987a0
      • Instruction Fuzzy Hash: A231E571640219FFCB199F64CC48EAB7BBEFF44310F10595AF516A2291DB328E508F50
      APIs
        • Part of subcall function 005EDBE6: NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
        • Part of subcall function 005EDBE6: RtlNtStatusToDosError.NTDLL ref: 005EDC21
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,?,?,00000000,?), ref: 006137C0
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,?), ref: 006137EB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00000000,?), ref: 0061382C
      Strings
      • base\diagnosis\pdui\atm\main\session.cpp, xrefs: 0061383F
      • %d FAIL: 0x%08x, xrefs: 00613834
      • WdcUserMonitor::DoFirstEnumeration, xrefs: 0061383A
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Error$CriticalCurrentEnterInformationLastQuerySectionStatusSystemThread
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::DoFirstEnumeration$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 616838745-3475552780
      • Opcode ID: 70772a9164167be3bc11b3d3a5be75e47d84a184a6fefcd0005b364a0052e325
      • Instruction ID: 9865d28d4323b4762370dd5fb34619446813585af06a38c161a94ad253b1830b
      • Opcode Fuzzy Hash: 70772a9164167be3bc11b3d3a5be75e47d84a184a6fefcd0005b364a0052e325
      • Instruction Fuzzy Hash: D431D671904355ABDB619FA59C88BDABFABEB80310F18006DF94BD3351DB309A84C720
      APIs
      • StrToID.DUI70(?,00000000,?,?,00000000,00000000,?,005E6B97,?,?,?,?,?), ref: 005E6C03
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000,00000000,?,005E6B97,?,?,?,?,?), ref: 005E6C10
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000,?,?,00000000,00000000,?,005E6B97,?,?,?,?,?), ref: 00635F93
      Strings
      • base\diagnosis\pdui\atm\main\portal.cpp, xrefs: 00635FA6
      • %d FAIL: 0x%08x, xrefs: 00635F9A
      • WdcDataPortal::InitializePortal, xrefs: 00635FA1
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentDescendent@DirectElement@FindThreadV12@
      • String ID: %d FAIL: 0x%08x$WdcDataPortal::InitializePortal$base\diagnosis\pdui\atm\main\portal.cpp
      • API String ID: 971798259-129588457
      • Opcode ID: 95dd02c09dacb6b1d778c063e159618fab5da7b74fd02490879fb5759e71f53c
      • Instruction ID: af432e61510f9fc1599577bc921d8d64c717e052ec9b9d3221daecc78465f875
      • Opcode Fuzzy Hash: 95dd02c09dacb6b1d778c063e159618fab5da7b74fd02490879fb5759e71f53c
      • Instruction Fuzzy Hash: 0811BF75A0074ABF9B189F96DC55D7B7FADFF94390704402DF986C2221EA70EC10AB60
      APIs
      • RegGetValueW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr,0000FFFF,?,?,?), ref: 005DE676
      • LoadStringW.USER32(?,00007EA4,?,00000104), ref: 00633B83
      • LoadStringW.USER32(?,00007B11,?,000000C8), ref: 00633B9B
      • MessageBoxW.USER32(00000000,?,?,?), ref: 00633BB2
      Strings
      • Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 005DE65E
      • DisableTaskMgr, xrefs: 005DE659
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: LoadString$MessageValue
      • String ID: DisableTaskMgr$Software\Microsoft\Windows\CurrentVersion\Policies\System
      • API String ID: 1640534311-2481542415
      • Opcode ID: 13ac3538c374504f1392bdfa04dde3c53f3d2718513c584b382ab7ac3a462e4d
      • Instruction ID: 0bad012800a21fd01ce83cbc1f0cc5f6739b639adf80318622d7cf02f4d731fe
      • Opcode Fuzzy Hash: 13ac3538c374504f1392bdfa04dde3c53f3d2718513c584b382ab7ac3a462e4d
      • Instruction Fuzzy Hash: BA113371A4021CBFE7219F54DC86EEA77BCEF05700F4011AAB649A6280DBB05F48CB55
      APIs
      • memset.MSVCRT ref: 005EDCD0
        • Part of subcall function 00613290: NtQuerySystemInformationEx.NTDLL ref: 006132AF
      Strings
      • base\diagnosis\pdui\atm\main\processcommon.cpp, xrefs: 0063844A
      • %d FAIL: 0x%08x, xrefs: 0063843B
      • WdcExpandingCall, xrefs: 00638445
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: InformationQuerySystemmemset
      • String ID: %d FAIL: 0x%08x$WdcExpandingCall$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 2252961353-1468907111
      • Opcode ID: 9a108354a4461094d6933539b157458e9708450260a80b4ce996afcbe81c1813
      • Instruction ID: 327e4f3728c60c01c0e38adc93404fe37478aacaf675a77fd3ecf931ad197ce4
      • Opcode Fuzzy Hash: 9a108354a4461094d6933539b157458e9708450260a80b4ce996afcbe81c1813
      • Instruction Fuzzy Hash: 6831B871904396AFC718EE1AD8449AABBF5FF84350F144929F8968B301DB709D44CBA2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: malloc
      • String ID: %d FAIL: 0x%08x$WdcDataPortal::s_CreateInstance$base\diagnosis\pdui\atm\main\portal.cpp
      • API String ID: 2803490479-766559894
      • Opcode ID: ec7609d306fe9682348a7de678d2a6aa930ce194ac13484dbeb17816c1493fb2
      • Instruction ID: 4ff94fc4d187cfd54222c86a696474f61864c83dae54388d59e1d5e799d7b7d5
      • Opcode Fuzzy Hash: ec7609d306fe9682348a7de678d2a6aa930ce194ac13484dbeb17816c1493fb2
      • Instruction Fuzzy Hash: 501127363403497FDB152E969C4AEAB3E1AFFD5790B140029F90597291DEB1CC10DBA0
      APIs
        • Part of subcall function 005ED05C: memset.MSVCRT ref: 005ED091
        • Part of subcall function 005ED05C: GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?), ref: 005ED0A6
        • Part of subcall function 005ED05C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?), ref: 005ED0B0
        • Part of subcall function 005E0D4A: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,005E0DEE,?,?,?,?,?), ref: 005E0D6B
        • Part of subcall function 005E0D4A: CreateThread.KERNELBASE(00000000,00000000,005E25E0,?,00000000,?,?,005E0DEE,?,?,?,?,?,?,0062BB7F,?), ref: 005E0D9A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,0062BB7F,?), ref: 0063468E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CreateThread$CurrentErrorEventLastVersionmemset
      • String ID: %d FAIL: 0x%08x$CRUMHelper::RUMHelperInitialize$base\diagnosis\pdui\atm\main\rumhelper.cpp
      • API String ID: 1620370846-4020262700
      • Opcode ID: 0a0a89dbc64c7ed5057e6381b2f93bcce856728839d3d8789976fcce2e74b46d
      • Instruction ID: c90aaff6dd19ffc9bc37fdcd05de7e4f29b88df3bbdeb3291f6312acfa6e9668
      • Opcode Fuzzy Hash: 0a0a89dbc64c7ed5057e6381b2f93bcce856728839d3d8789976fcce2e74b46d
      • Instruction Fuzzy Hash: F5012B7274076267C21C6AAA4C09DEAAE0EFBC1B50F040239FE459B282CE609C4183E0
      Strings
      • %d FAIL: 0x%08x, xrefs: 00635889
      • base\diagnosis\pdui\atm\main\data.cpp, xrefs: 00635898
      • WdcDataMonitor::UpdateThread, xrefs: 00635893
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID:
      • String ID: %d FAIL: 0x%08x$WdcDataMonitor::UpdateThread$base\diagnosis\pdui\atm\main\data.cpp
      • API String ID: 0-1004717187
      • Opcode ID: d0a7e9e2fed60c436142ecb554fc9996d36e702cf56a1bf2dfa2d09926fac6c1
      • Instruction ID: 8361d9cee7fae0111169dcee02bb74ace8939ec59fdc6dc282a371f056833c2b
      • Opcode Fuzzy Hash: d0a7e9e2fed60c436142ecb554fc9996d36e702cf56a1bf2dfa2d09926fac6c1
      • Instruction Fuzzy Hash: 7D419225F041E297CB2D761B449D9BC6E87BBC8340F2A08BAE5C65B295CF944F41E783
      APIs
      • WindowsCreateStringReference.COMBASE(Windows.Networking.UX.UXManager,0000001F,?,00000000), ref: 006234FD
      • RaiseException.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(C000000D,00000001,00000000,00000000,?,0060BBB9,00000000,00000000,80004005,00000000), ref: 00623510
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CreateExceptionRaiseReferenceStringWindows
      • String ID: Windows.Networking.UX.UXManager$base\diagnosis\pdui\atm\main\adapter.cpp
      • API String ID: 289596593-3047176272
      • Opcode ID: 01e5a7186a22bb4b426e20a7fb592e54a35e62d29c3bd0ccfb74d0c5f0ea20be
      • Instruction ID: 4f349432c04f4a530b29a420e9f9b17d5bcec546b6d30eab678bac7b1e1a40ae
      • Opcode Fuzzy Hash: 01e5a7186a22bb4b426e20a7fb592e54a35e62d29c3bd0ccfb74d0c5f0ea20be
      • Instruction Fuzzy Hash: 0541AE36A00629AFDB00DB64D885EEE77BBEF88310F250129E906A7351DB74ED41CF60
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F00D0
        • Part of subcall function 005ECA4B: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,?,?,?,?,00000000,?), ref: 005ECA9C
      • GlobalMemoryStatusEx.KERNELBASE(?), ref: 005F00F1
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F01DA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalSection$CurrentEnterGlobalLeaveMemoryStatusThread
      • String ID: @
      • API String ID: 1544352494-2766056989
      • Opcode ID: 0b54a82be23f9b68bc1ed376b74eff7cd207c7dd98ff1927b570951f7295cafe
      • Instruction ID: a96b142af32ecddf1a4a37f4d1d3057a47efd94cb20cda395b076336e048eeff
      • Opcode Fuzzy Hash: 0b54a82be23f9b68bc1ed376b74eff7cd207c7dd98ff1927b570951f7295cafe
      • Instruction Fuzzy Hash: B341B371E00B099AC726AF64C9483EABFF4FB44380F201C5DE1DA92296EB756445DB80
      APIs
      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 00641A6A
      • CreateMutexExW.KERNELBASE(00000000,?,00000000,001F0001), ref: 00641A9E
        • Part of subcall function 0064254C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000040,?,00000000,00000000,?,?,00641B51,?,?,?,?,00000000), ref: 0064256A
        • Part of subcall function 0064254C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?,?,00641B51,?,?,?,?,00000000), ref: 00642571
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: HeapProcess$AllocCreateCurrentMutex
      • String ID: Local\SM0:%d:%d:%hs$wil
      • API String ID: 1201324406-2303653343
      • Opcode ID: 041d4dce44a13ca9202a310500db6229d522c3cc6d4d588d0b72e2400bd6f38c
      • Instruction ID: a795fd19e8a3e205a4ae3f1f25cf448d830b45413c1ac29a252c186726b49443
      • Opcode Fuzzy Hash: 041d4dce44a13ca9202a310500db6229d522c3cc6d4d588d0b72e2400bd6f38c
      • Instruction Fuzzy Hash: 0631B871A4021EAFCB24EF64DC99AE9777AFF51300F1006EAF40A97241EB705E85CB90
      APIs
      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(000000A8), ref: 005DEE60
      • CreateMutexExW.KERNELBASE(00000000,?,00000000,001F0001), ref: 005DEE94
        • Part of subcall function 005DEF89: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,000000A8,00000000,00000000,00000000,?,?,005DEF47,00000000,?,?,?,00000000), ref: 005DEFAA
        • Part of subcall function 005DEF89: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,005DEF47,00000000,?,?,?,00000000), ref: 005DEFB1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: HeapProcess$AllocCreateCurrentMutex
      • String ID: Local\SM0:%d:%d:%hs$wil
      • API String ID: 1201324406-2303653343
      • Opcode ID: 5db2f09ae5e176be57fd860f48eebbf20d0f851455f66bae61ef1a71d7cd164f
      • Instruction ID: 09d033f8e68d7c3956f64d96dca3cd3c4b60c928e3a98b00fb138e874468bd28
      • Opcode Fuzzy Hash: 5db2f09ae5e176be57fd860f48eebbf20d0f851455f66bae61ef1a71d7cd164f
      • Instruction Fuzzy Hash: 2331977194011EAFC720FF68DC9AAE97B79FB60300F1005ABF40A97281DA705E85CBA1
      Strings
      • WdcApplicationsMonitor::EnsureAndStartStartupMonitor, xrefs: 0064070E
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 00640713
      • %d FAIL: 0x%08x, xrefs: 00640704
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Error$InformationLastQueryStatusSystemVersionmallocmemset
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::EnsureAndStartStartupMonitor$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 605310503-3340200957
      • Opcode ID: 748d0fb364ad301121a05ce12450f8881919072dd7368bc794d1d25823c9e2c7
      • Instruction ID: 61884575b9793fb66fe7b2e71eb95a7eafa6122dba512e3c908f2f8fc06d3dd8
      • Opcode Fuzzy Hash: 748d0fb364ad301121a05ce12450f8881919072dd7368bc794d1d25823c9e2c7
      • Instruction Fuzzy Hash: 2D113A31B005229BDB156B594CA5AFD6A57BFC0790F0D0039EE05AB382DF700C929BD0
      APIs
      • KillTimer.USER32(00000000,?,?,?,0062B3A7,?,0062B358,?,005F2681), ref: 0061C135
      • SetTimer.USER32(00000000,?,?), ref: 0061C162
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,0062B3A7,?,0062B358,?,005F2681), ref: 0061C16C
      Strings
      • base\diagnosis\pdui\atm\main\control.cpp, xrefs: 0061C197
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Timer$ErrorKillLast
      • String ID: base\diagnosis\pdui\atm\main\control.cpp
      • API String ID: 2551693900-2337132064
      • Opcode ID: c7384910891de6f30cca4e6cb580bf95941a7d0f83fe7ffe7787924c5bb505db
      • Instruction ID: 9068881d47e94be2854095b93dae98ae22da93923d20b012e413f036900d07ae
      • Opcode Fuzzy Hash: c7384910891de6f30cca4e6cb580bf95941a7d0f83fe7ffe7787924c5bb505db
      • Instruction Fuzzy Hash: 1F012637B852207FE7104B61DC0EAAE3B9BEB84770B191015FE059B352CB64EC4187C0
      APIs
      • SendMessageW.USER32(00000000,?,005E6C35,00000000), ref: 005E6F7C
      • SendMessageW.USER32(00000000,?,005E6C35,00000000), ref: 005E6FB9
      • SendMessageW.USER32(00000000,?,005E6C35,00000000), ref: 005E6FDC
      • SendMessageW.USER32(00000000,?,005E6C35,00000000), ref: 005E6FFE
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: c02710b1a98084353bd4d2376398b328ea79844d0a8ca86d8852a339f95c6bc7
      • Instruction ID: b323f36dcb1b58b55e674ce196aa38d90ac86b928e87eca389b9b9991433da78
      • Opcode Fuzzy Hash: c02710b1a98084353bd4d2376398b328ea79844d0a8ca86d8852a339f95c6bc7
      • Instruction Fuzzy Hash: 97212A75700255AFDB14DF69D888EAE7BEAFB88350F041126F919D7341DB74AC908FA0
      APIs
      • ?Create@DUIXmlParser@DirectUI@@SGJPAPAV12@P6GPAVValue@2@PBGPAX@Z2P6GX11H2@Z2@Z.DUI70(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,0060BD8C), ref: 0060BF21
      • ?SetXMLFromResource@DUIXmlParser@DirectUI@@QAEJIPAUHINSTANCE__@@0@Z.DUI70(00000000,?,005C0000,?,0060BD8C), ref: 0060BF3A
      • ?Destroy@NativeHWNDHost@DirectUI@@QAEXXZ.DUI70(?,0060BD8C), ref: 0063EA10
      Similarity
      • API ID: Direct$Parser@$Create@Destroy@E__@@0@FromHost@NativeResource@V12@Value@2@
      • String ID:
      • API String ID: 828835226-0
      • Opcode ID: d513de593045a37b0c014debe2784abc7ba0ea46c4f225d239cd2310f25a1734
      • Instruction ID: 49854237886554f3c83d1f67421555069903b28ac0782eebe4c1cbdd0f87868f
      • Opcode Fuzzy Hash: d513de593045a37b0c014debe2784abc7ba0ea46c4f225d239cd2310f25a1734
      • Instruction Fuzzy Hash: 3C01C031640616FB8B148F92DC4899BBF7AFB487207109229F91993350DB30AE10DBD0
      APIs
      • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,00000000,?,005E93D5,0062DCE4,?,00000000,00000000,00000000,00000000,?,0062DCE4,?), ref: 005E816F
      • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000008,00000000,?,005E93D5,0062DCE4,?,00000000,00000000,00000000,00000000,?,0062DCE4,?), ref: 005E8180
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E93D5,0062DCE4,?,00000000,00000000,00000000,00000000,?,0062DCE4,?), ref: 006369DE
      Similarity
      • API ID: Process$CurrentErrorLastOpenToken
      • String ID:
      • API String ID: 1838720048-0
      • Opcode ID: d9b443a42ed32f0421a73395dc2bc774d479a233be25da3de1a25305c5e6c036
      • Instruction ID: ab9d2a42693dc8b02ed12ede7c0c70a9256452ca2614df012243ee3a630cd95c
      • Opcode Fuzzy Hash: d9b443a42ed32f0421a73395dc2bc774d479a233be25da3de1a25305c5e6c036
      • Instruction Fuzzy Hash: 09F0D631901625FBCB2C9766DD0987EBA6ABB41760B155395F854A3290DF708E02D790
      APIs
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,?,?), ref: 00632C1D
      Similarity
      • API ID: CriticalLeaveSection
      • String ID: base\diagnosis\pdui\atm\main\identity.cpp
      • API String ID: 3988221542-116235731
      • Opcode ID: c05873f367358bceb72ed26276e0bc225ae5b39fe96dcebfd7bfbc22dd9e6f8a
      • Instruction ID: fb686f0554c4f35d908bd7cce022874e1eae1bb71ad9e3a16787c39cf1ff8614
      • Opcode Fuzzy Hash: c05873f367358bceb72ed26276e0bc225ae5b39fe96dcebfd7bfbc22dd9e6f8a
      • Instruction Fuzzy Hash: CD41CE76604307ABC7229F18D861F6BBBA7EBC4B14F20441DF90A67281DB70D90696E6
      APIs
      • GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 00612DF9
      • #618.SHLWAPI(005CC328), ref: 00612E0E
      Similarity
      • API ID: #618Version
      • String ID: @
      • API String ID: 2478506813-2766056989
      • Opcode ID: a5bf51ae7f1f093d3f6b8f75d61cdd75907dc21cab73d1935fa070d9a9c3a123
      • Instruction ID: f7ae566d40e7a4a39700a1c38c1ff6c1f3b119cdcaa8719c4a45c933d3ce23fc
      • Opcode Fuzzy Hash: a5bf51ae7f1f093d3f6b8f75d61cdd75907dc21cab73d1935fa070d9a9c3a123
      • Instruction Fuzzy Hash: 5BF0A771A0030EABCF11DF7498157EB7BF5AB18700F442298E80A92242DF3489A89B54
      APIs
      • ?CreateHWND@CCBase@DirectUI@@UAEPAUHWND__@@PAU3@@Z.DUI70(?), ref: 00616649
      • SetWindowTheme.UXTHEME(00000000,Explorer,00000000), ref: 00616659
      Similarity
      • API ID: Base@CreateD__@@DirectThemeU3@@Window
      • String ID: Explorer
      • API String ID: 1488502915-512347832
      • Opcode ID: 00870db86b9f998df46fdb9d5ecbf6332bacf9606d063068e9ed7fc825cf655c
      • Instruction ID: 001cf21a81a7b5d6fa051dd3878c23551370f6c092a54b48a3df3fbe12e07bc8
      • Opcode Fuzzy Hash: 00870db86b9f998df46fdb9d5ecbf6332bacf9606d063068e9ed7fc825cf655c
      • Instruction Fuzzy Hash: D3D012322403247BD3102796AC09E977F5DDB417B1F011121FB0886262DB615D51C7E4
      APIs
        • Part of subcall function 006169CD: WindowsCreateStringReference.COMBASE(?,0062DD64,?,?), ref: 006169E5
      • RoGetActivationFactory.COMBASE(?,005CD2B8,?), ref: 0062D08B
      Strings
      • Windows.Internal.StateRepository.Application, xrefs: 0062D070
      Similarity
      • API ID: ActivationCreateFactoryReferenceStringWindows
      • String ID: Windows.Internal.StateRepository.Application
      • API String ID: 1966789792-4066378059
      • Opcode ID: 5a161daaaaad28ab748ec491fe5cfd4e1324c020da3da524b484f1cccce06c19
      • Instruction ID: 6dc3b8d437fbf9fdfa8e5afdbcac615be742f8119956916f02d3abcb40964a35
      • Opcode Fuzzy Hash: 5a161daaaaad28ab748ec491fe5cfd4e1324c020da3da524b484f1cccce06c19
      • Instruction Fuzzy Hash: 4C414B369006299FCF04DFA4D884AEEB7B6FF88324F154069E902B7250DB71AD41CFA0
      APIs
        • Part of subcall function 005E8162: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,00000000,?,005E93D5,0062DCE4,?,00000000,00000000,00000000,00000000,?,0062DCE4,?), ref: 005E816F
        • Part of subcall function 005E8162: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000008,00000000,?,005E93D5,0062DCE4,?,00000000,00000000,00000000,00000000,?,0062DCE4,?), ref: 005E8180
      • CoTaskMemFree.COMBASE(00000000), ref: 005E9439
      Similarity
      • API ID: Process$CurrentFreeOpenTaskToken
      • String ID: onecore\shell\lib\calleridentity\calleridentity.cpp
      • API String ID: 2149007214-738500486
      • Opcode ID: 1a6b1f05f856368581fbff48afeb47dbef172795fe9213f0c1b1134a569a7eb3
      • Instruction ID: dc9d941db977ef18d9a98d36fdf7912ec6f88b439bd725671931c97fbd5136a2
      • Opcode Fuzzy Hash: 1a6b1f05f856368581fbff48afeb47dbef172795fe9213f0c1b1134a569a7eb3
      • Instruction Fuzzy Hash: FF31A976E0025AABCF18DFDAC8819EFBB79FF84310F11456AA84567381DA349E01D791
      APIs
      • CreateActCtxWWorker.KERNEL32 ref: 00614C18
        • Part of subcall function 005E7C49: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,80004005,00000000,00000000,00000000,?,005E792C,?,006785C0,00000018,0060177F,?,80004005,00000000), ref: 005E7C5E
      Similarity
      • API ID: AddressCreateProcWorker
      • String ID: CreateActCtxW
      • API String ID: 1321444865-1163823230
      • Opcode ID: 88d80afa1c07a4fc5c758ac26589a4b5253e4fcb564aba72af1ba13c1af2c9ef
      • Instruction ID: ce16a68b3fb923c579cc6153e56ffa39a3d69eaa716ef21f6524a68a7309799e
      • Opcode Fuzzy Hash: 88d80afa1c07a4fc5c758ac26589a4b5253e4fcb564aba72af1ba13c1af2c9ef
      • Instruction Fuzzy Hash: C4E08636A0293257C325165A681499A6D679AD5F7031A132BE525AB390CEA09C8247D0
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000), ref: 006423C4
      • OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?), ref: 006424DB
      Similarity
      • API ID: CurrentDebugOutputStringThread
      • String ID:
      • API String ID: 345212951-0
      • Opcode ID: 2b2a4e935273b0edafda18e0ed28eba73a124485551f5c0fa26823f48a9ceb09
      • Instruction ID: 7f284d1166655f0bebde6282cff898cadbac575eaa305117d219be8465970d3f
      • Opcode Fuzzy Hash: 2b2a4e935273b0edafda18e0ed28eba73a124485551f5c0fa26823f48a9ceb09
      • Instruction Fuzzy Hash: A8516D71600606AFCB21DF28D8546AE7BF7EF89310F699629F946D3360DB35A841CB50
      APIs
      • WaitForMultipleObjects.API-MS-WIN-CORE-SYNCH-L1-2-1(00000002,?,00000000,000000FF,?,?,?,?,?,005E3306), ref: 005EF779
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E3306), ref: 00638675
      Similarity
      • API ID: ErrorLastMultipleObjectsWait
      • String ID:
      • API String ID: 2132265239-0
      • Opcode ID: 78f0185bab76e5086d38bb5b477f52b69b65dc8ae55147d4d8c4788e1a579363
      • Instruction ID: e23f4a33fcd1862cf31b06b89a5b77037aea6cc6e7f40e003c18c8e6d93567f6
      • Opcode Fuzzy Hash: 78f0185bab76e5086d38bb5b477f52b69b65dc8ae55147d4d8c4788e1a579363
      • Instruction Fuzzy Hash: FC213836B001B29FCB199B298408AFDBF96FB49768F191276ED55A7381CF309C0197D1
      APIs
      • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(006898E0,?,?,?,?,005E354B,?,?), ref: 0061ACFF
        • Part of subcall function 00619A9D: AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(02EB2C08,?,006898D0,006898E0,0061AD0C,?,?,?,?,005E354B,?,?), ref: 00619AB8
        • Part of subcall function 00619A9D: ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(02EB2C08,006898FC,00619430,006898D0,?,?,?,?,005E354B,?,?), ref: 00619AD2
        • Part of subcall function 0061AD39: memcpy_s.MSVCRT ref: 0061AD97
      • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(006898E0,?,?,00000000,?,?,?,?,005E354B,?,?), ref: 0061AD2C
      Similarity
      • API ID: ExclusiveLock$AcquireRelease$memcpy_s
      • String ID:
      • API String ID: 102148085-0
      • Opcode ID: 5fd28303db36f54e93ad7e5c460f2428f0e57bb91f2c964d8405da7bb6754dc9
      • Instruction ID: 3271a38045ccb0e331ecd74b8cb6330b8c902211a107417315c476fa6a74a264
      • Opcode Fuzzy Hash: 5fd28303db36f54e93ad7e5c460f2428f0e57bb91f2c964d8405da7bb6754dc9
      • Instruction Fuzzy Hash: 29F0BB725007077BD720DFA5E854BD6BB6EEF50361F180819F98542741DF74D885C761
      APIs
      • AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00619AEE
      • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00619B12
      Similarity
      • API ID: ExclusiveLock$AcquireRelease
      • String ID:
      • API String ID: 17069307-0
      • Opcode ID: b038727ba909651afd6acc1a5052fbd725c91c2221f921f8657e21e3326b689d
      • Instruction ID: bc10fd287e53ed5c743abcda18626355eb879fbabba27f2eaf093ba14b3fd633
      • Opcode Fuzzy Hash: b038727ba909651afd6acc1a5052fbd725c91c2221f921f8657e21e3326b689d
      • Instruction Fuzzy Hash: 41E06D325051666BC7115A65B818EDABB2AAFD2321F185225E510532D18F30A982C7E1
      APIs
      Similarity
      • API ID: _callnewhmalloc
      • String ID:
      • API String ID: 2285944120-0
      • Opcode ID: 55ba169a4eefcc497a3b6bafbf9d2d64fc2d1590cf7ddf6b7db7556cef167581
      • Instruction ID: 03ce1bb7ed0933ad1d2cf95a71dd9248560e1b5eafa4e1e2664e1e2698d04ee1
      • Opcode Fuzzy Hash: 55ba169a4eefcc497a3b6bafbf9d2d64fc2d1590cf7ddf6b7db7556cef167581
      • Instruction Fuzzy Hash: 25D0A73754D92A234A11255DFC108E97B3B8F417F131C0035F9089A751CE11DDC152D8
      APIs
      • CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • CoInitializeEx.COMBASE(00000000,00000004), ref: 00635213
      Similarity
      • API ID: Initialize
      • String ID:
      • API String ID: 2538663250-0
      • Opcode ID: e3fdc34bc2e05d79fce93330ceda5e4539fc01497b4e2b5cd3bba3e01c7a1133
      • Instruction ID: 4b54af3384ba57e0eb7ca458881e0352f0f8f67e609e995818aca8066d58f778
      • Opcode Fuzzy Hash: e3fdc34bc2e05d79fce93330ceda5e4539fc01497b4e2b5cd3bba3e01c7a1133
      • Instruction Fuzzy Hash: AED012727C268167F7600B616C69F561A4EA781F66F181002F7539F0C0D76684246698
      APIs
      • RoActivateInstance.COMBASE(?,00000000), ref: 0062170F
      Similarity
      • API ID: ActivateInstance
      • String ID:
      • API String ID: 676622152-0
      • Opcode ID: e21b35ea1a71952130eaf03bcd411113cf09f7ef624f57b9d9fe907bf0862a02
      • Instruction ID: 27ce7e8f487e2bd9b43a221c4442499635a65faeaa9d4d0662a068d46e17316f
      • Opcode Fuzzy Hash: e21b35ea1a71952130eaf03bcd411113cf09f7ef624f57b9d9fe907bf0862a02
      • Instruction Fuzzy Hash: 7001887A604524AF8711CF58D884D5EBBFEEBC976071400A5E60ADB310CA71AD02CB90
      APIs
      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,005C0000,?), ref: 005E79CF
        • Part of subcall function 005E7A66: ActivateActCtx.KERNEL32(?,005E7910,006785C0,00000018,0060177F,?,80004005,00000000), ref: 005E7ABA
      Similarity
      • API ID: ActivateCreateWindow
      • String ID:
      • API String ID: 2169890993-0
      • Opcode ID: 43c5ed20b505ce1b0971565a66e9ff25107342339dc72103049f5b3bd0cf457c
      • Instruction ID: 73e2ce8d0af0a31d09b915d4f295ff91714013d444627f7af0e81a9a4376c032
      • Opcode Fuzzy Hash: 43c5ed20b505ce1b0971565a66e9ff25107342339dc72103049f5b3bd0cf457c
      • Instruction Fuzzy Hash: D3012972900259AFCF15DFA58C018EEBFB6FF4C750B144119F954A3261CB318A11DF60
      APIs
      • RegisterClassExW.USER32 ref: 005E74B3
        • Part of subcall function 005E7A66: ActivateActCtx.KERNEL32(?,005E7910,006785C0,00000018,0060177F,?,80004005,00000000), ref: 005E7ABA
      Similarity
      • API ID: ActivateClassRegister
      • String ID:
      • API String ID: 1605589000-0
      • Opcode ID: 35fb5cad6a681289780784a160d277eb9e1acabb0cd1012c999326740a9e4822
      • Instruction ID: ae934a6335c6156fc9ac9dde9b5ac5c7ec6efceedcf79fdac80c96197483a014
      • Opcode Fuzzy Hash: 35fb5cad6a681289780784a160d277eb9e1acabb0cd1012c999326740a9e4822
      • Instruction Fuzzy Hash: ABF0823691429EAECF18EFB18C051EEBEB2BF5C790B49522AD054A3290EF344601DB19
      APIs
      • LoadLibraryW.KERNELBASE(?,006784A0,?,005E1559,-8007000E,00000000,?,005E14F5,?), ref: 005E1614
        • Part of subcall function 005E7A66: ActivateActCtx.KERNEL32(?,005E7910,006785C0,00000018,0060177F,?,80004005,00000000), ref: 005E7ABA
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ActivateLibraryLoad
      • String ID:
      • API String ID: 389599620-0
      • Opcode ID: da3d57e48d0b4097103cc34d36b761f637ce40a8a5dc3ca13ae24d7905569462
      • Instruction ID: 670bafdc91642ef80a4948998cad65ebc1a474d003ded16bc942c456c4b7719b
      • Opcode Fuzzy Hash: da3d57e48d0b4097103cc34d36b761f637ce40a8a5dc3ca13ae24d7905569462
      • Instruction Fuzzy Hash: C5F0A771D00756DBCF19AFB68C051ADBAB2BB88B50B58051AE084A7690CB744A01DF68
      APIs
      • LdrResolveDelayLoadedAPI.NTDLL(005C0000,?,?,?,00618F50,00678B34,00695050), ref: 006135DF
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DelayLoadedResolve
      • String ID:
      • API String ID: 841769287-0
      • Opcode ID: 664f538c93a0bca39a411112322eceff71d525b5c3a61e84fb6f0084e5e404f4
      • Instruction ID: 5ddb8294f7d1a54ca4dc06f870c4cc0b419d9d599d00ee5488535b17593c777b
      • Opcode Fuzzy Hash: 664f538c93a0bca39a411112322eceff71d525b5c3a61e84fb6f0084e5e404f4
      • Instruction Fuzzy Hash: E6D09232045108FF8F126FD1AC04D953F76F759321B45A106F6190043087734024EB68
      APIs
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,006030DB,?,?,00000000,?,?,?,00000000,?,?), ref: 0063D672
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID:
      • API String ID: 1452528299-0
      • Opcode ID: 8226df957872354ce604f3363bbd8cc25cbff916a561b3add22e75eb4914a719
      • Instruction ID: 9d0a9ec5b779a0bb64d91f72e24b1a400742b02dde837a0c1ae44b5d7e9ae246
      • Opcode Fuzzy Hash: 8226df957872354ce604f3363bbd8cc25cbff916a561b3add22e75eb4914a719
      • Instruction Fuzzy Hash: DA21AD71A10124EBDB29CB5AD845AEBB7AFEF45310F1480AAE81A97350DA706E01D6E0
      APIs
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,006030B6,?,?), ref: 0063D786
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast
      • String ID:
      • API String ID: 1452528299-0
      • Opcode ID: 46c73c189d32f4299db5f3f713ea8c9c9c10a0c13b5210c29845d6311942345d
      • Instruction ID: 4c5b07396699c2fd03345b201b14d08e2b6bebc90cdb8c221074d122c355289e
      • Opcode Fuzzy Hash: 46c73c189d32f4299db5f3f713ea8c9c9c10a0c13b5210c29845d6311942345d
      • Instruction Fuzzy Hash: C501DB71A01349BFEB208FA59DC0AEBBBEDEB04310F10016AB949D6341D670DE04D7A0
      APIs
        • Part of subcall function 005EFF00: OpenProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000400,00000000,?,?,?,005EFE47,00000000,?,00000000,?,00000000,?), ref: 005EFF31
        • Part of subcall function 005EFF00: GetProcessTimes.KERNELBASE(00000000,?,?,?,?), ref: 005EFF53
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000000,00000000,?,0062DCE4,?,00000000,?,00000000,?,0062DCE4,?), ref: 005E8151
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Process$CloseHandleOpenTimes
      • String ID:
      • API String ID: 181107442-0
      • Opcode ID: 15e9bf7836fd8b0dabd9448528711f9ab6df4e3f102dae91501c472a07fc5425
      • Instruction ID: 63e25b24e3c756fe1c47680e1f5b6e4e5ee6a14ddbf06bfdd3e01b97268bc20f
      • Opcode Fuzzy Hash: 15e9bf7836fd8b0dabd9448528711f9ab6df4e3f102dae91501c472a07fc5425
      • Instruction Fuzzy Hash: 81F0B43660115977CB195A4A8C05BEEBBAAFBC5371F144225F99893380CF358D0693A1
      APIs
      • EndDialog.USER32(?,00000002), ref: 0064B274
      • GetDlgItem.USER32(?,0000878F), ref: 0064B285
      • GetDlgItem.USER32(?,00008790), ref: 0064B29E
      • SendMessageW.USER32(00000000), ref: 0064B2A5
      • SendMessageW.USER32(?,0000102C,00000001,0000F000), ref: 0064B309
      • EndDialog.USER32(?,00000001), ref: 0064B337
      • GetDlgItem.USER32(?,00008790), ref: 0064B359
      • SendMessageW.USER32(00000000), ref: 0064B360
      • GetDlgItem.USER32(?,0000878E), ref: 0064B39F
      • GetWindowTextW.USER32(00000000), ref: 0064B3A6
      • GetDlgItem.USER32(?,0000878E), ref: 0064B3D4
      • SetWindowTextW.USER32(00000000), ref: 0064B3DB
      • GetDlgItem.USER32(?,0000878F), ref: 0064B3E7
      • SetWindowTheme.UXTHEME(00000000,Explorer,00000000), ref: 0064B3F8
      • SendMessageW.USER32(00000000,00001036,00000000,00000064), ref: 0064B407
      • memset.MSVCRT ref: 0064B417
      • GetClientRect.USER32(00000000,?), ref: 0064B427
      • GetSystemMetrics.USER32(00000002), ref: 0064B437
      • SendMessageW.USER32(00000000,00001061,00000000,?), ref: 0064B459
      • LoadStringW.USER32(00008794,?,00000104), ref: 0064B494
      • GetDlgItem.USER32(?,00008790), ref: 0064B4A0
      • SendMessageW.USER32(00000000,0000014A,?,?), ref: 0064B4EC
      • SendMessageW.USER32(00000000,00000151,?,?), ref: 0064B4FE
      • SendMessageW.USER32(?,0000014E,?,00000000), ref: 0064B528
      • GetDlgItem.USER32(?,0000878F), ref: 0064B54F
      • GetDlgItem.USER32(?,00008790), ref: 0064B592
      • SendMessageW.USER32(00000000), ref: 0064B599
      • SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 0064B5E6
      • SendMessageW.USER32(?,0000102B,00000001,?), ref: 0064B633
      • GetDlgItem.USER32(?,00000001), ref: 0064B656
      • EnableWindow.USER32(00000000), ref: 0064B65D
      • SendMessageW.USER32(?,0000102C,00000001,0000F000), ref: 0064B68C
      • GetDlgItem.USER32(?,00000001), ref: 0064B6C4
      • EnableWindow.USER32(00000000), ref: 0064B6CB
      • SendMessageW.USER32(?,0000102B,00000000,?), ref: 0064B713
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: MessageSend$Item$Window$DialogEnableText$ClientLoadMetricsRectStringSystemThemememset
      • String ID: Explorer
      • API String ID: 375462624-512347832
      • Opcode ID: aa48951a532a0bed573035e1e251257ca13fcc3f923b2c630415088816956acb
      • Instruction ID: 9552e009be28ebf2d5adeb0da47da2716290ad8ce1d2c23f9d90017de828eced
      • Opcode Fuzzy Hash: aa48951a532a0bed573035e1e251257ca13fcc3f923b2c630415088816956acb
      • Instruction Fuzzy Hash: 9FD195B1A00214EFDB209F65DC88EAABBBEFB48710F446299F609D7251CB749D81CF54
      APIs
      • StrToID.DUI70(adapter,?,?,00000000), ref: 0065F048
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000), ref: 0065F055
      • StrToID.DUI70(wwan,?,?,00000000), ref: 0065F0C1
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000), ref: 0065F0CE
      • StrToID.DUI70(wifi,?,?,00000000), ref: 0065F13C
      • StrToID.DUI70(netname,?,?,00000000), ref: 0065F1B1
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000), ref: 0065F1BE
      • StrToID.DUI70(netname_Label,00000000,?,?,netname,00000001,00000001,?,?,00000000), ref: 0065F208
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000), ref: 0065F215
      • LoadStringW.USER32(?,?,00000080), ref: 0065F254
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,00000080,?,?,00000000), ref: 0065F27E
      • StrToID.DUI70(ipv4,?,?,00000000), ref: 0065F321
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000), ref: 0065F32E
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,00000080,?,?,00000000), ref: 0065F28D
        • Part of subcall function 006248D2: ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 00624951
        • Part of subcall function 006248D2: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0062495E
        • Part of subcall function 006248D2: ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(?,?,00000000,00000000), ref: 0062497C
        • Part of subcall function 006248D2: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006249A8
        • Part of subcall function 006248D2: StrToID.DUI70(?), ref: 006249C5
        • Part of subcall function 006248D2: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 006249D8
        • Part of subcall function 006248D2: ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD), ref: 00624A52
        • Part of subcall function 006248D2: ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,?,00000000,00000000), ref: 006249EB
        • Part of subcall function 006248D2: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00624A17
        • Part of subcall function 006248D2: StrToID.DUI70(?), ref: 00624A34
        • Part of subcall function 006248D2: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 00624A44
      • StrToID.DUI70(netType,?,?,00000000), ref: 0065F299
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000), ref: 0065F2A6
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000), ref: 0065F149
        • Part of subcall function 006248D2: ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,00000000,00000000), ref: 00624919
        • Part of subcall function 006248D2: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00624926
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Descendent@FindV12@$CurrentThread$LayoutPos@$ContentName@String@$LoadString
      • String ID: adapter$base\diagnosis\pdui\atm\main\networkview.cpp$ipv4$ipv6$netType$netname$netname_Label$signal$wifi$wwan
      • API String ID: 848193257-2870819748
      • Opcode ID: 78ed17bb090f15b27b0b53c9904e4058b07a2189d5295414099137c4cff316a7
      • Instruction ID: 35893f4cc7ffe23d003a86ee62609c8178fcfff91f641974dd2d9320c913705e
      • Opcode Fuzzy Hash: 78ed17bb090f15b27b0b53c9904e4058b07a2189d5295414099137c4cff316a7
      • Instruction Fuzzy Hash: 0BC1C170700B15BBEB255BA0CC99F7B36ABEB58702F10813DF946862C1DFA4DD499B50
      APIs
      • memset.MSVCRT ref: 005DF115
      • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?), ref: 005DF151
        • Part of subcall function 005FE8BF: PathIsNetworkPathW.SHLWAPI(?,?,?,00000001,00000001,?,?,00000000), ref: 005FE8F5
        • Part of subcall function 005FE8BF: Shell_GetCachedImageIndexW.SHELL32(?,00000000,00000000), ref: 005FE91D
      • SHGetSpecialFolderPathW.SHELL32(00000000,?,005D40E0,00000000,00000000,08000000,00000000,00000003,005EEDD6), ref: 005DF167
      • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 005DF1AD
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005DF312
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,00000001,?,?), ref: 005DF319
      • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000012), ref: 005DF32F
      • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 005DF371
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Find$Path$CloseFileHeap$CachedFirstFolderFreeImageIndexNetworkNextProcessShell_Specialmemset
      • String ID: Error code - 0x%08x$%d FAIL: 0x%08x$%s\%s$%s\*.*$TM: Failed to Get approval status of item at Run Location.$WdcStartupMonitor::LoadFolderList$base\diagnosis\pdui\atm\main\startup.cpp$desktop.ini
      • API String ID: 3675598325-150666664
      • Opcode ID: 5b4a922537ef748fb385c20a5f2fb909f796c9bd97836f55d81a148ae02754b7
      • Instruction ID: def2448c9bfa6e2f408791fbfbbdd1fb4c73c7a4836f67fe9ec904cf7a37e84b
      • Opcode Fuzzy Hash: 5b4a922537ef748fb385c20a5f2fb909f796c9bd97836f55d81a148ae02754b7
      • Instruction Fuzzy Hash: 0BA1B876A0122DABCB318BA4CC45AEE7B79FF49710F0445D6F50AA2690D7348F84CF51
      APIs
      • UpdateWindow.USER32(00000000), ref: 005F81F1
      • AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 005F8262
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000), ref: 005F826C
      • CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000000,00000000,?,00000000), ref: 005F828D
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000), ref: 005F8297
      • FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,00000000), ref: 005F82C1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$AllocateCheckFreeInitializeMembershipTokenUpdateWindow
      • String ID: %d FAIL: 0x%08x$AtmView::UpdateParentRow$DPA_GetPtr$TmAppViewItem$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 663239718-2919716559
      • Opcode ID: 8b301149a18a5e02f40d0dc1fe58e7873b02c70d72a57b57c6e57bdb1b9b3128
      • Instruction ID: bfe64f324083bef634d4de71f187c97b54059b614cc7430b4efe1c2aa2bcea63
      • Opcode Fuzzy Hash: 8b301149a18a5e02f40d0dc1fe58e7873b02c70d72a57b57c6e57bdb1b9b3128
      • Instruction Fuzzy Hash: 7232B131A0061AAFDF25DFA4CD84BBEBFB6FF48300F140519EA55A7290DB39A941CB51
      APIs
      • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00000000,00000000,00000000,0000000A,00000000,00000000,?), ref: 0066D49E
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0066D4A8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0066D4CB
      • NtQueryObject.NTDLL ref: 0066D500
      • RtlNtStatusToDosError.NTDLL ref: 0066D511
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0066D541
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0066D548
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0066D55E
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0066D565
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066D58A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0066D5A6
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0066D5CE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentThread$ErrorHandleProcess$AllocCloseDuplicateFreeLastObjectQueryStatus
      • String ID: %d FAIL: 0x%08x$TmEndTaskHandler::_GetObjectTypeInfoForHandle$base\diagnosis\pdui\atm\main\endtask.cpp
      • API String ID: 1997462918-3869986483
      • Opcode ID: ee524f5edff38ca8bd17df24f8edbd0a91e51009f0a70ffe1ec1f71980e7e5fb
      • Instruction ID: c7e22cc542b83fb73bc9bc7f8a1421a41c62a18175e8279a42e98b025b69f816
      • Opcode Fuzzy Hash: ee524f5edff38ca8bd17df24f8edbd0a91e51009f0a70ffe1ec1f71980e7e5fb
      • Instruction Fuzzy Hash: 34417C76E00229AFDB109F99DC48AAABBAAFF48714F051255FD06E7760D770DD018BA0
      APIs
        • Part of subcall function 005EBE88: NtQuerySystemInformation.NTDLL(0000004F,?,00000014,?), ref: 005EBEA7
        • Part of subcall function 005EBE88: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000014,?), ref: 005EBECC
        • Part of subcall function 005EBE88: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000014,?), ref: 005EBED3
        • Part of subcall function 005EBE88: NtQuerySystemInformation.NTDLL(0000004F,?,00000014,?), ref: 005EBEF1
      • memset.MSVCRT ref: 005EC0BB
      • NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EC0D1
      • GetPhysicallyInstalledSystemMemory.API-MS-WIN-CORE-SYSINFO-L1-2-1(?), ref: 005EC0E4
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005EC102
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005EC326
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 005EC337
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005EC33E
      • RtlNtStatusToDosError.NTDLL ref: 00637F2F
      • RtlNtStatusToDosError.NTDLL ref: 00637F3B
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00637F46
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: HeapSystem$ErrorInformationQuery$CriticalProcessSectionStatus$AllocEnterFreeInstalledLastLeaveMemoryPhysicallymemset
      • String ID: -$Chuk
      • API String ID: 809405552-2046584487
      • Opcode ID: f7cc6f2cd8beae4dfde7d8f0e1d0620065d1d510977c84735ede8464ea5b1777
      • Instruction ID: 49780cb90c38a77193caae5b0b00b11d07402f9053f748890b794c63d1dac962
      • Opcode Fuzzy Hash: f7cc6f2cd8beae4dfde7d8f0e1d0620065d1d510977c84735ede8464ea5b1777
      • Instruction Fuzzy Hash: AAA144B0908340DFDB48CF29C88875ABBE5FF88314F149A9DE8989B295D771D805CF96
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?), ref: 0065B412
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmMemoryView::UpdateMemUsage$base\diagnosis\pdui\atm\main\memoryview.cpp$|%h$$h
      • API String ID: 2882836952-1886777501
      • Opcode ID: 7bd7d10204ec3da198f3514d3fccba03416ee6e670203835d583108b2fced126
      • Instruction ID: 9b625e46145577188d193c0b0f1808bcdbdbd60ed86c386014b6eac6b1647b6f
      • Opcode Fuzzy Hash: 7bd7d10204ec3da198f3514d3fccba03416ee6e670203835d583108b2fced126
      • Instruction Fuzzy Hash: 18B1CDB1E00A0CEBDB159FA4E895BEEBFBAFF88310F110559F849A6280DB345854CB55
      APIs
      • memset.MSVCRT ref: 005EB32D
        • Part of subcall function 005EB69F: NtOpenFile.NTDLL(005EB349,0012019F,00000018,?,00000007,00000020), ref: 005EB6DB
      • DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0(00000000,0017003E,00685750,0000003C,?,000002D0,?,00000000), ref: 005EB382
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 005EB391
      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 005EB459
      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(0000007A), ref: 00637A92
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00637A9F
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00637AA8
      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00637AAF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$CloseHandle$ControlDeviceFileOpenmemset
      • String ID: h
      • API String ID: 3697352567-2439710439
      • Opcode ID: 8751e1745f09c3a6ef2b15ad596933b262a4467516a353e7ae090ca6a10765ce
      • Instruction ID: 8684d51145239dae387d3025c2dbea146e7e7ade236749fc8e4f2f88e416a8e6
      • Opcode Fuzzy Hash: 8751e1745f09c3a6ef2b15ad596933b262a4467516a353e7ae090ca6a10765ce
      • Instruction Fuzzy Hash: D251B47150129ACFEF28CF16C8846AABB66FF04712F58469AE5859B293D770DD40CF80
      APIs
      • GetCurrentThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000017,?,?,00000000,00000000,7FFE0018,?,?,?,?,005EC5B6), ref: 006500C9
      • NtQueryInformationThread.NTDLL(00000000), ref: 006500D0
      • RtlNtStatusToDosError.NTDLL ref: 006500DB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,005EC5B6), ref: 006500F9
      Strings
      • WdcGetTimeStampCounter, xrefs: 0065010A
      • base\diagnosis\pdui\atm\main\process.cpp, xrefs: 0065010F
      • %d FAIL: 0x%08x, xrefs: 00650100
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Thread$Current$ErrorInformationQueryStatus
      • String ID: %d FAIL: 0x%08x$WdcGetTimeStampCounter$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 4069618809-2284518187
      • Opcode ID: 723ce8c46bfbe52ba7bbe7d7e0e40a4a49b60ab32841c06953cedd05c64ecab6
      • Instruction ID: 0f043e3b32192cedb368aa066bb3fa7bfe59c65787e92633cd0703207818c01c
      • Opcode Fuzzy Hash: 723ce8c46bfbe52ba7bbe7d7e0e40a4a49b60ab32841c06953cedd05c64ecab6
      • Instruction Fuzzy Hash: F5012271A40259BFE720ABE99C0AEABBB6AEB00711F001118FD05E7381CA30CC04C7A4
      APIs
      • IsIconic.USER32(?), ref: 0066C46C
      • ShowWindowAsync.USER32(?,00000009), ref: 0066C479
      • GetLastActivePopup.USER32(?), ref: 0066C480
      • IsWindow.USER32(00000000), ref: 0066C489
      • GetWindowLongW.USER32(00000000,000000F0), ref: 0066C496
      • ShowWindow.USER32(00000006), ref: 0066C4B4
      • SwitchToThisWindow.USER32(00000000,00000001), ref: 0066C4BD
      • MessageBeep.USER32(00000000), ref: 0066C4C7
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Window$Show$ActiveAsyncBeepIconicLastLongMessagePopupSwitchThis
      • String ID:
      • API String ID: 79078998-0
      • Opcode ID: b1cad55505a80b1cde034b8912338f7c550abcedef1d3f1096210e52753347bc
      • Instruction ID: d9dcf499de2e997ccbdd44a8af4311b5cb1d2ddc6c03b0ca5bc87267ae45b60c
      • Opcode Fuzzy Hash: b1cad55505a80b1cde034b8912338f7c550abcedef1d3f1096210e52753347bc
      • Instruction Fuzzy Hash: CFF03A31205B20BBE7215B30AC0DBBE3AABEF49762F147205F546A11F0DF648945CBA5
      APIs
      • NtQuerySystemInformationEx.NTDLL ref: 006132AF
      • RtlNtStatusToDosError.NTDLL ref: 006132CB
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorInformationQueryStatusSystem
      • String ID:
      • API String ID: 2886859707-0
      • Opcode ID: bafe52409214715e0422a1102d48b20149f16bf0139fd1d4d0d5c874c7d71c2c
      • Instruction ID: f7947273edc8ec19c09754792f38294eb4329ece10a5ad55d9f910e0528d933f
      • Opcode Fuzzy Hash: bafe52409214715e0422a1102d48b20149f16bf0139fd1d4d0d5c874c7d71c2c
      • Instruction Fuzzy Hash: 0B01D671504616AFCB28ABA5CC15AF676EAFB08310B18452DF643CA350D731EF449760
      APIs
      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000500,?,00000000,00000000,-0000911E,00000000,?,00000000,?,?,006158A3,?,?,?,?,00008D09), ref: 005F80D2
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,006158A3,?,?,?,?,00008D09,?,-0000911E,?), ref: 00639A69
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorFormatLastMessage
      • String ID:
      • API String ID: 3479602957-0
      • Opcode ID: 0014a0206f4ab0e8d4ae124935ba48f1f1a4d3134cd67daab83f13122b03eb91
      • Instruction ID: dffcf63d5eb39926027f81de98f524aa7dade843151da3342ed7bd308a07e191
      • Opcode Fuzzy Hash: 0014a0206f4ab0e8d4ae124935ba48f1f1a4d3134cd67daab83f13122b03eb91
      • Instruction Fuzzy Hash: 48F0307790113DBB8B204A959C08AEB7EADFF457A1F115252FE09D7110EA719E00D7E0
      APIs
      • NtPowerInformation.NTDLL(0000002E,?,00000002,00600F99,?), ref: 0061D48E
      • RtlNtStatusToDosError.NTDLL ref: 0061D499
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorInformationPowerStatus
      • String ID:
      • API String ID: 2580896533-0
      • Opcode ID: 64ec58c395f6f9e6c58fd5de03997227f058011280c963b14e237e1c194d8c0a
      • Instruction ID: 4f9b917ce8cae263f6abab0e0604707507e2a86211230ad7368470a8e45a49d2
      • Opcode Fuzzy Hash: 64ec58c395f6f9e6c58fd5de03997227f058011280c963b14e237e1c194d8c0a
      • Instruction Fuzzy Hash: 01E0D83124020ABFDB10DE69CC09FEA77DEAB50711F0CC018B905CB2A2EA74F9509BA0
      APIs
      • ZwQueryWnfStateData.NTDLL(?,00000000,00000000,?,00000000,?,?,?,?,00000000,?,?,?), ref: 0061D1EB
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DataQueryState
      • String ID:
      • API String ID: 1805558623-0
      • Opcode ID: 6c213dc674a1e1e28aa8e5a3936d57e1c617fad758169f6b9942c4930e1f3271
      • Instruction ID: cafde0a7f99356062a3cec3dd321090571a4da2841fa558781b3dbeaad134b01
      • Opcode Fuzzy Hash: 6c213dc674a1e1e28aa8e5a3936d57e1c617fad758169f6b9942c4930e1f3271
      • Instruction Fuzzy Hash: 791170B1E00209AFCB14CF98D8559EFB7F9EB44310F18056FE626E3200E7709A84CB95
      APIs
      • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00642481), ref: 00619163
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DebuggerPresent
      • String ID:
      • API String ID: 1347740429-0
      • Opcode ID: 369d6e4ef82241d445a09dc1272d16d25ae06607bb522453723e31c5e5ab94b6
      • Instruction ID: 9cb78041ec82209ef1a7f1950ef84b511ad2dfa257070f790547c768863efa01
      • Opcode Fuzzy Hash: 369d6e4ef82241d445a09dc1272d16d25ae06607bb522453723e31c5e5ab94b6
      • Instruction Fuzzy Hash: 2EE08631E051637BD7150B54ACEE7FA278A0B117C4B0D2115D40297320C7D18CC697F0
      APIs
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,00000000,?,00000000,005E93C6,00000000,00000000,00000000,00000000,?,0062DCE4,?), ref: 005E82EF
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: FreeHeap
      • String ID:
      • API String ID: 3298025750-0
      • Opcode ID: 5acb8fc83538b0d3ac70d636db8c3b0b625c26d538d905b5c372b2414d828635
      • Instruction ID: 67d5ecc6bd227105d1ef469db024fa14ff2c3638c10fefef8b4d4d116141192b
      • Opcode Fuzzy Hash: 5acb8fc83538b0d3ac70d636db8c3b0b625c26d538d905b5c372b2414d828635
      • Instruction Fuzzy Hash: 8DE05E36020A50DFD7369F14D904B617BF1FB54722F21085DE2C5424A0D7B48C80DB44
      APIs
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006083E8
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006083F3
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0060841E
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00608425
      • memset.MSVCRT ref: 00608435
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00608447
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0060844E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0060847F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 006084AC
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentErrorLastProcessThread$AllocFreememset
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcLoadString$WdcServiceCache::AssignGroupStringAndExePath$WdcServiceCache::AssignServiceHostFriendlyName$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\processcommon.cpp$base\diagnosis\pdui\atm\main\servicecache.cpp$svchost.exe
      • API String ID: 33999035-52863069
      • Opcode ID: 4f7f95bd7fdb7015f39eceb670a2b2fff2cc458e0d4e71c0b5a0a5895aebfe7f
      • Instruction ID: a7679fc407db0432d27744a72d45aa9c3d493cc5e108eeba7c5ce71ce071d20b
      • Opcode Fuzzy Hash: 4f7f95bd7fdb7015f39eceb670a2b2fff2cc458e0d4e71c0b5a0a5895aebfe7f
      • Instruction Fuzzy Hash: EAC13972A80215AFDB28DFA49C49F9B7BA6FF54710F101258F949AB2C1DB70CD418BA1
      APIs
      • memset.MSVCRT ref: 00627288
      • memset.MSVCRT ref: 0062729B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000001,-000000D8), ref: 006272E3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003,?,00000001,-000000D8), ref: 0062731A
      • StrToID.DUI70(engineSelector), ref: 00627341
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 00627351
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 00627369
        • Part of subcall function 00626032: memset.MSVCRT ref: 00626064
        • Part of subcall function 00626032: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 00626078
        • Part of subcall function 00626032: ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001), ref: 006261C4
      • StrToID.DUI70(engineUtilizationRate), ref: 0062738D
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 0062739D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 006273B5
      • ?SetID@Element@DirectUI@@QAEJPBG@Z.DUI70(-000000D0), ref: 006273F7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00627404
      • StrToID.DUI70(engineTitle), ref: 00627428
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 00627438
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 00627450
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 006274B3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006274C0
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 006274E6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006274F3
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$DirectElement@$Descendent@FindV12@memset$ContentDestroy@Name@String@
      • String ID: %d FAIL: %s is null$%d FAIL: 0x%08x$AtmGpuView::LoadSingleEngineView$base\diagnosis\pdui\atm\main\gpuview.cpp$engineChart$engineSelector$engineTitle$engineUtilizationRate$pEngine$pri_eng_%d_%d_%d$sel_eng_%d_%d_%d
      • API String ID: 2449808550-3153837685
      • Opcode ID: 5bcb007c4b35409864347c4fda7388bd6a5a7fee212e1deb119ddcf53a213c7f
      • Instruction ID: 38036fb46d2e3a4fdf1e4d1146f25a0885c541f88cf1ad8fcbeda19feb093a6f
      • Opcode Fuzzy Hash: 5bcb007c4b35409864347c4fda7388bd6a5a7fee212e1deb119ddcf53a213c7f
      • Instruction Fuzzy Hash: 4FC1E771A44725BFEB119F64EC45FAA3AAAFB04304F0412A5FD49EB282DB748940CF61
      APIs
        • Part of subcall function 005FCBB4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000170,00000003,00000000,00000000,00000000,?,005FC84B,?,00002000,00000000,00000000,00000000,00000000,?,?), ref: 005FCBD2
        • Part of subcall function 005FCBB4: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,005FC84B,?,00002000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000001,?,?), ref: 005FCBD9
        • Part of subcall function 005FCBB4: memset.MSVCRT ref: 005FCBF0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,-00000007,0002A000,00000000,00000000,00000000,?,?,-00000007,00000000,?,?,?,?,005DF490,00000003), ref: 0066F315
      • SysFreeString.OLEAUT32(?), ref: 0066F348
      • SysAllocString.OLEAUT32(-00000007), ref: 0066F357
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,005DF490,00000003), ref: 0066F36C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?,005DF490,00000003), ref: 0066F391
      • SysFreeString.OLEAUT32(?), ref: 0066F3B1
      • SysAllocString.OLEAUT32(?), ref: 0066F3C0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,005DF490,00000003), ref: 0066F3D5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?,005DF490,00000003), ref: 0066F3FA
      • SysFreeString.OLEAUT32(?), ref: 0066F41D
      • SysAllocString.OLEAUT32(?), ref: 0066F42D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,005DF490,00000003), ref: 0066F441
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?,005DF490,00000003), ref: 0066F466
      • SysFreeString.OLEAUT32(?), ref: 0066F489
      • SysAllocString.OLEAUT32(?), ref: 0066F497
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,005DF490,00000003), ref: 0066F4AB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?,005DF490,00000003), ref: 0066F4D0
      • SysFreeString.OLEAUT32(?), ref: 0066F4F3
      • SysAllocString.OLEAUT32(?), ref: 0066F501
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,005DF490,00000003), ref: 0066F515
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?,005DF490,00000003), ref: 0066F53A
      • SysFreeString.OLEAUT32(?), ref: 0066F55D
      • SysAllocString.OLEAUT32(?), ref: 0066F56B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,005DF490,00000003), ref: 0066F57F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?,005DF490,00000003), ref: 0066F5A4
      • SysFreeString.OLEAUT32(?), ref: 0066F5C5
      • SysAllocString.OLEAUT32(?), ref: 0066F5D2
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0066F5E8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?,005DF490,00000003), ref: 0066F60D
      • SysFreeString.OLEAUT32(?), ref: 0066F62B
      • SysAllocString.OLEAUT32(?), ref: 0066F638
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0066F64E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0066F673
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$String$Alloc$Free$Heap$Processmemset
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcStartupMonitor::SetPackagedData$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\startup.cpp
      • API String ID: 548177390-3361011342
      • Opcode ID: 7780986f5390a80d731dedbded75d5992357002b9bb0aebe0ba7f8793bdef82b
      • Instruction ID: 2f39d4df6be6baf867c30c918fe1eeb95e467c97cf368f9c91c43c779a9d7c36
      • Opcode Fuzzy Hash: 7780986f5390a80d731dedbded75d5992357002b9bb0aebe0ba7f8793bdef82b
      • Instruction Fuzzy Hash: 4CD19FB0A01305BFDB199F64AC49FDABFA9FF05705F045228F909AA251D7709D80CBE5
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000000,?,?), ref: 005FC211
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005FC218
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005FC22E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,00000002,?,00000000), ref: 005FC290
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000), ref: 005FC5F1
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005FC5F8
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001), ref: 005FC606
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005FC622
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 005FC636
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentHeapThread$Process$AllocDestroy@DirectElement@Free
      • String ID: %d FAIL: 0x%08x$AtmViewItem::CreateSmallViewItemFromData$TmFirstColumn$base\diagnosis\pdui\atm\main\colheader.cpp
      • API String ID: 661677169-3738965853
      • Opcode ID: 4b49ea12c62282994cf2616431838c46b2356c3e2f89df74972a4369aefeba14
      • Instruction ID: f699cc81f4424a16220b4d35a3ed54ad97b35fd276eccb2abd723e51c69b4184
      • Opcode Fuzzy Hash: 4b49ea12c62282994cf2616431838c46b2356c3e2f89df74972a4369aefeba14
      • Instruction Fuzzy Hash: 19D15D35A4122DAFCB219F64DD89BAD7FB6FF48710F011295EA09A7261CB349D90CF90
      APIs
      • _ftol2_sse.MSVCRT ref: 005FE410
      • _ftol2_sse.MSVCRT ref: 005FE459
      • ?SetMinSize@Element@DirectUI@@QAEJHH@Z.DUI70(00000000,00000000,?,?,?,?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000), ref: 005FE462
      • GetDC.USER32(?), ref: 005FE48D
      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005FE4A6
      • SelectObject.GDI32(00000000,00000000), ref: 005FE4AE
      • GetTextExtentPointW.GDI32(00000000,005FE1C2,00000002,?), ref: 005FE4F6
      • ReleaseDC.USER32(?,00000000), ref: 005FE50B
      • StrToID.DUI70(Resizer,?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE516
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE526
      • ?HasBorder@Element@DirectUI@@QAE_NXZ.DUI70(?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE534
      • ?HasBorder@Element@DirectUI@@QAE_NXZ.DUI70(?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE548
      • ?HasPadding@Element@DirectUI@@QAE_NXZ.DUI70(?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE55C
      • ?GetPadding@Element@DirectUI@@QAEPBUtagRECT@@PAPAVValue@2@@Z.DUI70(?,?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE570
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE583
      • ?HasPadding@Element@DirectUI@@QAE_NXZ.DUI70(?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE58F
      • ?GetPadding@Element@DirectUI@@QAEPBUtagRECT@@PAPAVValue@2@@Z.DUI70(?,?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE59F
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,?,r^`,005FE1C2,r^`,?,?,?,00605E72,00000000,?,?,?,?), ref: 005FE5B2
      • _ftol2_sse.MSVCRT ref: 005FE5E6
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$Padding@$_ftol2_sse$Border@Release@UtagValue@Value@2@@$Descendent@ExtentFindMessageObjectPointReleaseSelectSendSize@TextV12@
      • String ID: %d FAIL: 0x%08x$AtmColumnHeader::_SetColMinWidth$Resizer$W. $base\diagnosis\pdui\atm\main\colheader.cpp$r^`
      • API String ID: 1911704352-1792715954
      • Opcode ID: bc324495d366fd82a319a1d11958fcf40b1eb208d7a37242aeec408d661fdf00
      • Instruction ID: 7a30981da0ada992de0b93ad93a6299dbfc7af41aa91b5baf110e5675cb34670
      • Opcode Fuzzy Hash: bc324495d366fd82a319a1d11958fcf40b1eb208d7a37242aeec408d661fdf00
      • Instruction Fuzzy Hash: 0F816D34A00209EFCB14DF94E899ABE7BB6FF48300F155599EA06DB361DB309E50DB50
      APIs
      • StrToID.DUI70(005D5A00,?,00000000,?,?,?,?,?,0060707F,?,?,?,?), ref: 00606520
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 0060652D
      • ?GetLayoutPos@Element@DirectUI@@QAEHXZ.DUI70(?,?,?,?,0060707F,?,?,?,?), ref: 0060653C
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,?,?,0060707F,?,?,?,?), ref: 0060654C
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 0060655F
      • StrToID.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 00606576
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 00606583
      • ?GetLayoutPos@Element@DirectUI@@QAEHXZ.DUI70(?,?,?,?,0060707F,?,?,?,?), ref: 006065A1
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(-00000005,?,?,?,?,0060707F,?,?,?,?), ref: 006065B1
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 006065C4
      • StrToID.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 006065F5
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 00606602
      • ?GetLayoutPos@Element@DirectUI@@QAEHXZ.DUI70(?,?,?,?,0060707F,?,?,?,?), ref: 00606610
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 00606620
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(?,?,?,?,?,0060707F,?,?,?,?), ref: 00606633
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,0060707F,?,?,?,?), ref: 00606703
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,0060707F,?,?,?,?), ref: 0060671A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,0060707F,?,?,?,?), ref: 00606731
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,0060707F,?,?,?,?), ref: 00606748
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$LayoutPos@$CurrentThread$Descendent@FindV12@Visible@
      • String ID: %d FAIL: 0x%08x$AtmDashboard::Show$base\diagnosis\pdui\atm\main\dashboard.cpp$dynamic_disk_server
      • API String ID: 332391380-3345140079
      • Opcode ID: 5da05f767d0040cd79a0f08d97024e91d540b0e47c148a53f86cb51ad0578913
      • Instruction ID: 4f97b0403db385c35f8e731cdc1479cea57fe1c3376438761a62f625d300586f
      • Opcode Fuzzy Hash: 5da05f767d0040cd79a0f08d97024e91d540b0e47c148a53f86cb51ad0578913
      • Instruction Fuzzy Hash: 5A91A075B80311AFDB085BA0DC98E7A7B6BFB44705B085229F906E76D1CB75D860CBA0
      APIs
      • PathIsRelativeW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?,?,00000000,?,?,`^_,0063CE3F,?,?,?,?,?,?,005F5E60,?,#0_), ref: 0065309B
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,?,`^_,0063CE3F,?,?,?,?,?,?,005F5E60,?), ref: 006530E7
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,`^_,0063CE3F,?,?,?,?,?,?,005F5E60,?,#0_,?,?,?), ref: 006530EE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,`^_,0063CE3F,?,?,?,?,?,?,005F5E60,?,#0_,?,?,?), ref: 00653105
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentPathProcessRelativeThread
      • String ID: %d FAIL: 0x%08x$TmCombinePath$`^_$base\diagnosis\pdui\atm\main\mrtutils.cpp
      • API String ID: 20178816-3089090812
      • Opcode ID: d3d05e310a85937e4e758e36be3af876cc1d052d19b589c508ef57328c455b05
      • Instruction ID: b5111ca7f605698fa79edd4d3bcf0d8766c645cc5d5c1d5947e27234f5a71140
      • Opcode Fuzzy Hash: d3d05e310a85937e4e758e36be3af876cc1d052d19b589c508ef57328c455b05
      • Instruction Fuzzy Hash: A7610275A00725BFDB245BE89C49EAA3B6AFF08B42F045129FD06E7750D7748F058B60
      APIs
      • GetWindowBand.USER32(?,?), ref: 005FD10E
      • #2574.USER32(?), ref: 005FD11D
      • GetWindow.USER32(?,00000004), ref: 005FD175
      • GetWindowLongW.USER32(?,000000EC), ref: 005FD182
      • IsWindowVisible.USER32(?), ref: 005FD1A9
      • GetClassNameW.USER32(?,?,00000040), ref: 005FD1BF
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,Shell_TrayWnd,000000FF,00000001), ref: 005FD1D9
      • IsWindowVisible.USER32(?), ref: 005FD1F5
      • GhostWindowFromHungWindow.USER32(?), ref: 005FD204
      • SHGetPropertyStoreForWindow.SHELL32(?,005CE574,?), ref: 005FD235
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005FD240
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005FD288
      • PropVariantClear.COMBASE(?), ref: 005FD2B7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?), ref: 005FD2F0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Window$CurrentThread$Visible$#2574BandClassClearCompareFromGhostHungLongNameOrdinalPropPropertyStoreStringVariant
      • String ID: %d FAIL: 0x%08x$MicrosoftEdgeCP.exe$MicrosoftEdgeDevtools.exe$Shell_TrayWnd$WdcWindowMonitor::UpdateWindow$WdcWindowMonitor::_IsFrameWindow$base\diagnosis\pdui\atm\main\window.cpp
      • API String ID: 3586161160-2363237009
      • Opcode ID: f799905605f19bc5e287b94b8f974e772f286a89c3ca0326a17ec9380edfc30f
      • Instruction ID: d48e5df1a9edb6c4fc7defc71951ccc516ec066d617a68e2b2481b62383ca692
      • Opcode Fuzzy Hash: f799905605f19bc5e287b94b8f974e772f286a89c3ca0326a17ec9380edfc30f
      • Instruction Fuzzy Hash: 1BB1CE716043099BDB20DF249888B3A7FFABF95744F044A2DFA85D7290D779D844CBA2
      APIs
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0060F18C
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0060F198
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0060F1AD
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0060F1B9
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0060F1CB
      • StrToID.DUI70(VerticalScrollBar), ref: 0060F1D9
      • ?ExtentProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70 ref: 0060F1E8
      • ?GetSize@Value@DirectUI@@QAEPBUtagSIZE@@XZ.DUI70 ref: 0060F203
      • ?GetSize@Value@DirectUI@@QAEPBUtagSIZE@@XZ.DUI70 ref: 0060F20E
      • ?SetPadding@Element@DirectUI@@QAEJHHHH@Z.DUI70(00000000,00000000,?,00000000), ref: 0060F226
      • ?XOffsetProp@BaseScrollViewer@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70 ref: 0060F22E
      • ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70 ref: 0060F248
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0060F250
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0060F25F
      • ?ExtentProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70 ref: 0060F26A
      • ?GetSize@Value@DirectUI@@QAEPBUtagSIZE@@XZ.DUI70 ref: 0060F285
      • ?XOffsetProp@BaseScrollViewer@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70 ref: 0060F299
      • ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0063FCFD
      • ?SetXOffset@BaseScrollViewer@DirectUI@@QAEJH@Z.DUI70(00000000), ref: 0063FD0A
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0063FD22
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0063FD2E
      • ?ExtentProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70 ref: 0063FD3D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$Info@2@Prop@Property$BaseExtentScrollSize@UtagValue@Viewer@$Offset$D__@@Host@NativeOffset@Padding@Parent@V12@
      • String ID: VerticalScrollBar
      • API String ID: 3891749916-3184073039
      • Opcode ID: d38447b21e8e9ff4a65c1b4f2075f5e1d781a5303a46bd32bd52431a3866bcbc
      • Instruction ID: b8800195969360a204c60e9091c4e60813fb3cb71d5fc049fd7b0d95c9e27e82
      • Opcode Fuzzy Hash: d38447b21e8e9ff4a65c1b4f2075f5e1d781a5303a46bd32bd52431a3866bcbc
      • Instruction Fuzzy Hash: E6519479600245EFCB2CDFA0D9589EA7763FF54311F446228E85687390CF30AD56CB90
      APIs
      • GetDlgItem.USER32(?,000075AC), ref: 0065245F
      • EnableWindow.USER32(00000000), ref: 00652466
      • GetDlgItem.USER32(?,000075AA), ref: 00652474
      • EnableWindow.USER32(00000000), ref: 0065247B
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000000,00000001,00685CC0), ref: 006524DC
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 006524E3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 006524F6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,-0000814A,00007DD4), ref: 00652534
      • GetDlgItem.USER32(?,000075AB), ref: 006525D7
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,-0000814A,00007DD4), ref: 006525E3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,-0000814A,00007DD4), ref: 00652606
      • SetWindowTextW.USER32(00000000,?), ref: 00652625
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,-0000814A,00007DD4), ref: 0065262F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,-0000814A,00007DD4), ref: 00652652
      • GetDlgItem.USER32(?,000075AA), ref: 0065266D
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,-0000814A,00007DD4), ref: 00652679
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,-0000814A,00007DD4), ref: 0065269C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,-0000814A,00007DD4), ref: 006526CD
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,-0000814A,00007DD4), ref: 006526F5
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,-0000814A,00007DD4), ref: 006526FC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$HeapItem$ErrorLastWindow$EnableProcess$AllocFreeText
      • String ID: %d FAIL: 0x%08x$OnPostGetWaitChain$base\diagnosis\pdui\atm\main\waitchain.cpp
      • API String ID: 1467698841-660485515
      • Opcode ID: 7d94205f385d66e9044f704e283324ef7119e40b0fa38fbb0dd65b4ecef5a902
      • Instruction ID: a9e07b76fb096b6643757b91e791a41020efbf357045325e6c27b701d4b0a0ea
      • Opcode Fuzzy Hash: 7d94205f385d66e9044f704e283324ef7119e40b0fa38fbb0dd65b4ecef5a902
      • Instruction Fuzzy Hash: C1A12332E00217BBDB218F94CC64AAE7A77FB06312F154265ED55AB2A1C7749D0ACB90
      APIs
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,00000000,?,?,005EC58D), ref: 00650375
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005EC58D), ref: 00650385
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 006503A8
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006503C7
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000), ref: 006503ED
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006503FD
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00650420
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0065043F
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000), ref: 00650465
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00650475
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00650498
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006504B7
      • CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,0064C2A0,?,00000000,00000000), ref: 006504E3
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 006504F3
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0065051E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00650545
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 0065057C
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00650598
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 006505B4
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 006505D0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$Thread$CloseCreateCurrentHandle$Event
      • String ID: %d FAIL: 0x%08x$WdcProcessMonitor::_CreateHangDetectionThread$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 466786571-977770292
      • Opcode ID: 022a4627681aa88bf419e6c7896f7da23ea3107b6adc24b99982286be3689382
      • Instruction ID: 37a783e6ab436c27197ebd864941eefc3d01c1cb00ce8b64f4bc45d5b9637ebf
      • Opcode Fuzzy Hash: 022a4627681aa88bf419e6c7896f7da23ea3107b6adc24b99982286be3689382
      • Instruction Fuzzy Hash: 6651C5B7D02633BBF7210A685D446E6A99ABB00726F161325FE65F7390D724DC088FE1
      APIs
      • ?Click@Button@DirectUI@@SG?AVUID@@XZ.DUI70(00000002), ref: 006102F0
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 00610303
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 00610314
      • StrToID.DUI70(resmonIcon), ref: 00610322
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 00610333
      • StrToID.DUI70(resmonLaunch), ref: 00610341
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0061034E
      • StrToID.DUI70(servicesIcon), ref: 0061035C
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 00610369
      • StrToID.DUI70(servicesLaunch), ref: 00610377
        • Part of subcall function 0061049C: ?GetID@Element@DirectUI@@QAEGXZ.DUI70(?,00000000,?,?), ref: 006104E5
        • Part of subcall function 0061049C: ?GetID@Element@DirectUI@@QAEGXZ.DUI70(?,00000000,?,?), ref: 0061050C
        • Part of subcall function 0061049C: StrToID.DUI70(CBExpandoButtonImage), ref: 0061051A
        • Part of subcall function 0061049C: PostMessageW.USER32(00000402,?,00000000,?), ref: 0061057C
        • Part of subcall function 00643411: ?StartDefer@Element@DirectUI@@QAEXPAK@Z.DUI70(00000000,005FF139,?,?,?,0061540B,?,?,?,005FF139), ref: 00643426
        • Part of subcall function 00643411: ?EndDefer@Element@DirectUI@@QAEXK@Z.DUI70(00000000,?,0061540B,?,?,?,005FF139), ref: 00643455
        • Part of subcall function 00643411: ?EndDefer@Element@DirectUI@@QAEXK@Z.DUI70(00000000,00000002,?,0061540B,?,?,?,005FF139), ref: 00643474
      • ?KeyboardNavigate@Element@DirectUI@@SG?AVUID@@XZ.DUI70(00000001), ref: 006103EC
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 006103FB
      • StrToID.DUI70(tabctrl), ref: 00610409
      • ?KeyboardNavigate@Element@DirectUI@@SG?AVUID@@XZ.DUI70(00000001), ref: 00610451
      • ?GetKeyWithin@Element@DirectUI@@QAE_NXZ.DUI70 ref: 00610464
      • ?OnEvent@HWNDElement@DirectUI@@UAEXPAUEvent@2@@Z.DUI70(?), ref: 0061048D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$Defer@$KeyboardNavigate@$Button@Click@Event@Event@2@@MessagePostStartWithin@
      • String ID: Open Resource Monitor$Open Services$resmonIcon$resmonLaunch$servicesIcon$servicesLaunch$tabctrl
      • API String ID: 1919918130-2009899650
      • Opcode ID: b5b957bf08e842e6a2be0f83ce044f877359c4039585e6c3f12f100f41f7e6ab
      • Instruction ID: 6191e02412b97ae63cbaea7902b2cc4f6ba15535115014c29f5141328bed781e
      • Opcode Fuzzy Hash: b5b957bf08e842e6a2be0f83ce044f877359c4039585e6c3f12f100f41f7e6ab
      • Instruction Fuzzy Hash: EE41A334100246FFEF209B60D888AE9BBA7FB55314F18912CE62657391DFB4ACD4CB91
      APIs
      • GetThreadPreferredUILanguages.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000008,?,00000000,00601E48,?,00000000,00000000,?,?,?,?,00601E48), ref: 00602389
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00601E48,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?), ref: 0060239E
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?,?), ref: 006023A5
      • GetThreadPreferredUILanguages.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000008,?,00000000,00601E48,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_), ref: 006023C3
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,?,?,?,?,?,?,00601E48,?,?,?,?,005F5E60,?), ref: 00602426
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?), ref: 0060242D
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?), ref: 00602455
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?,?), ref: 0060245C
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?,?,#0_), ref: 0063CF2F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?,?), ref: 0063CF52
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?,?), ref: 0063CF68
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?,?,#0_), ref: 0063CF94
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,00601E48,?,?,?,?,005F5E60,?,#0_,?,?,?), ref: 0063CFB7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$Thread$CurrentProcess$AllocErrorLanguagesLastPreferred$Free
      • String ID: %d FAIL: 0x%08x$MrtGetThreadPreferredUILanguageName$WdcDupString$`^_$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\mrtutils.cpp
      • API String ID: 4285112504-3554588553
      • Opcode ID: 6ff17cb0f464111611294a5a2fb45be839a01b3e32a7a5b19302e9cdb0a5c5eb
      • Instruction ID: e10f94fc66876d0d460641cab33c7bf107e91a4b2670fcd63708c3c47277b094
      • Opcode Fuzzy Hash: 6ff17cb0f464111611294a5a2fb45be839a01b3e32a7a5b19302e9cdb0a5c5eb
      • Instruction Fuzzy Hash: 2F51C376940225BBDB255BA49C09FBB7A6BFF45B10F051259FD06FB280C7748D0187E1
      APIs
      • ?GetWidth@Element@DirectUI@@QAEHXZ.DUI70(00000000,00000000,00000868,?,?,?,?,00000000,?,00000000,?,?,?,?,?), ref: 005FE25F
      • ?SetWidth@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE26C
      • StrToID.DUI70(?,00000000,00000000,00000868,?,?,?,?,00000000,?,00000000,?,?,?,?,?), ref: 005FE28F
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE29B
      • ?SetAccessible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE2A8
      • ?CreateInt@Value@DirectUI@@SGPAV12@HW4DynamicScaleValue@@@Z.DUI70(00000000,00000000,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE2B5
      • ?SetValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZHPAVValue@2@@Z.DUI70(00000001,00000000,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE2CE
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE2D7
      • ?SetBackgroundColor@Element@DirectUI@@QAEJK@Z.DUI70(00000000,?,?,?,?,?,?,00000000,?,00000000,?,?,?,?,?), ref: 005FE308
      • _ftol2_sse.MSVCRT ref: 005FE32E
      • ?SetWidth@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE337
      • StrToID.DUI70(TmGroupRow,0060D750,00000000,00000000,00000868,?,?,?,?,00000000,?,00000000,?), ref: 005FE36C
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE378
      • ?SortChildren@Element@DirectUI@@QAEJP6AHPBX0@Z@Z.DUI70(?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE380
      • StrToID.DUI70(00000001,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE399
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE3A5
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,?,005E7D77), ref: 005FE3BD
      Strings
      • base\diagnosis\pdui\atm\main\colheader.cpp, xrefs: 0063BB45
      • %d FAIL: 0x%08x, xrefs: 0063BB36
      • TmGroupRow, xrefs: 005FE367
      • AtmGroupHeader::UpdateGroupHeader, xrefs: 0063BB40
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$V12@$Descendent@FindValue@Width@$Accessible@BackgroundChildren@Color@CreateDynamicInfo@2@Int@LayoutPos@PropertyRelease@ScaleSortValue@2@@Value@@@_ftol2_sse
      • String ID: %d FAIL: 0x%08x$AtmGroupHeader::UpdateGroupHeader$TmGroupRow$base\diagnosis\pdui\atm\main\colheader.cpp
      • API String ID: 3942269120-4075832031
      • Opcode ID: 3583f9e176815b9c1dea54b1ce704eb978c74aab08193a20c57a1c7d84fa8e57
      • Instruction ID: a2d5021bed9d7f226d7a117a4c1c5a52308521cc7a7293b4926f9041c344f240
      • Opcode Fuzzy Hash: 3583f9e176815b9c1dea54b1ce704eb978c74aab08193a20c57a1c7d84fa8e57
      • Instruction Fuzzy Hash: B751BF75A00209EFCB149FA4DC9DABEBBB6FF48300F102519FA16A72A1DB349D50DB50
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0065516F
      • CoCreateInstance.COMBASE(005CCCE8,00000000,00000017,005D9F40,?), ref: 006551B3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006551C0
      • StringFromCLSID.COMBASE(?,?), ref: 006551E6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006551F3
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000348,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00655229
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00655230
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00655245
      • memset.MSVCRT ref: 0065525F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0065528D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006552C4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006552FA
      • CoTaskMemFree.COMBASE(00000000), ref: 006554E9
      • SysFreeString.OLEAUT32(00000000), ref: 006554FF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$FreeHeapString$AllocCreateFromInstanceProcessTaskmemset
      • String ID: %d FAIL: 0x%08x$CAdapter::WWanSetProperties$Unavailable$base\diagnosis\pdui\atm\main\adapter.cpp
      • API String ID: 2517706041-3930263823
      • Opcode ID: 26da011e7bafbad93e72e7ed1930a25aa302fd633d18c76f8f8429b527151ddc
      • Instruction ID: 1e37e8b8577df63fc3c55376816d8ef19aea64da37a6e245686d842c1c3cc42f
      • Opcode Fuzzy Hash: 26da011e7bafbad93e72e7ed1930a25aa302fd633d18c76f8f8429b527151ddc
      • Instruction Fuzzy Hash: 02D1B071A00605AFDB148F98CC68BBE7BAAEF48306F144069ED0BE7291DB74AD45CB51
      APIs
      • memset.MSVCRT ref: 0062F3F6
      • PathStripPathW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?,?,00000000,00000000,00000000), ref: 0062F44B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F47C
      • _ftol2.MSVCRT ref: 0062F4FE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F5D6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F66C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F68E
      • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(0066D7E0,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F6BA
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F6C4
        • Part of subcall function 0062FDF1: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000038,00000000,00000003,00000000,?,?,?,0062F9C5,?,00000001,?,00000000,?,00000000,00000000), ref: 0062FE08
        • Part of subcall function 0062FDF1: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0062F9C5,?,00000001,?,00000000,?,00000000,00000000,00000000,00000000,80004005,00000000,00000003), ref: 0062FE0F
        • Part of subcall function 0062FDF1: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,0062F9C5,?,00000001,?,00000000,?,00000000,00000000,00000000,00000000,80004005,00000000,00000003), ref: 0062FE26
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F77E
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F785
      • SysFreeString.OLEAUT32(?), ref: 0062F7D3
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F7E6
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F7ED
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F82B
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0062F832
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentThread$FreeProcess$Path$AllocErrorItemLastQueueStringStripUserWork_ftol2memset
      • String ID: %d FAIL: 0x%08x$%u.%u.%u.%u$0.0.0.0$TmEndTaskHandler::QueueKillProcess$base\diagnosis\pdui\atm\main\endtask.cpp
      APIs
      • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,005E60D0,?,?,005E337B), ref: 00604451
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,005E337B), ref: 0060446B
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000), ref: 00604490
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 006044B6
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 006044DC
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E337B), ref: 0063DB50
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063DB77
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(-8007000E), ref: 0063DB8B
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063DBB3
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063DBDA
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063DC01
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063DC14
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063DC3B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063DC62
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063DC78
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063DC9F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063DCC6
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063DCDC
      Similarity
      • API ID: ErrorLast$CurrentThread$CreateEvent$CriticalInitializeSection
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::_InitIconQueues$base\diagnosis\pdui\atm\main\applications.cpp
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000004), ref: 006244E5
        • Part of subcall function 006263F8: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00008455,?,00000000,?,?,?,00624503,00000004), ref: 00626414
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000004), ref: 0062450A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000004,00000004), ref: 00624536
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000), ref: 00624853
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000), ref: 0062487C
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmDashboard::SetDetailPane$base\diagnosis\pdui\atm\main\dashboard.cpp
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000688,?,?,?,?,?,?,005E75F6,?), ref: 0060E082
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,005E75F6,?), ref: 0060E089
      • memset.MSVCRT ref: 0060E09C
        • Part of subcall function 0060EB66: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,00000000,00000003,00000000,00000000,00000688,?,005E75F6,00000000,?,?,005E75F6,?), ref: 0060EB7D
        • Part of subcall function 0060EB66: DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0(000000FF,002D0C14,00000000,00000000,00000008,00000008,00000000,00000000,?,005E75F6,?), ref: 0060EBC0
      • SysAllocString.OLEAUT32(005E75F6), ref: 0060E158
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,005E75F6,?), ref: 0063F40C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005E75F6,?), ref: 0063F425
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,005E75F6,?), ref: 0063F448
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,005E75F6,00000000,?,?,005E75F6,?), ref: 0063F480
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,00000000,005E75F6,00000000,?,?,005E75F6,?), ref: 0063F494
      • RtlCheckPortableOperatingSystem.NTDLL(00000000), ref: 0063F4AF
      • RtlNtStatusToDosError.NTDLL ref: 0063F4C2
        • Part of subcall function 0060EAF2: DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0(?,002D1080,00000000,00000000,00000000,0000000C,0060E0CB,00000000,00000000,00000688,?,0060E0CB,00000000,005E75F6,00000000,?), ref: 0060EB35
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?,?,005E75F6,?), ref: 0063F4D4
      • SysFreeString.OLEAUT32(?), ref: 0063F4EB
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000014,00000000,?,005E75F6,?), ref: 0063F50D
        • Part of subcall function 0060E5BE: FindFirstVolumeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000104,00000000,00000000,?), ref: 0060E604
        • Part of subcall function 0060E5BE: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 0060E686
        • Part of subcall function 0060E5BE: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 0060E6ED
        • Part of subcall function 0060E5BE: FindNextVolumeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000104), ref: 0060E717
        • Part of subcall function 0060E5BE: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0060E725
        • Part of subcall function 0060E528: DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0(?,000700A0,00000000,00000000,?,00000028,?,00000000,00000000,00000000,?,?,?,?,?,0060E11B), ref: 0060E570
        • Part of subcall function 0060E21F: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?), ref: 0060E41E
        • Part of subcall function 0060E21F: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?,?,005E75F6), ref: 0060E425
      Similarity
      • API ID: CurrentThread$Heap$ControlDeviceError$AllocCreateFileFindFreeLastProcessStringVolume$CheckCloseFirstHandleNextOperatingPortableStatusSystemmemset
      • String ID: %d FAIL: 0x%08x$ATMAssignString$RegisterDiskInterfaceToHwnd failed at %d$WdcDiskMonitor::AddDisk$base\diagnosis\pdui\atm\main\disk.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      APIs
        • Part of subcall function 0064D747: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0064D798
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00007E5E,?,?,?,?,?,?,?,0064EA5A,?,?,?,?,?,00000000), ref: 0064E2C5
      • SysFreeString.OLEAUT32(?), ref: 0064E2F7
      • SysAllocString.OLEAUT32(?), ref: 0064E303
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,0064EA5A,?,?,?,?,?,00000000,?,?,00000000,?,?,?), ref: 0064E318
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00000000,?,?,?), ref: 0064E33C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00007E60,?,?,?,?,?,?,?,0064EA5A,?,?,?,?,?,00000000), ref: 0064E3A3
      • SysFreeString.OLEAUT32(?), ref: 0064E3C3
      • SysAllocString.OLEAUT32(?), ref: 0064E3CF
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,0064EA5A,?,?,?,?,?,00000000,?,?,00000000,?,?,?), ref: 0064E3EC
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00000000,?,?,?), ref: 0064E410
      • SysFreeString.OLEAUT32(?), ref: 0064E42C
      • SysAllocString.OLEAUT32(?), ref: 0064E438
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,0064EA5A,?,?,?,?,?,00000000,?,?,00000000,?,?,?), ref: 0064E44D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00000000,?,?,?), ref: 0064E471
      Similarity
      • API ID: CurrentThread$String$AllocFree
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcProcessMonitor::ResolveImageName$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\process.cpp$ntvdm.exe
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000), ref: 006510C9
        • Part of subcall function 00650F0D: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,000000B8), ref: 00650F1E
        • Part of subcall function 00650F0D: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00650F25
        • Part of subcall function 00650F0D: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00650F37
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,?,00000000), ref: 00651106
      • SysFreeString.OLEAUT32(00000000), ref: 006511B4
      • SysAllocString.OLEAUT32(?), ref: 006511C1
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 006511D6
      • SysFreeString.OLEAUT32(00000000), ref: 0065122A
      • SysAllocString.OLEAUT32(?), ref: 00651237
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0065124C
      • SysFreeString.OLEAUT32(?), ref: 006512A5
      • SysAllocString.OLEAUT32(00000000), ref: 006512B5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 006512C4
      • PostMessageW.USER32(000004E0,00000000,00000000,?), ref: 006514A1
      Similarity
      • API ID: String$CurrentThread$Alloc$Free$Heap$CriticalEnterMessagePostProcessSection
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcServiceMonitor::UpdateService$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\service.cpp
      APIs
      • memset.MSVCRT ref: 0066B2A7
      • memset.MSVCRT ref: 0066B2C3
        • Part of subcall function 005E29DC: CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066B2DB
      • AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,00000104), ref: 0066B31D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066B32A
      • ShellExecuteExW.SHELL32(0000003C), ref: 0066B3ED
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0066B3FD
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0066B423
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0066B42A
      • CoUninitialize.COMBASE ref: 0066B434
      Similarity
      • API ID: CurrentHeapThreadmemset$AssocErrorExecuteFreeInitializeLastProcessQueryShellStringUninitialize
      • String ID: "%s%s %s"$"%s%s"$%d FAIL: 0x%08x$<$InvokeDefaultBrowserSearchCallback$base\diagnosis\pdui\atm\main\actions.cpp$http$https://www.bing.com/search?q=$open
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(-8007000E,00000000,?,?,?,?,00650BEE,?,?), ref: 006501FF
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000208,00000000,?,?,?,?,00650BEE,?,?), ref: 0065022F
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00650BEE,?,?), ref: 00650236
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00650BEE,?,?), ref: 00650248
      • memset.MSVCRT ref: 00650274
      • GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,?,?,?,00650BEE,?,?), ref: 0065027F
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,00650BEE,?,?), ref: 0065028A
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00650BEE,?,?), ref: 00650291
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,00650BEE,?,?), ref: 006502A3
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00650BEE,?,?), ref: 0065033C
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00650BEE,?,?), ref: 00650343
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,?,?,?,?,?,00650BEE,?,?), ref: 0065034F
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00650BEE,?,?), ref: 00650356
      Similarity
      • API ID: Heap$Process$CurrentThread$AllocFree$Lengthmemset
      • String ID: %d FAIL: 0x%08x$WdcProcessMonitor::_AddUserNameForSid$base\diagnosis\pdui\atm\main\process.cpp
      APIs
      • GetWindowThreadProcessId.USER32(?,?), ref: 00600469
      • PathStripPathW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?,?), ref: 006004D6
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 0060050C
      • SysAllocString.OLEAUT32(?), ref: 006005BD
      • CopyIcon.USER32(00000000), ref: 006005EF
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00600644
      Similarity
      • API ID: CriticalPathSection$AllocCopyEnterIconLeaveProcessStringStripThreadWindow
      • String ID: %d FAIL: 0x%08x$ATMAssignString$Explorer.exe$WdcTrayIconMonitor::Notify$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\trayicon.cpp
      APIs
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,-0000004C), ref: 0062854B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00628558
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 0062857B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00628588
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?,-0000004C), ref: 006285C4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006285D5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 00628679
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003,?,00000000,00000000,?,?), ref: 00628470
        • Part of subcall function 0061C26A: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,000001E0,00000000,?,?,?,00627BB5,00625B46,00000000,?,00625B46,?), ref: 0061C2A0
        • Part of subcall function 0061C26A: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00627BB5,00625B46,00000000,?,00625B46,?), ref: 0061C2A7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 00628516
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,-0000004C), ref: 006286C3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006286D0
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 006286F6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00628703
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?,-0000004C), ref: 00628742
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0062874F
      Similarity
      • API ID: CurrentThread$DirectElement@$Name@$ContentHeapString@$AllocProcess
      • String ID: %d FAIL: 0x%08x$AtmGpuView::SwitchEngine$base\diagnosis\pdui\atm\main\gpuview.cpp
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000), ref: 00666381
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000208,?,?,?,00000000), ref: 006663B1
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000), ref: 006663B8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,00000000), ref: 006663CC
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000208,?,?,00000000), ref: 006663E6
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000), ref: 006663ED
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,00000000), ref: 00666401
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000104,?,?,00000000), ref: 00666434
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,00000000), ref: 0066652F
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000), ref: 00666536
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,00000000), ref: 00666543
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000), ref: 0066654A
      Similarity
      • API ID: Heap$CurrentProcessThread$AllocFree
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::_GetUserCredentials$base\diagnosis\pdui\atm\main\session.cpp
      APIs
      • memset.MSVCRT ref: 00626064
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 00626078
      • StrToID.DUI70(gpu_chart), ref: 006260A8
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 006260B5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 006260C9
      • StrToID.DUI70(-000000B0), ref: 00626101
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 0062610D
      • ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z.DUI70(00000000,00000000,00000000,-000000B4), ref: 0062613D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0062614A
      • ?SetID@Element@DirectUI@@QAEJPBG@Z.DUI70(-000000B0), ref: 00626167
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00626174
      • ?Add@Element@DirectUI@@QAEJPAV12@@Z.DUI70(?), ref: 0062618F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0062619C
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001), ref: 006261C4
      Similarity
      • API ID: DirectElement@$CurrentThread$Descendent@FindV12@$Add@CreateDestroy@Element@2@1Parser@V12@@V32@@memset
      • String ID: %d FAIL: 0x%08x$AtmGpuView::GetEngineChartsRoot$base\diagnosis\pdui\atm\main\gpuview.cpp$gpu_chart
      • API String ID: 991153211-2476717817
      • Opcode ID: be8cea31be389ef81894e98f20616be40cc18aea5b42f4934555e0ba197e1803
      • Instruction ID: a04e3c08c50ee7f23bae8a8a4fa13397c06b4df957b191db6254bc0677259616
      • Opcode Fuzzy Hash: be8cea31be389ef81894e98f20616be40cc18aea5b42f4934555e0ba197e1803
      • Instruction Fuzzy Hash: 2541A271A40729AFDB119FD8EC49FAE7BBAFB08311F001119F906EB291D77598148F90
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C178
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C1A4
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,?,?,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C1BC
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C1C3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C1D5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C20C
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C232
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C239
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C246
      • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(0066C2C0,00000000,00000000,00000000,?,00000000,?,00000000,?,00000003), ref: 0066C273
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000003), ref: 0066C281
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000003), ref: 0066C2AA
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000003), ref: 0066C2B1
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentThread$Process$Free$AllocErrorItemLastQueueUserWork
      • String ID: %d FAIL: 0x%08x$ShowPropertiesDialog$WdcDupString$base\diagnosis\pdui\atm\main\actions.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 514135760-1135927922
      • Opcode ID: 6f2f7ea3489b9de6b1f3a8d029ab9fbf66233e5a0afbe993d3dbaf3df215f9e7
      • Instruction ID: bf3fd36e272428c65a59d1229523423dba9d176b88c1ae37091fd7c1a5e53b81
      • Opcode Fuzzy Hash: 6f2f7ea3489b9de6b1f3a8d029ab9fbf66233e5a0afbe993d3dbaf3df215f9e7
      • Instruction Fuzzy Hash: F8414C77A80B64BBD72527D44C19FBB7E2FFB95B21F051205FD81E6681CA608E0187E1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000), ref: 0066B491
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,00000000), ref: 0066B4BD
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,?,?,?,00000000), ref: 0066B4D5
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000), ref: 0066B4DC
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,00000000), ref: 0066B4EE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,00000000), ref: 0066B525
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,00000000), ref: 0066B54B
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000), ref: 0066B552
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000), ref: 0066B55F
      • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(0066B5E0,00000000,00000000,?,00000000), ref: 0066B58C
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0066B59A
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0066B5C3
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0066B5CA
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentThread$Process$Free$AllocErrorItemLastQueueUserWork
      • String ID: %d FAIL: 0x%08x$LaunchImmersiveApplication$WdcDupString$base\diagnosis\pdui\atm\main\actions.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 514135760-1568898635
      • Opcode ID: 7760415031875de6492c8b687b182f8ff63e1210307e6478e15684e0c5b5b47c
      • Instruction ID: 453b9567385b95ebbdef15c77b88e73076fe9789073e8b876d38cf6602a22c6e
      • Opcode Fuzzy Hash: 7760415031875de6492c8b687b182f8ff63e1210307e6478e15684e0c5b5b47c
      • Instruction Fuzzy Hash: 63410977A80265FBD7252BD85C0AFEA3E6AEB84B01F052215FD02E7681DB608D4187A1
      APIs
        • Part of subcall function 00606EB0: LoadStringW.USER32(00000000,?,00000080), ref: 00606EC7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00008455,?,00000000,?,?,?,00624503,00000004), ref: 00626414
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00008455,?,00000000,?,?,?,00624503,00000004), ref: 0062644A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00008455,?,00000000,?,?,?,00624503,00000004), ref: 00626488
      • StrToID.DUI70(gpuUsage,00008455,?,00000000,?,?,?,00624503,00000004), ref: 006264A9
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00624503,00000004), ref: 006264B6
      • StrToID.DUI70(gpuDedicatedMemRoot,?,00624503,00000004), ref: 006264C7
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00624503,00000004), ref: 006264D4
      • StrToID.DUI70(gpuSharedMemRoot,?,00624503,00000004), ref: 006264E5
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00624503,00000004), ref: 006264F2
      • StrToID.DUI70(gpuTotalMemory,?,00624503,00000004), ref: 00626503
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00624503,00000004), ref: 00626510
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Descendent@DirectElement@FindV12@$CurrentThread$LoadString
      • String ID: %d FAIL: 0x%08x$AtmGpuView::Initialize$base\diagnosis\pdui\atm\main\gpuview.cpp$gpuDedicatedMemRoot$gpuSharedMemRoot$gpuTotalMemory$gpuUsage
      • API String ID: 455821098-971001319
      • Opcode ID: 94e2f39a2485f7706110f5e71233d761b7e082750710377beb752a6017a436f1
      • Instruction ID: 40e13ee62e6b6a99179f47d2c8881afe9172714022c6998d72de9b80801e11db
      • Opcode Fuzzy Hash: 94e2f39a2485f7706110f5e71233d761b7e082750710377beb752a6017a436f1
      • Instruction Fuzzy Hash: 4531B871A40715BBC7199BA4EC09EBB7A9AFB48701F00631AF859D7381DB74AC10DB90
      APIs
        • Part of subcall function 006092CE: RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\Session Manager\Memory Management,?,00000020,00000000,00000000,?,00000000,00000000,00000000,?,?,?,0060913D,00000000,?), ref: 006092F7
        • Part of subcall function 006092CE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?), ref: 00609326
        • Part of subcall function 006092CE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?,?,?,?,?,?,?,?), ref: 0060932D
        • Part of subcall function 006092CE: RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\Session Manager\Memory Management,?,00000000,00000000,00000000,?,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?), ref: 00609356
      • wcsstr.MSVCRT ref: 0060914F
      • towupper.MSVCRT ref: 0060916D
      • towupper.MSVCRT ref: 00609201
      • wcsstr.MSVCRT ref: 0060923D
      • wcsstr.MSVCRT ref: 00609253
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,PagingFiles,?,?,?,?), ref: 00609290
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?), ref: 00609297
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,PagingFiles,?,?,?,?), ref: 006092A9
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?), ref: 006092B0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,ExistingPageFiles,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0063E659
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,PagingFiles,?,?,?,?,?,?,00000000,?,00000000,00608E03), ref: 0063E689
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$Processwcsstr$CurrentFreeThreadValuetowupper$Alloc
      • String ID: %d FAIL: 0x%08x$AtmDiskView::FindPageFile$ExistingPageFiles$PagingFiles$base\diagnosis\pdui\atm\main\diskview.cpp
      • API String ID: 710994341-4043675059
      • Opcode ID: c329ea2f922e8b85abbf8fcc62ac6b292867b4494f832caf95601c4920cdbb95
      • Instruction ID: 2cde39b5276fcc677e875c9cfc69c4c4f2ddd24acdf2f3a3fc91fc216cf69024
      • Opcode Fuzzy Hash: c329ea2f922e8b85abbf8fcc62ac6b292867b4494f832caf95601c4920cdbb95
      • Instruction Fuzzy Hash: 5861AE75E44219EBCB189FA4D8459EEBBB7FF08300B15116AE801A7292D7319D41CBA4
      APIs
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,?,?,?,?,?,?), ref: 005FA377
        • Part of subcall function 005EDBE6: NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
        • Part of subcall function 005EDBE6: RtlNtStatusToDosError.NTDLL ref: 005EDC21
      • StrToID.DUI70(Clipped,?,?,?,?,?), ref: 005FA196
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?), ref: 005FA1A3
      • ?GetChildren@Element@DirectUI@@QAEPAV?$DynamicArray@PAVElement@DirectUI@@$0A@@2@PAPAVValue@2@@Z.DUI70(00000038,?,?,?), ref: 005FA1B2
      • ?GetValue@Element@DirectUI@@QAEPAVValue@2@PBUPropertyInfo@2@HPAUUpdateCache@2@@Z.DUI70(HD],00000002,00000000,?,?,?), ref: 005FA29F
      • ?GetBool@Value@DirectUI@@QAE_NXZ.DUI70(?,?,?), ref: 005FA2A9
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,?), ref: 005FA2B3
      • ?GetKeyWithin@Element@DirectUI@@QAE_NXZ.DUI70(?,?,?), ref: 005FA2C7
      • ?Remove@Element@DirectUI@@QAEJPAV12@@Z.DUI70(?,?,?,?), ref: 005FA2D6
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$Value@$Release@$A@@2@Array@Bool@Cache@2@@Children@Descendent@DynamicErrorFindI@@$0Info@2@InformationPropertyQueryRemove@StatusSystemUpdateV12@V12@@Value@2@Value@2@@Within@
      • String ID: %d FAIL: 0x%08x$8$AtmView::MoveChildRow$Clipped$HD]$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 2275902499-2632710565
      • Opcode ID: 9d3dbf0ec338dc512691ef9ad32b5355ccb40fb03ba7b542faefd3b77dd856c3
      • Instruction ID: 8dd0df4178623682c68c5c7135f7de3acde971a7e93f538420241fa6df38c9bc
      • Opcode Fuzzy Hash: 9d3dbf0ec338dc512691ef9ad32b5355ccb40fb03ba7b542faefd3b77dd856c3
      • Instruction Fuzzy Hash: 90619F75B00209AFDB15CF64C845BBEBFB2FB55310F144619E95AA7291C738AC40CBA3
      APIs
        • Part of subcall function 005E29DC: CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • SHGetImageList.SHELL32(00000001,005CBF4C,00000000), ref: 006024CD
      • MsgWaitForMultipleObjectsEx.USER32(00000002,?,000000FF,00001CFF,00000000), ref: 006024FE
      • ResetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00602519
      • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,00000000), ref: 00602548
      • ResetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 0060255A
        • Part of subcall function 005FF15B: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00000000,?,?,00602578,00000000,00000000), ref: 005FF16D
        • Part of subcall function 005FF15B: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00602578,00000000,00000000), ref: 005FF1B4
        • Part of subcall function 005FF15B: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00602578,00000000,00000000), ref: 005FF1CC
        • Part of subcall function 005FF15B: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00602578,00000000,00000000), ref: 005FF1F5
      • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,00000000), ref: 00602589
      • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,00000000), ref: 0060259F
      • CoUninitialize.COMBASE ref: 006025C4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0063D047
      Strings
      • WdcApplicationsMonitor::_IconQueueThread, xrefs: 0063D06C
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 0063D071
      • %d FAIL: 0x%08x, xrefs: 0063D04E, 0063D062
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Event$CriticalSection$EnterLeaveReset$CurrentImageInitializeListMultipleObjectsThreadUninitializeWait
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::_IconQueueThread$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 3077353300-4016950656
      • Opcode ID: 90a61d900c32ec0a301dd12f02353f04378ec5e85bfa893dff8a7244ddd5f650
      • Instruction ID: 1d4fdb33e73b0d5cf7a5b9a31bb9c67df7765e1bab2cea4339a562912e402b37
      • Opcode Fuzzy Hash: 90a61d900c32ec0a301dd12f02353f04378ec5e85bfa893dff8a7244ddd5f650
      • Instruction Fuzzy Hash: AA51A371A40606EFDB159FB4DC2CEABBBEAFF44712F10111DF516E2290EBB099029B54
      APIs
        • Part of subcall function 0067759A: OpenThemeData.UXTHEME(00000000,TASKMANAGER,?,?,?,?,?,?,00677308,00000000,?,?,?,?,00658AF9,?), ref: 006775B5
        • Part of subcall function 0067759A: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00677308,00000000,?,?,?,?,00658AF9,?,?,00000000,?), ref: 006775C1
        • Part of subcall function 0067759A: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,?,00677308,00000000,?,?,?,?,00658AF9,?,?,00000000), ref: 006775E4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000008,?,00000000,?,?,?,?,00658AF9,?,?,00000000,?,?,00658B8A,00000000), ref: 0067731D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000008,?,00000000,?,?,?,?,00658AF9,?,?,00000000,?,?,00658B8A,00000000), ref: 00677356
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$DataErrorLastOpenTheme
      • String ID: %d FAIL: 0x%08x$CpuHeatMap::Initialize$base\diagnosis\pdui\atm\main\cpuheatmap.cpp$cpuBlock$cpuBlockData$cpuGrid
      • API String ID: 3441544403-1458601073
      • Opcode ID: 6e437c7778c25f39ff8e4581968251b9f1da0eae3d085e98f0fdada4d9670226
      • Instruction ID: 39b416044a44fea920ac09aaeccd1646676e1c328eabea97fa74f70c0c914178
      • Opcode Fuzzy Hash: 6e437c7778c25f39ff8e4581968251b9f1da0eae3d085e98f0fdada4d9670226
      • Instruction Fuzzy Hash: 26410871644315BFD7189BA8DC45E7A7FA9FF04711B00921AF91AD7690EB70DC40DBA0
      APIs
      • StrToID.DUI70(sideBarNetChartHost,?,00000000,?,?,?,?,005FF139,?), ref: 0061533E
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,005FF139,?), ref: 0061534B
      • StrToID.DUI70(sideBarNetSymbolHost,?,005FF139,?), ref: 0061535B
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,005FF139,?), ref: 00615368
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,005FF139,?), ref: 0061539D
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,?,?,005FF139,?), ref: 006153A8
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000004,?,?,005FF139,?), ref: 006153B9
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,005FF139,?), ref: 006153C3
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,?,?,005FF139,?), ref: 006153D2
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,?,?,005FF139,?), ref: 0061541A
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,005FF139,?), ref: 00615426
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,005FF139,?), ref: 00615436
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,?,?,005FF139,?), ref: 00615442
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,?,005FF139,?), ref: 0061544C
      • ?SetEnabled@Element@DirectUI@@QAEJ_N@Z.DUI70(04408B00,005FF139,?,?,005FF139,?), ref: 00615460
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$LayoutPos@$Descendent@FindV12@$Enabled@
      • String ID: sideBarNetChartHost$sideBarNetSymbolHost
      • API String ID: 4011614609-891536704
      • Opcode ID: d4bf93aedffad4664bf3e72cb01e617299703f6ce75275dfb771b5aa2d57d160
      • Instruction ID: 196c1a80c5ffc33a04a78f02447e5d30731491046689ddc3c3853fb4d66a9dc6
      • Opcode Fuzzy Hash: d4bf93aedffad4664bf3e72cb01e617299703f6ce75275dfb771b5aa2d57d160
      • Instruction Fuzzy Hash: 09418D31504640FFC7149B65DC88EBEBBF7EB89311B182259F5638B6A0DB70AC80DB21
      APIs
      • memset.MSVCRT ref: 0066C2DB
        • Part of subcall function 005E29DC: CoInitializeEx.COMBASE(00000000,00000006), ref: 005E29E5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066C2F1
      • SHParseDisplayName.SHELL32(?,00000000,00000000,00000000,00000000), ref: 0066C322
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066C32F
      • ShellExecuteExW.SHELL32(?), ref: 0066C369
      • SendMessageW.USER32(00000086,00000000,00000000), ref: 0066C384
      • CoUninitialize.COMBASE ref: 0066C38E
      • ILFree.SHELL32(00000000), ref: 0066C39D
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0066C3AE
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0066C3B5
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0066C3C5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0066C3E8
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$FreeHeap$DisplayErrorExecuteInitializeLastMessageNameParseProcessSendShellUninitializememset
      • String ID: %d FAIL: 0x%08x$<$ShowPropertiesDialogCallback$base\diagnosis\pdui\atm\main\actions.cpp$properties
      • API String ID: 1273859380-1639521540
      • Opcode ID: ebece52bd18014d4c1b1ac690ec2aaa0cc6e44334cd72057e4deac736b68e616
      • Instruction ID: 05e70b1b5d4848cb13b09d73ac40b0c0d03bd26d5699e6f8c79521f70be3de2c
      • Opcode Fuzzy Hash: ebece52bd18014d4c1b1ac690ec2aaa0cc6e44334cd72057e4deac736b68e616
      • Instruction Fuzzy Hash: 2D31A072A40614FFE7119BD4DC4ABBE7A6AFB00720F006219FA45F6391DB704E40CBA5
      APIs
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,00000000,00000002), ref: 006483DE
        • Part of subcall function 00645DE3: memset.MSVCRT ref: 00645DFC
        • Part of subcall function 00645DE3: SendMessageW.USER32(00000000), ref: 00645E25
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000,00000002), ref: 006480F6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,00000000,00000002), ref: 00648140
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000,?,?,?,?,?,?,00000000,00000002), ref: 006481DA
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00648239
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,?), ref: 0064829E
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$CloseHandleMessageSendmemset
      • String ID: %d FAIL: 0x%08x$WdcListView::SetProcessPriority$base\diagnosis\pdui\atm\main\listview.cpp
      • API String ID: 780765284-2664560405
      • Opcode ID: 34f9a98a1af170f90278968ac499eb67e665c8e8834098ea52a84129c2a44105
      • Instruction ID: ab1853e96244b3c741628fdad8ec538673992e9c7fe51674f85e76f43e95c611
      • Opcode Fuzzy Hash: 34f9a98a1af170f90278968ac499eb67e665c8e8834098ea52a84129c2a44105
      • Instruction Fuzzy Hash: 9191A2B5A00219AFCB119B54CC84FAE7BBBEB88710F54119AFA09A7351CF709E81CF55
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?,?,005E75F6), ref: 0060E27E
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?), ref: 0060E2D0
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?), ref: 0060E2D7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?), ref: 0060E2EB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?), ref: 0060E31D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6), ref: 0060E377
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6), ref: 0060E3AB
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6), ref: 0060E3B2
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6), ref: 0060E3CD
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?), ref: 0060E41E
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,0060E132,005E75F6,00000000,00000000,00000000,?,00000000,005E75F6,00000000,?,?,005E75F6), ref: 0060E425
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentThread$Process$Alloc$Free
      • String ID: %d FAIL: 0x%08x$WdcDiskMonitor::GetDiskFriendlyName$X\h$base\diagnosis\pdui\atm\main\disk.cpp$t\h
      • API String ID: 356002432-3673947882
      • Opcode ID: df3a2fe763769c28557103499d81d0e1c694cad0e0c6dc6b59ba652eb831987b
      • Instruction ID: 96283ca6e14bd12b58b99582af46019bb609035f142660f3ad88c9355e10b747
      • Opcode Fuzzy Hash: df3a2fe763769c28557103499d81d0e1c694cad0e0c6dc6b59ba652eb831987b
      • Instruction Fuzzy Hash: 60612672A80624FFD7298B94CD88FAB7BABFB14311F150669F906A7690C7728D41CB50
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,006743E0,-00000008,?,00640BDC,?,0061345F,?,00000001,?), ref: 006744E8
      • SysFreeString.OLEAUT32(60B3FF00), ref: 0067451D
      • SysAllocString.OLEAUT32(006743E0), ref: 00674527
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,006743E0,-00000008,?,00640BDC,?,0061345F,?,00000001,?), ref: 0067453B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,?,?,?,?,?,?,?,?,006743E0,-00000008), ref: 0067455D
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,006743E0), ref: 00674645
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0067464C
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,006743E0), ref: 0067465B
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00674662
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,006743E0), ref: 00674671
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00674678
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$Free$CurrentProcessThread$String$Alloc
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcAppHistoryMonitor::_ReconcileMultiAppPackage$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 1551439368-1360704287
      • Opcode ID: f3866c65b6d1445b5de667c18ba84dbc59ba0d7df22fcad03bb8ab4d363c28c9
      • Instruction ID: 37dc9b0e11b1d88640ffd15032dd72389eb0a0412f751d8ab581eef6caba6ef8
      • Opcode Fuzzy Hash: f3866c65b6d1445b5de667c18ba84dbc59ba0d7df22fcad03bb8ab4d363c28c9
      • Instruction Fuzzy Hash: 9551C271A00249EFDB14DFA4CC89AEEBBBAFF44304F145169EA09E7251EB719D41CB90
      APIs
      • ?GetValue@Element@DirectUI@@QAEPAVValue@2@PBUPropertyInfo@2@HPAUUpdateCache@2@@Z.DUI70(HD],00000002,00000000,-00000022,?,?,?,?,?,?,?,?,?,?,005F83CC), ref: 005FA4A2
      • ?GetBool@Value@DirectUI@@QAE_NXZ.DUI70(?,?,?,?,?,005F83CC,?,?,?,?,?,00000000,?,?,?), ref: 005FA4AC
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,?,?,?,005F83CC,?,?,?,?,?,00000000,?,?,?), ref: 005FA4B6
      • ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70(?,-00000022,?,?,?,?,?,?,?,?,?,?,005F83CC,?,?,?), ref: 005FA4F5
      • ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70(?,?,?,?,?,?,005F83CC,?,?,?,?,?,00000000), ref: 005FA502
      • ?Remove@Element@DirectUI@@QAEJPAV12@@Z.DUI70(?,?,?,?,?,005F83CC,?,?,?,?,?,00000000), ref: 005FA50A
      • ?Insert@Element@DirectUI@@QAEJPAV12@I@Z.DUI70(?,?,?,?,?,?,?,005F83CC,?,?,?,?,?,00000000), ref: 005FA521
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$V12@Value@$Parent@$Bool@Cache@2@@Info@2@Insert@PropertyRelease@Remove@UpdateV12@@Value@2@
      • String ID: %d FAIL: 0x%08x$8$AtmView::MoveParentRow$HD]$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 590734038-1318300452
      • Opcode ID: db27b5eebbc70378de64a43bc20a036df412a07bf3d03408eb17bdfda0e069d2
      • Instruction ID: b7e08ebfe0fda87f01fba808bb019cfe75f6d5feff116cb6bba186bf7a34d00b
      • Opcode Fuzzy Hash: db27b5eebbc70378de64a43bc20a036df412a07bf3d03408eb17bdfda0e069d2
      • Instruction Fuzzy Hash: C751BFB1600308AFCF159FA4C888ABE7FA6BF48304F145169F94A97361CB75DC41DB92
      APIs
      • memset.MSVCRT ref: 0066A356
        • Part of subcall function 0066AA6D: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug,00000000,00020019,?,00000000,?,?), ref: 0066AAA8
        • Part of subcall function 0066AA6D: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066AAC8
        • Part of subcall function 0066AA6D: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,?,?,?), ref: 0066AB48
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,00000000,?,?,?,?), ref: 0066A3B0
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,00000000,00000000,?,?,?,?), ref: 0066A46A
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,00000000,?,?,?,?), ref: 0066A471
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,?,00000000,00000000,?,?,?,?), ref: 0066A487
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00000000,?,?,?,?), ref: 0066A4A1
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,00000000,00000000,?,?,?,?), ref: 0066A4C8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$CloseHeap$ErrorFreeHandleLastOpenProcessmemset
      • String ID: %d FAIL: 0x%08x$%s -p %ld$AttachDebugger$No default debugger present$base\diagnosis\pdui\atm\main\actions.cpp
      • API String ID: 2801837935-2558344804
      • Opcode ID: 75af46e9014a7b7fddd295e345b5902f91d39a3a4a6b5a22812f7077e2c6915a
      • Instruction ID: 82b6cd782a54a6573759cfacd5cc8793b8f331103a20a955a202f98274028222
      • Opcode Fuzzy Hash: 75af46e9014a7b7fddd295e345b5902f91d39a3a4a6b5a22812f7077e2c6915a
      • Instruction Fuzzy Hash: D041FDB1A80229BBDB215BD49C09FEA7AA9EF04700F005195FB09F62D1DBB05D44CF95
      APIs
      • StrToID.DUI70(?,?,?,00000000,?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE14A
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE156
      • ?RemoveLocalValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZ@Z.DUI70(?,?,00000000,?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE166
      • ?RemoveLocalValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZ@Z.DUI70(?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE174
      • ?RemoveLocalValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZ@Z.DUI70(?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE182
      • ?CreateInt@Value@DirectUI@@SGPAV12@HW4DynamicScaleValue@@@Z.DUI70(00000000,00000000,?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE18D
      • ?SetValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZHPAVValue@2@@Z.DUI70(00000001,00000000,?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE1A5
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE1AE
      • ?SortChildren@Element@DirectUI@@QAEJP6AHPBX0@Z@Z.DUI70(0060D750,?,?,00000000,?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE1FE
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(?,?,?,00605E72,00000000,?,?,?,?,?,005E7D77), ref: 005FE220
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$Value@$Info@2@Property$LocalRemove$V12@$Children@CreateDescendent@DynamicFindInt@LayoutPos@Release@ScaleSortValue@2@@Value@@@
      • String ID: %d FAIL: 0x%08x$AtmColumnHeader::InitializeColumnHeader$base\diagnosis\pdui\atm\main\colheader.cpp$r^`$r^`
      • API String ID: 2941419198-2309354752
      • Opcode ID: e27bdbb7a7ab3e3cfa620e82843db75e07ce8f1be872b42c421b8859a24eb36f
      • Instruction ID: edcee669879192c5c5acd74e5dc0a4db612ee009ab77133dfa8abc418b58902c
      • Opcode Fuzzy Hash: e27bdbb7a7ab3e3cfa620e82843db75e07ce8f1be872b42c421b8859a24eb36f
      • Instruction Fuzzy Hash: 6131AC35A00209BFDB209F68DC59A7E7BB6FF44311F102629F956D72A0DB319D44DB50
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0065D125
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0065D180
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0065D1C6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0065D20F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,000085ED,?), ref: 0065D23B
      • _ftol2_sse.MSVCRT ref: 0065D273
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,000085ED,?), ref: 0065D293
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00689514,000086A2,00000001,?,?,000085ED,?), ref: 0065D306
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,000085ED,?), ref: 0065D340
        • Part of subcall function 00658518: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 00658574
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,000085ED,?), ref: 0065D379
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(0068284C,?,?,?,?,000085ED,?), ref: 0065D39A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$ContentDirectElement@String@_ftol2_sse
      • String ID: %d FAIL: 0x%08x$AtmDiskView::Update$L(h$base\diagnosis\pdui\atm\main\diskview.cpp
      • API String ID: 1507916750-91129679
      • Opcode ID: 524bc5a7eadc3a7f5b9e5bdcd5704433b0173cacae73bbed9207f3779decf108
      • Instruction ID: ae74e353782ff4b105973f7aec8773f457fcbfc18a364efae064cf919a727a05
      • Opcode Fuzzy Hash: 524bc5a7eadc3a7f5b9e5bdcd5704433b0173cacae73bbed9207f3779decf108
      • Instruction Fuzzy Hash: 6F715372640B11BBD7316F84CC49FAA3BAAFF48701F050258FE85A73C1CB64D9448BA6
      APIs
      • memset.MSVCRT ref: 00605172
      • memset.MSVCRT ref: 0060518E
      • StringFromCLSID.COMBASE(0000000C,00000000), ref: 006051CE
      • CoTaskMemFree.COMBASE(00000000), ref: 006051FA
      • RtlInitUnicodeString.NTDLL(?,00000000), ref: 00605209
        • Part of subcall function 005EB300: memset.MSVCRT ref: 005EB32D
        • Part of subcall function 005EB300: DeviceIoControl.API-MS-WIN-CORE-IO-L1-1-0(00000000,0017003E,00685750,0000003C,?,000002D0,?,00000000), ref: 005EB382
        • Part of subcall function 005EB300: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 005EB391
      • memset.MSVCRT ref: 00605278
      • memset.MSVCRT ref: 0060528A
      • memset.MSVCRT ref: 006052A1
      • memset.MSVCRT ref: 006052B3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,?,00000000), ref: 0063E0A3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: memset$String$CloseControlCurrentDeviceFreeFromHandleInitTaskThreadUnicode
      • String ID: %d FAIL: 0x%08x$CAdapter::InitializeAdapter$\Device\%s$base\diagnosis\pdui\atm\main\adapter.cpp$h
      • API String ID: 118178612-3465198361
      • Opcode ID: 9bcd5f262c6482ed3f2a54467e6501415bd953119dcb56ace3131d6c08de7f68
      • Instruction ID: 8ade92c608b7adbc507890958c0d6a9cfa1bfbcd157cc32daaecdfee70ba5a24
      • Opcode Fuzzy Hash: 9bcd5f262c6482ed3f2a54467e6501415bd953119dcb56ace3131d6c08de7f68
      • Instruction Fuzzy Hash: 5B51D372A00614AFDB10DF58CC89FDB3BAAEF56314F1800A5F505AF391DB75AA05CBA1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003,00000000,?,?,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?), ref: 006262DE
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,00000000,?,?,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?), ref: 00626312
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?,?,?), ref: 0062631F
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?,?,?), ref: 0062633A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?,?,?), ref: 00626347
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000,00000000,?,?,?,00628996,?,?,00000000,?,00627AD4,?,?), ref: 00626379
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,00000000,?,?,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?), ref: 0062639B
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?,?,?), ref: 006263A9
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,00000000,?,?,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?), ref: 006263BB
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?,?,?), ref: 006263C9
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,00000000,?,?,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?), ref: 006263DB
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000,?,00628996,?,?,00000000,?,00627AD4,?,?,00000000,?,?,?,?), ref: 006263E9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$CurrentLayoutPos@ThreadVisible@
      • String ID: %d FAIL: 0x%08x$AtmGpuView::HideAdapter$base\diagnosis\pdui\atm\main\gpuview.cpp
      • API String ID: 1850000234-2220378683
      • Opcode ID: b970f51d0e06fd04dd8d02ba5a03a5f14d6fd2002ad4331e52a9bd9da4f3820f
      • Instruction ID: b4a6294b0b5945430aaa1a34d26b201d37a065df94c2dd6db6986a1b631c4144
      • Opcode Fuzzy Hash: b970f51d0e06fd04dd8d02ba5a03a5f14d6fd2002ad4331e52a9bd9da4f3820f
      • Instruction Fuzzy Hash: 8831E836341B21BBE7189BA4EC19FAA7A16FF05762F142318FA19D66D0DB605C40CFE1
      APIs
      • memset.MSVCRT ref: 0066D178
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?), ref: 0066D22A
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0066D3F4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CloseCurrentHandleThreadmemset
      • String ID: %d FAIL: 0x%08x$%u.%u.%u.%u$%windir%\explorer.exe$0.0.0.0$TmEndTaskHandler::_EndTaskProcess$base\diagnosis\pdui\atm\main\endtask.cpp
      • API String ID: 3732093462-322872737
      • Opcode ID: 20ef8100f88db5790042f044684da0f6db5c75077fec3c6b94177cfc55b82264
      • Instruction ID: 68691f286e311a127736c24e13318d2903f703f5aaa52156c20ebfc309c65424
      • Opcode Fuzzy Hash: 20ef8100f88db5790042f044684da0f6db5c75077fec3c6b94177cfc55b82264
      • Instruction Fuzzy Hash: D1910331B04752ABD721DF64C808BAABBEBBF85714F044619F984A7390C734ED55CBA2
      APIs
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00652162
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00652182
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006521D3
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0065222F
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00652236
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00652266
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0065226D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00652282
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(7FFFFFFF), ref: 006522C3
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00652327
      • PostMessageW.USER32(?,00000403,00000000,00000000), ref: 00652354
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentHeapThread$ErrorLastProcess$AllocFreeMessagePost
      • String ID: %d FAIL: 0x%08x$GetProcessWaitChainAsync$base\diagnosis\pdui\atm\main\waitchain.cpp
      • API String ID: 1402747871-1897052769
      • Opcode ID: 3c31ac8f61d0e1235072ef958954ae9bacd19fdf680dbfb9f058dfccd2a9162a
      • Instruction ID: f6df879a8fb40fdfeca2905643a173e7bc29f5720fb11706cd8fee6547b8aadb
      • Opcode Fuzzy Hash: 3c31ac8f61d0e1235072ef958954ae9bacd19fdf680dbfb9f058dfccd2a9162a
      • Instruction Fuzzy Hash: F971DF75A00216AFDB148FA4CC54BAEBBBAFF05312F144229ED15E7390D7749E45CB90
      APIs
      • ?GetChildren@Element@DirectUI@@QAEPAV?$DynamicArray@PAVElement@DirectUI@@$0A@@2@PAPAVValue@2@@Z.DUI70(00000000), ref: 00601444
      • ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70 ref: 00601496
      • ?Remove@Element@DirectUI@@QAEJPAV12@@Z.DUI70 ref: 006014A3
      • StrToID.DUI70(clipped), ref: 006014B2
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 006014BE
      • ?GetChildren@Element@DirectUI@@QAEPAV?$DynamicArray@PAVElement@DirectUI@@$0A@@2@PAPAVValue@2@@Z.DUI70(?), ref: 006014D7
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(00000000,?), ref: 006014EF
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000), ref: 0060152E
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70 ref: 0060155E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@$A@@2@Array@Children@DynamicI@@$0Release@V12@Value@Value@2@@$Descendent@Destroy@FindParent@Remove@V12@@
      • String ID: %d FAIL: 0x%08x$AtmViewItemCache::AddItem$base\diagnosis\pdui\atm\main\view.cpp$clipped
      • API String ID: 2866029313-2392375449
      • Opcode ID: a9db94977df6cce518a21435c4ef18e07c77474cfc19ec496793f614e377fd84
      • Instruction ID: 34603c2a2a167103a77b7f0f1a9ce89e4de8cd9efdcf746825a560b64f9e615c
      • Opcode Fuzzy Hash: a9db94977df6cce518a21435c4ef18e07c77474cfc19ec496793f614e377fd84
      • Instruction Fuzzy Hash: 2B519BB06443019BD729DF658894B6BB7E6AB8A324F04462DE8669F3D0DB30E805CB52
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000028,?,00000000,?,?,005E8C3C,?,00000008,00000000,?,?,005E9FE5,?,?,?), ref: 006133AF
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,005E8C3C,?,00000008,00000000,?,?,005E9FE5,?,?,?,?,?,00000000,?), ref: 006133B6
      • GetWindowLongW.USER32(?,000000EB), ref: 00613446
      • DefWindowProcW.USER32(?,00000001,?,?), ref: 00613465
      • SetWindowLongW.USER32(?,000000EB,?), ref: 00613472
      • SysFreeString.OLEAUT32(?), ref: 00640B42
      • SysAllocString.OLEAUT32(?), ref: 00640B4D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005E8C3C,?,00000008,00000000,?,?,005E9FE5,?,?,?,?,?,00000000,?), ref: 00640B60
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005E8C3C,?,00000008,00000000,?,?,005E9FE5,?,?,?,?,?,00000000,?), ref: 00640B93
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Window$AllocCurrentHeapLongStringThread$FreeProcProcess
      • String ID: %d FAIL: 0x%08x$ATMAssignString$WdcDiskMonitor::CloneDriveInfo$base\diagnosis\pdui\atm\main\disk.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 1134646999-369177782
      • Opcode ID: 4bf1ba4c29a7057d8bf2dee45aea85fb9007be058d0551b1d8f6a84f68d9e45f
      • Instruction ID: dd6086c2126d9e1322ad1b102f9f815f963600341e77db1d835e8cc62e8c7fc0
      • Opcode Fuzzy Hash: 4bf1ba4c29a7057d8bf2dee45aea85fb9007be058d0551b1d8f6a84f68d9e45f
      • Instruction Fuzzy Hash: 2E41E472200324EFCB219F68DC44E967BEAFF48710B184219F94AD7760D770D980CBA4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID:
      • String ID: %d FAIL: 0x%08x$ATMAssignString$DPA_InsertPtr$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\servicecache.cpp
      • API String ID: 0-3801234096
      • Opcode ID: 6f039d82b482ea679e103eb37942e096e654b13a271a4bf88e82f6285bd28f35
      • Instruction ID: 75da69a2357f2d695687dad5a6dcdc1b20a47d9f64b910f2eec8b9cf12a61980
      • Opcode Fuzzy Hash: 6f039d82b482ea679e103eb37942e096e654b13a271a4bf88e82f6285bd28f35
      • Instruction Fuzzy Hash: 2CA1AE75A40205AFDB18DF94C845BEEBBA3FF84310F14812DE955AB381DB749D46CB90
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,?), ref: 005F93C4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,SmallViewItem,?,00000000,?,?,?,00000000,00000000,00000000,?,?,?), ref: 005F9485
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000,?,?,?,?,00000000,?,00000000,00000000,?,?,?), ref: 005F9516
      • ?Insert@Element@DirectUI@@QAEJPAV12@I@Z.DUI70(00000000,?,?,?,?,00000000,?,?,?,?,00000000,?,00000000,00000000,?), ref: 005F9539
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,00000000,?,?,?,?,?), ref: 005F9546
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001,?,?,?,?,00000000), ref: 005F9666
        • Part of subcall function 005EDBE6: NtQuerySystemInformation.NTDLL(000000B6,?,00000038,00000000), ref: 005EDC16
        • Part of subcall function 005EDBE6: RtlNtStatusToDosError.NTDLL ref: 005EDC21
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 005F9570
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005F95B7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$DirectElement@$Destroy@ErrorInformationInsert@QueryStatusSystemV12@
      • String ID: %d FAIL: 0x%08x$AtmView::AddParentRow$SmallViewItem$TmLowMemoryViewItem$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 3896406375-2766134086
      • Opcode ID: 8ea89ef0bc08397b173ec5fe38038aaab7e06f51649f801c39208cac41b7ad6c
      • Instruction ID: 1d5c5d239bca11d4423279739f3d74feede5254385771330e310e9537535c8d9
      • Opcode Fuzzy Hash: 8ea89ef0bc08397b173ec5fe38038aaab7e06f51649f801c39208cac41b7ad6c
      • Instruction Fuzzy Hash: 06917B31A00A49BFDF169F94C845ABA7FB6FF54300F148169FE05AB291CB349D51DBA0
      APIs
      • memset.MSVCRT ref: 0064C440
      • LoadStringW.USER32(00008793,?,00000104,00000000), ref: 0064C469
      • GetDlgItem.USER32(?,0000878F), ref: 0064C488
      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 0064C4A0
      • SendMessageW.USER32(00000000,0000104D,00000000,00000001), ref: 0064C4B4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000001,?), ref: 0064C4DE
      Strings
      • base\diagnosis\pdui\atm\main\process.cpp, xrefs: 0064C4F4
      • WdcProcessMonitor::LoadProcessorAffinity, xrefs: 0064C4EF
      • %d FAIL: 0x%08x, xrefs: 0064C4E5
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: MessageSend$CurrentItemLoadStringThreadmemset
      • String ID: %d FAIL: 0x%08x$WdcProcessMonitor::LoadProcessorAffinity$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 3306804815-2176858063
      • Opcode ID: e6fc0624be7cc7509ee46906628d2fa890f4c2ae522130aaf1878025ca5da2fb
      • Instruction ID: 4856699f313aae01f0ce8df930d75004d0c6fb23513ead2082ad43e093563284
      • Opcode Fuzzy Hash: e6fc0624be7cc7509ee46906628d2fa890f4c2ae522130aaf1878025ca5da2fb
      • Instruction Fuzzy Hash: 226162F1A41228ABDB60DF14CC45FD9B7BAFB44314F5051E5EA09A7241DB70AE80CFA9
      APIs
      • GetClassNameW.USER32(?,?,00000064), ref: 0062C02D
      • _wcsicmp.MSVCRT ref: 0062C047
      • _wcsicmp.MSVCRT ref: 0062C074
      • GetWindowTextW.USER32(?,?,00000100), ref: 0062C0AB
      • SysFreeString.OLEAUT32(?), ref: 0062C150
      • SysAllocString.OLEAUT32(?), ref: 0062C160
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0062C170
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String_wcsicmp$AllocClassCurrentFreeNameTextThreadWindow
      • String ID: %d FAIL: 0x%08x$ATMAssignString$Microsoft Edge$TabWindowClass$Windows.UI.Core.CoreWindow$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 2593673037-4212207443
      • Opcode ID: ad920152b33ae3e31188ceeba0276e295f1ae18dcd842d80b2e3d40f3998e454
      • Instruction ID: c50f9dc1fa113b60dec4c474c53f792abd1fc70f9857ec7fba1b1c656f63af91
      • Opcode Fuzzy Hash: ad920152b33ae3e31188ceeba0276e295f1ae18dcd842d80b2e3d40f3998e454
      • Instruction Fuzzy Hash: F2412331600B169BEB249B24EC4ABEA73BAFF60364F14415AE94AD6351E772D984CB10
      APIs
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\Session Manager\Memory Management,?,00000020,00000000,00000000,?,00000000,00000000,00000000,?,?,?,0060913D,00000000,?), ref: 006092F7
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?), ref: 00609326
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?,?,?,?,?,?,?,?), ref: 0060932D
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,System\CurrentControlSet\Control\Session Manager\Memory Management,?,00000000,00000000,00000000,?,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?), ref: 00609356
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,0060913D,00000000,?,ExistingPageFiles,?,00000000), ref: 0063E71D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?,?,?,?,?,?,?,?), ref: 0063E731
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,0060913D,00000000,?,ExistingPageFiles,?,00000000,?,?,?,?,?,?,?,?), ref: 0063E75F
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,?,ExistingPageFiles,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0063E78B
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00608E03), ref: 0063E792
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentThread$ProcessValue$AllocFree
      • String ID: %d FAIL: 0x%08x$AtmDiskView::GetPageFileFromRegistry$System\CurrentControlSet\Control\Session Manager\Memory Management$base\diagnosis\pdui\atm\main\diskview.cpp
      • API String ID: 1147357214-3117730108
      • Opcode ID: 5cad23f05a4da6f7957f3afb4ee31cec2476e662c575e28b385dfbe96d0293ff
      • Instruction ID: 7c3685888b234fb8267489caf2df8762be9c79cea0e898cbf13dd942a0342c65
      • Opcode Fuzzy Hash: 5cad23f05a4da6f7957f3afb4ee31cec2476e662c575e28b385dfbe96d0293ff
      • Instruction Fuzzy Hash: 1331CE76980226FBD7285BD48C4AFABBA7AFB14711F10021AFD01A62C1D7715D00CBF1
      APIs
        • Part of subcall function 005E15DE: LoadLibraryW.KERNELBASE(?,006784A0,?,005E1559,-8007000E,00000000,?,005E14F5,?), ref: 005E1614
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001), ref: 006601DB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 006601FB
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001), ref: 00660228
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00660248
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WdcRunTaskAsInteractiveUser,00000001), ref: 00660273
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0066027F
      • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 006602E7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$CurrentLibraryThread$AddressFreeLoadProc
      • String ID: %d FAIL: 0x%08x$TmRunAsInteractiveUser$WdcRunTaskAsInteractiveUser$base\diagnosis\pdui\atm\main\tmutils.cpp$wdc.dll
      • API String ID: 2286128795-3289049831
      • Opcode ID: 17d3b68e4ea0a406ab2a69043d7571b3a34a8cf1a3840172be4fbf69c8e4eeff
      • Instruction ID: db8c5ebbe5ece7c0fd0a79506599733ce9b602a8fb803d4575e627ce7b711577
      • Opcode Fuzzy Hash: 17d3b68e4ea0a406ab2a69043d7571b3a34a8cf1a3840172be4fbf69c8e4eeff
      • Instruction Fuzzy Hash: 98316477E806667BA72117EC4C1DAAF6D5BBF40B11F211276FC05B6341CA608E4047D1
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000410,?,?,00000000,00647CF2), ref: 0066B15B
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0066B162
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0066B174
      • memset.MSVCRT ref: 0066B1A4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,00000000,08000000,?,00000000,?,00000003), ref: 0066B1C4
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00000003), ref: 0066B261
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000003), ref: 0066B268
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentProcessThread$AllocFreememset
      • String ID: %d FAIL: 0x%08x$InvokeDefaultBrowserSearch$base\diagnosis\pdui\atm\main\actions.cpp
      • API String ID: 2315026106-709528807
      • Opcode ID: fc00d709b84791817574a9ef190d6386cd32593f5b80c3b7ba8d22d1ef0d5aba
      • Instruction ID: 1ce1bd3aae8be9b7a72ee45371c47fda434e170f1d029a07cca94d716cb7dfbb
      • Opcode Fuzzy Hash: fc00d709b84791817574a9ef190d6386cd32593f5b80c3b7ba8d22d1ef0d5aba
      • Instruction Fuzzy Hash: 79212573A80365F7D72223A45C1AFBF294EEF41B11F052225FE05E6391DBA44E8183E5
      APIs
      • StrToID.DUI70(netSend,?,00607044,?,?,?), ref: 0065E0A9
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00607044,?,?,?), ref: 0065E0B6
      • StrToID.DUI70(netReceive,?,00607044,?,?,?), ref: 0065E0C7
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00607044,?,?,?), ref: 0065E0D4
      • StrToID.DUI70(netReceiveLegend,?,00607044,?,?,?), ref: 0065E0E5
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00607044,?,?,?), ref: 0065E0F2
      • StrToID.DUI70(netSendLegend,?,00607044,?,?,?), ref: 0065E100
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00607044,?,?,?), ref: 0065E10D
        • Part of subcall function 00660CB4: GetThemeColor.UXTHEME(?,?,00000000,00000EDA,0000008C,?,00000000,00000000,?,0065C4D4,?,?,?,006246A1,00000002), ref: 00660CD5
        • Part of subcall function 00660CB4: DeleteObject.GDI32(?), ref: 00660D06
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Descendent@DirectElement@FindV12@$ColorDeleteObjectTheme
      • String ID: base\diagnosis\pdui\atm\main\networkview.cpp$netReceive$netReceiveLegend$netSend$netSendLegend
      • API String ID: 3527771036-1589048246
      • Opcode ID: 92caaa5479ad1e589ee6667ecc9c252d79dd3a1080a036429648325e9c4fa766
      • Instruction ID: 250f0de54c4faece11349082bc1b571711b46d4e20f5c61939fb9b6bdb0bf47a
      • Opcode Fuzzy Hash: 92caaa5479ad1e589ee6667ecc9c252d79dd3a1080a036429648325e9c4fa766
      • Instruction Fuzzy Hash: AB31F734700744BFCB149BA4D85CBBABBA6BF48305F04126AEC1987351CB75AC54DB50
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?,?,?,005EDD65), ref: 006154FB
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,005EDD65), ref: 00615502
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00000000,00000000,?,?,?,005EDD65), ref: 00615521
      • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,005EDD65), ref: 00615528
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005EDD65), ref: 00615538
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,005EDD65), ref: 0061553F
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005EDD65), ref: 00615556
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,005EDD65), ref: 0061555D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,005EDD65), ref: 00641269
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$Process$Alloc$CurrentFreeThread
      • String ID: %d FAIL: 0x%08x$WdcExpandMemory$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 943192376-1312045815
      • Opcode ID: 6a66dc94dda532072717429f9dfa112fc5bada1e8ad64a7346faecfaca0eba0d
      • Instruction ID: abc3dc68f59b1200c8daa7fecf044d159880a526dca743352c7b122650e11d9a
      • Opcode Fuzzy Hash: 6a66dc94dda532072717429f9dfa112fc5bada1e8ad64a7346faecfaca0eba0d
      • Instruction Fuzzy Hash: 5F112976500718FBCB211BE85C4CEAB7E6FFB89711B082215F907D7210DB708C418BA1
      APIs
      • ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70(00000000,?,00000000,?,006688C6,?,?,?,00000000,?,?,?,00000000,?,?,00610DCF), ref: 006683F2
      • ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70(?,006688C6,?,?,?,00000000,?,?,?,00000000,?,?,00610DCF,00000000), ref: 006683FA
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0066841F
      • StrToID.DUI70(TmGroupHeader_Apps), ref: 0066842D
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 00668442
      • StrToID.DUI70(TmGroupHeader_Background), ref: 00668450
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0066846B
      • StrToID.DUI70(TmGroupHeader_Windows), ref: 00668479
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 00668486
      • StrToID.DUI70(TmGroupHeader_Background), ref: 00668494
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Parent@V12@
      • String ID: TmGroupHeader_Apps$TmGroupHeader_Background$TmGroupHeader_Windows
      • API String ID: 1845028879-28530866
      • Opcode ID: 56610e7575314bec5262161211de8475968b68b771387e2306ef220e7766e40e
      • Instruction ID: 6d896b36dbec595542a70b0341b08fe2f48aa7bcaf6e08f33a49e8f788c23f24
      • Opcode Fuzzy Hash: 56610e7575314bec5262161211de8475968b68b771387e2306ef220e7766e40e
      • Instruction Fuzzy Hash: B9119336204246EFCF345BB59C885AA7BB7BB54765B906326E5568B364CF708C05C740
      APIs
        • Part of subcall function 00673EF8: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004,?,?), ref: 00673F11
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004,?,?,?,?,00640BDC,?,0061345F,?,00000001,?,?), ref: 00674145
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,00640BDC,?,0061345F,?,00000001,?,?), ref: 006741B3
      • SHGetKnownFolderItem.SHELL32(005CD2D8,00004000,00000000,005D3AD0,?,?,?,?,?,?,00640BDC,?,0061345F,?,00000001,?), ref: 006741F1
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00640BDC,?,0061345F,?,00000001,?,?), ref: 006741FE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00640BDC,?,0061345F,?,00000001,?,?), ref: 0067423A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00640BDC,?,0061345F,?,00000001,?,?), ref: 00674275
      • CoTaskMemFree.COMBASE(00000008), ref: 006742F7
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004,?,00640BDC,?,0061345F,?,00000001,?,?), ref: 00674332
        • Part of subcall function 00674477: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,006743E0,-00000008,?,00640BDC,?,0061345F,?,00000001,?), ref: 006744E8
        • Part of subcall function 00674477: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,006743E0), ref: 00674645
        • Part of subcall function 00674477: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0067464C
        • Part of subcall function 00674477: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,006743E0), ref: 0067465B
        • Part of subcall function 00674477: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00674662
        • Part of subcall function 00674477: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,006743E0), ref: 00674671
        • Part of subcall function 00674477: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00674678
      • PostMessageW.USER32(?,00000405,00000000,00000000), ref: 00674435
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$CurrentThread$Free$CriticalEnterProcessSection$FolderItemKnownMessagePostTask
      • String ID: %d FAIL: 0x%08x$WdcAppHistoryMonitor::_ReconcileImmersiveApplications$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp
      • API String ID: 2020920371-1544239943
      • Opcode ID: 3a9209999b865f12f52792d9a39311a38488126b8604443374a04ea4d1e29678
      • Instruction ID: 5c2116dfe35216680234e21c2843ff30c1549b9b59d3295f220edf0c041c40a8
      • Opcode Fuzzy Hash: 3a9209999b865f12f52792d9a39311a38488126b8604443374a04ea4d1e29678
      • Instruction Fuzzy Hash: D8A1B271A00215AFDB14DFA4CC99AFEBBB6FF54310F148169E90AE7291EF70A945CB10
      APIs
      • ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z.DUI70(atmCpu,00000000,00000000,00000000,?,006069FE,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0065910E
      • ?Add@Element@DirectUI@@QAEJPAV12@@Z.DUI70(?,?,?,?,?,?,?,?,00000000,?,?,?,006069FE), ref: 0065913A
      • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000100,?,?,?,?,?,?,?,00000000,?,?,?,006069FE), ref: 00659154
        • Part of subcall function 006054EB: memset.MSVCRT ref: 0060550E
        • Part of subcall function 006054EB: SendMessageW.USER32(00000000), ref: 00605558
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Add@AllocCreateElement@2@1LocalMessageParser@SendV12@@V32@@memset
      • String ID: CPU%d$CPU%d%d$atmCpu$atmCpuChart$base\diagnosis\pdui\atm\main\cpuview.cpp
      • API String ID: 3227239847-2752236397
      • Opcode ID: f4009c196fb3567e20485f9872db38784b75c1098c4b2fcc747b2342c67d5435
      • Instruction ID: 6ab32f8edcf57d5da24552edba1ae767af69297b2c20e31f15aae9bfa6886d9d
      • Opcode Fuzzy Hash: f4009c196fb3567e20485f9872db38784b75c1098c4b2fcc747b2342c67d5435
      • Instruction Fuzzy Hash: 2E61C6B0740316FBEB119F94CC85BBF369BEB44701F105025FE05962C1DAB49E4A97B5
      APIs
        • Part of subcall function 005ED05C: memset.MSVCRT ref: 005ED091
        • Part of subcall function 005ED05C: GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?), ref: 005ED0A6
        • Part of subcall function 005ED05C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?), ref: 005ED0B0
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(00000114,?,00000001,?,?,?,?,?,?,?,?,?,?,005EA23B,?,?), ref: 005E8472
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(00000114,?,?,?,?,?,?,?,005EA23B,?,?,?,?,00000000,?,?), ref: 005E847C
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,00689514,?,?,000086A3,005DAC10,000086A3,000086A3,000086A3,00000000), ref: 00636B00
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,005EA23B,?,?,?), ref: 00636B0A
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,?,?,?,?,?,?,?,?,?,005EA23B,?,?,?), ref: 00636B1A
        • Part of subcall function 005F02F0: TryEnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000001,00000000,?,?,?,?,00000000,?), ref: 005F031D
        • Part of subcall function 005F02F0: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00000000,?), ref: 005F03E8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,000086A4,?,?,?,00000001,?,?,?), ref: 00636B68
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000001,?,?,?,?,?,?,?,?,?,?,005EA23B,?), ref: 00636B7C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$ContentString@$CriticalCurrentName@SectionThread$EnterErrorLastLeaveVersionmemset
      • String ID: %d FAIL: 0x%08x$AtmDiskView::SidebarRender$base\diagnosis\pdui\atm\main\diskview.cpp
      • API String ID: 3228985726-2677942745
      • Opcode ID: 655ecf0c01259801efc9daa6a6c007c3738633c8042819cee3a9ed55f9f1aea6
      • Instruction ID: fce386a7acd59ef29ebcce8bc33271a79d97faaeaadc347a93efacdd396af9fe
      • Opcode Fuzzy Hash: 655ecf0c01259801efc9daa6a6c007c3738633c8042819cee3a9ed55f9f1aea6
      • Instruction Fuzzy Hash: 7C51937160051ABFCB189F94CC89EAEBB79FF48700F050255FA45A7291DB74AD11CBE1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,00000000,?,?), ref: 00617207
        • Part of subcall function 0062BD68: SysFreeString.OLEAUT32(?), ref: 0062BD99
        • Part of subcall function 0062BD68: SysAllocString.OLEAUT32(Windows.WARP.JITService), ref: 0062BDA7
        • Part of subcall function 0062BD68: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0062BDB7
      • SysAllocString.OLEAUT32(?), ref: 00617286
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0061729A
      • SysFreeString.OLEAUT32(?), ref: 006172C8
      • SysFreeString.OLEAUT32(00000000), ref: 006172D7
      • SysFreeString.OLEAUT32(00000000), ref: 006172F0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$Free$CurrentThread$Alloc
      • String ID: %d FAIL: 0x%08x$%s %s$ATMAssignString$WdcApplicationsMonitor::ResolveImageFriendlyName$base\diagnosis\pdui\atm\main\applications.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 3896373925-2092723910
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000000,-FFFF8916,02EEFDD8,00000004,00000004,-0000001C,00657901,?,?,00000004,00643138,?,00000000,00000001), ref: 0065A236
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000402), ref: 0065A23D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00000402), ref: 0065A24F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00008454,-00000030,?,00000402), ref: 0065A291
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0065A3A5
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0065A3AC
      Strings
      Similarity
      • API ID: Heap$CurrentProcessThread$AllocFree
      • String ID: %d FAIL: 0x%08x$AtmMemoryView::OnCopy$base\diagnosis\pdui\atm\main\memoryview.cpp
      • API String ID: 1663568382-4270828881
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,#0_,?,?,?,?), ref: 005FF472
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 005FF479
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,#0_,?,?,?,?), ref: 0063C022
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,#0_,?,?,?,?), ref: 0063C04D
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0063C054
      Strings
      Similarity
      • API ID: Heap$FreeProcess$CurrentThread
      • String ID: #0_$%d FAIL: 0x%08x$WdcDupString$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 3113103657-512284238
      APIs
      • StrStrIW.SHLWAPI(?,\device\mup\,00000000,?,?), ref: 00673357
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,Remote running Apps,?,00000000,Remote running Apps,?), ref: 0067342A
        • Part of subcall function 0064AF6F: GetLogicalDriveStringsW.API-MS-WIN-CORE-FILE-L1-1-0(00000207,?,00000000), ref: 0064AFAB
        • Part of subcall function 0064AF6F: QueryDosDeviceW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000104,?,?), ref: 0064AFF0
        • Part of subcall function 0064AF6F: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0064AFFA
        • Part of subcall function 0064AF6F: _wcsnicmp.MSVCRT ref: 0064B044
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000105), ref: 0067337A
      • CharLowerW.USER32(?,00000105), ref: 006733A9
      • PathFileExistsW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?), ref: 006733B6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,Remote running Apps,?,Remote running Apps,?), ref: 0067345F
      Strings
      Similarity
      • API ID: CurrentThread$CharDeviceDriveErrorExistsFileLastLogicalLowerPathQueryStrings_wcsnicmp
      • String ID: %d FAIL: 0x%08x$Remote running Apps$Uninstalled Apps$WdcAppHistoryMonitor::_MapAndGetDesktopItemEntry$\device\mup\$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp
      • API String ID: 956212437-4079082101
      APIs
      • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,?,?,00000100,80000002,00000000,?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 005E3061
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 005E307D
      • RegNotifyChangeKeyValue.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000001,00000005,?,00000001,?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 005E30A0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 00635764
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 00635778
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 006357A0
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 006357C8
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 0063580D
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,005E2E77,Software\Microsoft\Windows\CurrentVersion\Run,80000002,00000100,?,?), ref: 0063582A
      Strings
      • base\diagnosis\pdui\atm\main\startup.cpp, xrefs: 0063578E
      • WdcStartupMonitor::_RegisterForRegChangeNotification, xrefs: 00635789
      • %d FAIL: 0x%08x, xrefs: 0063576B, 0063577F
      Similarity
      • API ID: CloseCurrentErrorLastThread$ChangeCreateEventHandleNotifyOpenValue
      • String ID: %d FAIL: 0x%08x$WdcStartupMonitor::_RegisterForRegChangeNotification$base\diagnosis\pdui\atm\main\startup.cpp
      • API String ID: 863154977-3894322898
      APIs
      • StrToID.DUI70(TmExpando,40000000,40000000,?,?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 00668281
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 00668290
      • ?GetExpanded@Expandable@DirectUI@@QAE_NXZ.DUI70(?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 006682A2
      • ?SetExpanded@Expandable@DirectUI@@QAEJ_N@Z.DUI70(?,?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 006682B1
      • StrToID.DUI70(ViewExpandoButtonImage,?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 006682BC
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 006682C8
      • ?SetSelected@Element@DirectUI@@QAEJ_N@Z.DUI70(?,?,?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 006682D5
      • VariantClear.OLEAUT32(?), ref: 0066834D
      • VariantClear.OLEAUT32(?), ref: 00668366
      • ?SetSelected@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000,?,?,?,?,40000000,?,?,?,00000038,?,40000000,?,?), ref: 0066837F
      Strings
      Similarity
      • API ID: Direct$Element@$ClearDescendent@Expandable@Expanded@FindSelected@V12@Variant
      • String ID: TmExpando$ViewExpandoButtonImage
      • API String ID: 3364486357-2364742485
      APIs
      • StrToID.DUI70(primaryCpuChart), ref: 006053E0
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 006053ED
      • SysFreeString.OLEAUT32(?), ref: 0060540B
      • SysAllocString.OLEAUT32(primaryCpuChart), ref: 0060541D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0060542C
      • StrToID.DUI70(primaryCpuChart), ref: 006054AC
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 006054B9
      Strings
      Similarity
      • API ID: Descendent@DirectElement@FindStringV12@$AllocCurrentFreeThread
      • String ID: %d FAIL: 0x%08x$ATMAssignString$base\diagnosis\pdui\atm\main\cpuview.cpp$base\diagnosis\pdui\atm\main\inline.cpp$primaryCpuChart
      • API String ID: 905100735-2965668824
      APIs
      • StrToID.DUI70(005DA6D0,?,00000000,?,?,?,006246A1,00000002), ref: 0065C3EB
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,006246A1,00000002), ref: 0065C3F8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,006246A1,00000002), ref: 0065C42A
      • StrToID.DUI70(diskReadLegend,?,006246A1,00000002), ref: 0065C457
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,006246A1,00000002), ref: 0065C464
      • StrToID.DUI70(diskWriteLegend,?,006246A1,00000002), ref: 0065C472
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,006246A1,00000002), ref: 0065C47F
        • Part of subcall function 00660CB4: GetThemeColor.UXTHEME(?,?,00000000,00000EDA,0000008C,?,00000000,00000000,?,0065C4D4,?,?,?,006246A1,00000002), ref: 00660CD5
        • Part of subcall function 00660CB4: DeleteObject.GDI32(?), ref: 00660D06
      Strings
      Similarity
      • API ID: Descendent@DirectElement@FindV12@$ColorCurrentDeleteObjectThemeThread
      • String ID: %d FAIL: 0x%08x$AtmDiskView::Initialize$base\diagnosis\pdui\atm\main\diskview.cpp$diskReadLegend$diskWriteLegend
      • API String ID: 4248411995-3557444526
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000210,?,?,?,?,00648788,00009173), ref: 0062F13A
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00648788,00009173), ref: 0062F141
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00648788,00009173), ref: 0062F153
      • memset.MSVCRT ref: 0062F182
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,?,?,?,00648788,00009173), ref: 0062F19E
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0062F20F
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0062F216
      Strings
      Similarity
      • API ID: Heap$CurrentProcessThread$AllocFreememset
      • String ID: %d FAIL: 0x%08x$WdcStartService$base\diagnosis\pdui\atm\main\actions.cpp
      • API String ID: 2315026106-3006597684
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000210,?,?,?,?,006488C1,00009174), ref: 0062F238
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,006488C1,00009174), ref: 0062F23F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,006488C1,00009174), ref: 0062F251
      • memset.MSVCRT ref: 0062F281
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,?,?,?,006488C1,00009174), ref: 0062F29D
      • QueueUserWorkItem.API-MS-WIN-CORE-THREADPOOL-LEGACY-L1-1-0(0066C710,00000000,00000000,00000000,?,?,?,?,006488C1,00009174), ref: 0062F2C7
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,006488C1,00009174), ref: 0062F2D5
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,006488C1,00009174), ref: 0062F2FA
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,006488C1,00009174), ref: 0062F301
      Strings
      Similarity
      • API ID: Heap$CurrentProcessThread$AllocErrorFreeItemLastQueueUserWorkmemset
      • String ID: %d FAIL: 0x%08x$WdcStopService$base\diagnosis\pdui\atm\main\actions.cpp
      • API String ID: 1421461446-322733374
      APIs
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005ED44E
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005ED468
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005ED48C
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005ED4A5
      • swscanf_s.MSVCRT ref: 005ED4D3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80070057,?,00000000,7FFE001C), ref: 0063838E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80070057,?,00000000,7FFE001C), ref: 006383A6
      Strings
      Similarity
      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CurrentThread$swscanf_s
      • String ID: %d FAIL: 0x%08x$%u,%u$CRUMPCHelper::UpdateProcessorUtilization$base\diagnosis\pdui\atm\main\rumdatasrcs.cpp
      • API String ID: 677258-2369161803
      APIs
      • _ftol2.MSVCRT ref: 006642B8
      • SysFreeString.OLEAUT32(00000000), ref: 00664315
      • SysAllocString.OLEAUT32(?), ref: 0066431F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005F53C7,#0_,?,00000000,#0_,?,?,?,?,?,?,?,?,#0_), ref: 00664333
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,#0_), ref: 00664355
      Strings
      Similarity
      • API ID: CurrentStringThread$AllocFree_ftol2
      • String ID: #0_$%d FAIL: 0x%08x$ATMAssignString$WdcApplicationsMonitor::ResolveImageFriendlyName_Desktop$base\diagnosis\pdui\atm\main\applications.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 3528245343-3820171895
      APIs
      • StrToID.DUI70(?,?,?,00000000,00000000), ref: 0065C294
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,00000000,00000000), ref: 0065C2A1
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000080,?,?,?,00000000,00000000), ref: 0065C2C6
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,00000080,?,?,?,00000000,00000000), ref: 0065C2F8
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,00000000,00000000), ref: 0065C30B
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(?,?,00000000,00000000), ref: 0065C322
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0065C32F
      Strings
      Similarity
      • API ID: DirectElement@$CurrentThread$ContentDescendent@FindLayoutName@Pos@String@V12@
      • String ID: %d FAIL: 0x%08x$AtmDiskView::EnableDiskEntry$base\diagnosis\pdui\atm\main\diskview.cpp$sidebar_disk_name_%d
      • API String ID: 693145510-4106841379
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000348,?,?,?,?,?,?,00604E6A,?,?,?), ref: 006041F5
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00604E6A,?,?,?), ref: 006041FC
      • memset.MSVCRT ref: 0060420F
      • SysAllocString.OLEAUT32(?), ref: 0060423B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00604E6A,?,?,?), ref: 0063DA7C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00007E8F,?,?,?,?,?,?,?), ref: 0063DAB9
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?), ref: 0063DACD
      Strings
      Similarity
      • API ID: CurrentThread$AllocHeap$ProcessStringmemset
      • String ID: %d FAIL: 0x%08x$CAdapter::EthernetSetProperties$base\diagnosis\pdui\atm\main\adapter.cpp
      • API String ID: 23857881-2914812808
      • Opcode ID: f2b154bda59e28fb23c494ec292a60c46edd788526149b46f71f4863ef277339
      • Instruction ID: c8ab198867381152fb344102228e79d3d3fa6945bbd84039d663fdcde89f0888
      • Opcode Fuzzy Hash: f2b154bda59e28fb23c494ec292a60c46edd788526149b46f71f4863ef277339
      • Instruction Fuzzy Hash: BA31D5B1A84616BFD3159FA4DC45EBBBA6EFF04750F140229FD089B680DB749E0187E1
      APIs
      • SysAllocString.OLEAUT32(?), ref: 00612276
      • PathRemoveExtensionW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(00000000,?,005F5373,#0_,?,?,?,?,?,?,?,?,#0_), ref: 0061228C
      Strings
      • base\diagnosis\pdui\atm\main\inline.cpp, xrefs: 00640537
      • WdcApplicationsMonitor::ResolveImageFriendlyName_Immersive, xrefs: 0064055E
      • ATMAssignString, xrefs: 00640532
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 00640563
      • %d FAIL: 0x%08x, xrefs: 0064052B, 00640554
      • #0_, xrefs: 00612228
      Similarity
      • API ID: AllocExtensionPathRemoveString
      • String ID: #0_$%d FAIL: 0x%08x$ATMAssignString$WdcApplicationsMonitor::ResolveImageFriendlyName_Immersive$base\diagnosis\pdui\atm\main\applications.cpp$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 443315280-3557418746
      • Opcode ID: d2622a4e23c0d97b43af2e62df0a121838a9be2360f8671d3a45f18a966fc961
      • Instruction ID: e24c1eac15e6ab69f35731ced6d6b6e57e0d3e879f59c73dc933ed15873f4f1b
      • Opcode Fuzzy Hash: d2622a4e23c0d97b43af2e62df0a121838a9be2360f8671d3a45f18a966fc961
      • Instruction Fuzzy Hash: 26213571600311EFD7289F55DC80EAABBBAFF85700B18412DFA8697211DB71E9D2DB60
      Strings
      • base\diagnosis\pdui\atm\main\colheader.cpp, xrefs: 0062A472
      • AtmViewItem::SetVisibilityAndToolTip, xrefs: 0062A46D
      • %d FAIL: 0x%08x, xrefs: 0062A463
      Similarity
      • API ID:
      • String ID: %d FAIL: 0x%08x$AtmViewItem::SetVisibilityAndToolTip$base\diagnosis\pdui\atm\main\colheader.cpp
      • API String ID: 0-4113268842
      • Opcode ID: 2cf8e4480c769a330f7cfb692ac8ff3797bf011033fe5f49c68cb8cbb5a3f96b
      • Instruction ID: 0b316ec29f48f28513c6f48633f963237d975f4aceb0a4a7f0358583f79e557c
      • Opcode Fuzzy Hash: 2cf8e4480c769a330f7cfb692ac8ff3797bf011033fe5f49c68cb8cbb5a3f96b
      • Instruction Fuzzy Hash: 17110A31740A25BBCB166F94AC1DDBE3BA7AF90701F00111AF902863A1CBF48D428B97
      APIs
        • Part of subcall function 005E4B70: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 005E4B8F
        • Part of subcall function 005E4B70: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004), ref: 005E4BD6
        • Part of subcall function 00619B1E: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,005F1680), ref: 00619B27
      • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E4197
      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000), ref: 005E41B8
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E41CD
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E41E8
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E4203
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E421E
      • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00002557,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E4252
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000), ref: 005E4264
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?,?,005E3AF6), ref: 005E426B
      • DeleteCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00000003,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E4451
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,00000000,00000000,?,?,005E3D6F,00000000,00000000,?), ref: 005E4467
      • memset.MSVCRT ref: 005E448A
      Similarity
      • API ID: CloseCriticalHandleSection$DeleteEnterHeap$EventFreeLeaveObjectProcessSingleWaitmemset
      • String ID:
      • API String ID: 735090981-0
      • Opcode ID: c539deee20494db35c7c9a4103fb477c8eb4d064ac383c328c378c6aac6c9d10
      • Instruction ID: 478cde33c2daad231d6cabea242da3ffd95b2570655fd2e52c6595b7210fac47
      • Opcode Fuzzy Hash: c539deee20494db35c7c9a4103fb477c8eb4d064ac383c328c378c6aac6c9d10
      • Instruction Fuzzy Hash: 21A16E75700A52AFCB1CDF76DC98AA9BBA9BF08351B04122DE959C7390DB30AC51CF94
      APIs
      • GetDC.USER32(00000000), ref: 00644093
      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0064409E
      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006440AA
      • ReleaseDC.USER32(00000000,00000000), ref: 006440B5
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,00000003,00000003), ref: 006440D5
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,00000003,00000003), ref: 006440E5
        • Part of subcall function 00609F09: MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(-00000259,?,00000060,?,00000000,?,?,00609D8C,00000000,00000003,00000F08,?), ref: 00609F38
        • Part of subcall function 00609F09: MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(-000002A9,?,00000060,?,00000000,?,?,00609D8C,00000000,00000003,00000F08,?), ref: 00609F5D
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,00000003,00000003,00000000,00000003,00000000,?), ref: 00644110
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(00000000,00000003,00000003), ref: 00644120
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,00000F08,00000F08), ref: 00644151
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,00000F08,00000F08), ref: 00644161
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,00000F08,00000F08,00000000,00000003,00000F08,?), ref: 0064418D
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(00000000,00000F08,00000F08), ref: 0064419D
      Similarity
      • API ID: CapsDevice$Release
      • String ID:
      • API String ID: 1035833867-0
      • Opcode ID: b7e4504289f9c5d1916311a0aea5b4c32bcfb29b8e78928d2bfdbdbfde30a038
      • Instruction ID: 987b0b9812fdaa60a6fb82d7fb6346b9ee626023244b744b6c37a68d829e175a
      • Opcode Fuzzy Hash: b7e4504289f9c5d1916311a0aea5b4c32bcfb29b8e78928d2bfdbdbfde30a038
      • Instruction Fuzzy Hash: D9417F71405646BFE7119F61CC49FA6FFBAFF09310F005215F50882952DBB1A8A4CBE1
      APIs
      • PostMessageW.USER32(000004E3,?,?,?), ref: 006110E5
      • GetCursorPos.USER32(?), ref: 0061118D
      • PostMessageW.USER32(000004E3,?,?), ref: 006111AE
        • Part of subcall function 00653305: ?GetRootRelativeBounds@Element@DirectUI@@QAEJPAUtagRECT@@@Z.DUI70(?,00000000,?,02EEFDD8,00000000,00000003), ref: 00653325
        • Part of subcall function 00653305: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00653332
      • ?OnInput@HWNDElement@DirectUI@@UAEXPAUInputEvent@2@@Z.DUI70(?), ref: 006113F1
      Strings
      Similarity
      • API ID: DirectElement@MessagePost$Bounds@CurrentCursorEvent@2@@InputInput@RelativeRootT@@@ThreadUtag
      • String ID: tabctrl
      • API String ID: 2399559785-2255977970
      • Opcode ID: 7f3370f1f6f482ccef4f3d8bbe657f3f1ced4c7c8ecd73a9290ad2da8c194d4c
      • Instruction ID: caea58bf0d1ba44b45c74aee3eda431c6d44c9881ab192edf6174839cbcbd925
      • Opcode Fuzzy Hash: 7f3370f1f6f482ccef4f3d8bbe657f3f1ced4c7c8ecd73a9290ad2da8c194d4c
      • Instruction Fuzzy Hash: FF91D230A04342DBCF258F65C8847EABBA3BB46315F1C065AEA65CE659C770CEC5CB52
      APIs
      • _ftol2.MSVCRT ref: 0067024D
      • GetDurationFormatEx.API-MS-WIN-CORE-DATETIME-L1-1-2(00000000,00000000,00000000,00000000,?,h:mm:ss,?,?), ref: 00670289
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00670297
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 006702BE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?), ref: 006702EF
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,000090A8,?,?,?), ref: 00670394
      Strings
      Similarity
      • API ID: CurrentThread$DurationErrorFormatLast_ftol2
      • String ID: %d FAIL: 0x%08x$WdcAppHistoryMonitor::GetColumnText$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp$h:mm:ss
      • API String ID: 526506461-138573266
      • Opcode ID: 75994dc5da746ed7cb53b17a4f9b37d067a25141cc9feb86ecf69650a93b0fc1
      • Instruction ID: 5d5f07aedb274579b687a3684319e3e1301ea637d083d7e054bacf4f7013ea51
      • Opcode Fuzzy Hash: 75994dc5da746ed7cb53b17a4f9b37d067a25141cc9feb86ecf69650a93b0fc1
      • Instruction Fuzzy Hash: 8B6119B1E0061AFBEF159F84CC446EE7F76FB49720F25819AE959E2351D6348D808BE0
      APIs
      • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,000000A0,00000000,?,00000000,?,00659593,005C9F80,?,00000001,005C9FB4,005C9F80), ref: 00625095
      • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,000000A0,?,00000000,?,00659593,005C9F80,?,00000001,005C9FB4,005C9F80), ref: 006250C1
      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,00000000,?,00659593,005C9F80,?,00000001,005C9FB4), ref: 00625269
      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,00000000,?,00659593,005C9F80,?,00000001,005C9FB4), ref: 00625270
      Strings
      Similarity
      • API ID: Local$AllocFree
      • String ID: CPU%d$CPU%d%d$base\diagnosis\pdui\atm\main\cpuview.cpp
      • API String ID: 2012307162-1697716366
      • Opcode ID: fbb5a5ab6e4e75cf0124684183b34724ae502dbab06617d7acb7bc9d7e3e4b35
      • Instruction ID: 1261cd3218d1808ab9a90b1e1acb6824175d79999472567ebf6133d73ca6b306
      • Opcode Fuzzy Hash: fbb5a5ab6e4e75cf0124684183b34724ae502dbab06617d7acb7bc9d7e3e4b35
      • Instruction Fuzzy Hash: C1618034601B25AFDB20DF94DC84BAF7BA6AF49300F104169EA06AB391DA749E45CF61
      APIs
      • memset.MSVCRT ref: 0064A29B
      • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0064A2C4
      • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 0064A2D8
      • SendMessageW.USER32(?,00001073,00000000,?), ref: 0064A3A6
      • memset.MSVCRT ref: 0064A3EF
      • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0064A421
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 0064A478
      Strings
      • WdcDataMonitor::ListUpdateRow, xrefs: 0064A489
      • %d FAIL: 0x%08x, xrefs: 0064A47F
      • base\diagnosis\pdui\atm\main\data.cpp, xrefs: 0064A48E
      Similarity
      • API ID: MessageSend$memset$CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcDataMonitor::ListUpdateRow$base\diagnosis\pdui\atm\main\data.cpp
      • API String ID: 2881542667-2078273292
      • Opcode ID: 3f391eddc2813fc99e58d7d2de7e5583f49903b2c02b835d72a93133284f118b
      • Instruction ID: d090e567b0afb7dfaabb305e43f3149a9631d64aed35ac52d848a0801f9b6e65
      • Opcode Fuzzy Hash: 3f391eddc2813fc99e58d7d2de7e5583f49903b2c02b835d72a93133284f118b
      • Instruction Fuzzy Hash: DE717571A40219EFDB11CFA4C985BEEBBB6FF08310F144169E805EB781D7B0AA51CB91
      APIs
        • Part of subcall function 00617634: malloc.MSVCRT ref: 0061764C
      • memset.MSVCRT ref: 0066E0D3
        • Part of subcall function 006169CD: WindowsCreateStringReference.COMBASE(?,0062DD64,?,?), ref: 006169E5
      • RoGetActivationFactory.COMBASE(?,Function_0000B214,?), ref: 0066E128
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 0066E135
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 0066E1A9
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?), ref: 0066E1CD
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?), ref: 0066E1FE
      Strings
      Similarity
      • API ID: CurrentThread$ActivationCreateFactoryReferenceStringWindowsmallocmemset
      • String ID: %d FAIL: 0x%08x$PackagedStartupTask::Create$Windows.ApplicationModel.Internal.StartupTaskInternal$base\diagnosis\pdui\atm\main\startup.cpp
      • API String ID: 3730818199-2581210214
      • Opcode ID: f3aaa72777c0ddd3a4bc33ff82b7bbf81df14ce2da53b8d02e755b67439ab115
      • Instruction ID: e4d6138fa19c966eae774ce4a712089b0f2985071248cfe8dd2b870989c78307
      • Opcode Fuzzy Hash: f3aaa72777c0ddd3a4bc33ff82b7bbf81df14ce2da53b8d02e755b67439ab115
      • Instruction Fuzzy Hash: 9B51BC75E00209AFCB05EFA4DC85DEDBBBAEF94700F14001DF506A7291EB31A902CB95
      APIs
      • SendMessageW.USER32(00000000), ref: 0064531D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00645374
      • SendMessageW.USER32(?,0000120B,?,00000004), ref: 006453AC
      • SendMessageW.USER32(?,0000120C,?,00000004), ref: 006453D4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0064541B
      • SendMessageW.USER32(?,0000120B,?,00000004), ref: 00645441
      • SendMessageW.USER32(?,0000120C,?,00000004), ref: 00645471
      Strings
      Similarity
      • API ID: MessageSend$CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcListView::ChangeSortFlag$base\diagnosis\pdui\atm\main\listview.cpp
      • API String ID: 2377075789-3700916923
      • Opcode ID: e5bd35e18ef2d30975a6fdc0ce7b7ace1708e53621011a3bf2644d6de5234b7a
      • Instruction ID: 9d1e6dc326764ba2d07617346aa448b07a2850bf4e85b92efc4c29b7fb69b539
      • Opcode Fuzzy Hash: e5bd35e18ef2d30975a6fdc0ce7b7ace1708e53621011a3bf2644d6de5234b7a
      • Instruction Fuzzy Hash: 0C519076A40629BFDB159FA0CC44EEE7BAAFF08750F041265F912E7352EB7099408B90
      APIs
      • Shell_GetCachedImageIndexW.SHELL32(?,00000000,00000000), ref: 0064E154
      • SHGetImageList.SHELL32(00000001,005CBF4C,?), ref: 0064E178
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0064E185
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0064E1BC
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0064E1E9
      • DestroyIcon.USER32(00000000), ref: 0064E277
      Strings
      Similarity
      • API ID: CurrentThread$Image$CachedDestroyIconIndexListShell_
      • String ID: %d FAIL: 0x%08x$WdcProcessMonitor::ResolveImageIcon$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 2071108508-1554746147
      • Opcode ID: 76ddc2f5c78086c749b50c904920e60a5460433a9e029a6ee1b924e863212406
      • Instruction ID: 232385865072ae157b15adf2a765afb275ba8fd1ae32c990c13ff65cecf41999
      • Opcode Fuzzy Hash: 76ddc2f5c78086c749b50c904920e60a5460433a9e029a6ee1b924e863212406
      • Instruction Fuzzy Hash: 0731C135680201BFDB119BA4DC49FBB3BABFB84320F151169FD49D7291EBB19A40CB11
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,000001B0,00000000,00000000,00000000,?,?,?,?,005F2BE0,00000000), ref: 005F5103
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,005F2BE0,00000000), ref: 005F510A
      • memset.MSVCRT ref: 005F5122
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F5137
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005F5164
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,00000000,?,?,?,?,005F2BE0,00000000), ref: 00638DB1
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,?,005F2BE0,00000000), ref: 00638DDF
      Strings
      Similarity
      • API ID: CriticalCurrentHeapSectionThread$AllocEnterLeaveProcessmemset
      • String ID: %d FAIL: 0x%08x$CRUMHelper::AddProcData$base\diagnosis\pdui\atm\main\rumhelper.cpp
      • API String ID: 3519974343-2698517836
      • Opcode ID: 78c407d813098ff76df1fad8609f0c25cea08db2d0b0ecc28cbf94d5da5dab30
      • Instruction ID: 768156898e65592c6eb4022dfaa5741514e38ac71e61db70125c02c4dc0a3e20
      • Opcode Fuzzy Hash: 78c407d813098ff76df1fad8609f0c25cea08db2d0b0ecc28cbf94d5da5dab30
      • Instruction Fuzzy Hash: C321E471640208BBD7149B98CC49FE67BADFF44711F044169FA05EB282EB749A008BE0
      APIs
      • _wtol.MSVCRT ref: 0063209C
        • Part of subcall function 005DE2B8: EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?,?), ref: 005DE332
      Strings
      Similarity
      • API ID: EventTransferWrite_wtol
      • String ID: Action Center$Ctrl + Alt + Del$Ctrl + Shift + Escape$Logon Screen$MsConfig$Other$Perf Center$Self$Start bar
      • API String ID: 3055179170-1782475914
      • Opcode ID: e3b8e625c392eaef90254bf3259e7a2353528e07f4386a5ef31ef122262bf97e
      • Instruction ID: 962d55f2447c5557c8d93362cce258eb96e40b8772eaa579a06d5ea2c3bd81ba
      • Opcode Fuzzy Hash: e3b8e625c392eaef90254bf3259e7a2353528e07f4386a5ef31ef122262bf97e
      • Instruction Fuzzy Hash: 8B314731D04106ABC738AB28D865A7ABBEBF740324F244577D909AB390DB718D4AD7C6
      APIs
      • StrToID.DUI70(tabctrl,?,?,?,?,?,?,?,?,?,?,?,0060B2D6,00000003), ref: 0060C26E
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,?,?,?,?,?,0060B2D6,00000003), ref: 0060C27A
      • SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0060C2B8
      • SendMessageW.USER32(00000003,0000133C,00000000,00000008), ref: 0060C2D4
      • SendMessageW.USER32(00000003,0000130C,00000000,00000000), ref: 0060C2F4
      Strings
      Similarity
      • API ID: MessageSend$Descendent@DirectElement@FindV12@
      • String ID: %d FAIL: 0x%08x$WdcMonitor::SwitchTabByTabId$base\diagnosis\pdui\atm\main\monitor.cpp$tabctrl
      • API String ID: 3524387312-2222976740
      • Opcode ID: 8fa21d3398a3f1e38018a3715d627d17ae7c341e03f70c38bad836c548049941
      • Instruction ID: ffdbf821d08f22fc8a13f986c86348837d41d618a046726b1a57909adb5c5fe1
      • Opcode Fuzzy Hash: 8fa21d3398a3f1e38018a3715d627d17ae7c341e03f70c38bad836c548049941
      • Instruction Fuzzy Hash: 1521D632A80314BBD7159B988C49FEFBAA6FB48760F251265FD08E73C1D7705E4187A4
      APIs
      • ?GetDPI@Element@DirectUI@@QAEHXZ.DUI70(00000000,00000000,00000104), ref: 0060C1D3
      • LoadImageW.USER32(00000018,00000001,00000010,00000010,00000000), ref: 0060C1F8
      • StrToID.DUI70(?), ref: 0060C214
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 0060C221
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Descendent@FindImageLoadV12@
      • String ID: %d FAIL: 0x%08x$TmCommandBar::_LoadIcon$base\diagnosis\pdui\atm\main\commandbar.cpp$x
      • API String ID: 3644739348-1990446749
      • Opcode ID: 672d382f213d4e224c1d67d1dcfdfe64c1a020fe2a7305fca0f634ef364b736a
      • Instruction ID: 98d9e09aa99fe273b2b5a0e2c465c661f8645beb1598efbf9974fb7e5c049749
      • Opcode Fuzzy Hash: 672d382f213d4e224c1d67d1dcfdfe64c1a020fe2a7305fca0f634ef364b736a
      • Instruction Fuzzy Hash: 1921E171A40228ABCB149BA9DC487BF7AA6FB44310F10025AEC01A7291DB7589058BE0
      APIs
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(00000000,00000000,00000000,?,?,0060D5BD), ref: 006140B0
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D5BD), ref: 006140BE
      • ?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ.DUI70(?,?,0060D5BD), ref: 006140DA
      • ??0AutoLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z.DUI70(00000000,?,?,0060D5BD), ref: 006140E4
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D5BD), ref: 006140EA
      • ?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z.DUI70(?,00000000,00000000,00000000,005C0000,TmColumnHeader,00000000,?,?,0060D5BD), ref: 00614105
        • Part of subcall function 0061415B: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,00614126,?,?,?,?,?,0060D5BD), ref: 0061416E
        • Part of subcall function 0061415B: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00614126,?,?,?,?,?,0060D5BD), ref: 00614175
        • Part of subcall function 0061415B: ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,00614126,?,?,?,?,?,0060D5BD), ref: 00614183
        • Part of subcall function 0061415B: ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmColumnHeader,00000000,00000000,00000000,?,00614126,?,?,?,?,?,0060D5BD), ref: 0061419E
      • ?Register@ClassInfoBase@DirectUI@@QAEJXZ.DUI70(?,?,?,?,?,0060D5BD), ref: 00614131
      • ??1CritSecLock@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,0060D5BD), ref: 0061414A
      • ?Register@Element@DirectUI@@SGJXZ.DUI70(?,?,0060D5BD), ref: 00640F64
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Class$Direct$Info$Info@2@$Element@$Base@$Lock@Ptr@$E__@@HeapPropertyRegister@$AllocAutoCritExist@FactoryInitialize@N@@@ProcessU32@
      • String ID: TmColumnHeader
      • API String ID: 474453925-461794429
      • Opcode ID: b04db945972f78776e91299ccc3b374540d9075887ece9615a25a42f40ca3df7
      • Instruction ID: 4ae04c7bfb2b5c5af1e70312bd5e657ddc458902c2f5449c1dd5e456fd31f035
      • Opcode Fuzzy Hash: b04db945972f78776e91299ccc3b374540d9075887ece9615a25a42f40ca3df7
      • Instruction Fuzzy Hash: 0521C235700215BFC700AFA4EC98BBD7BBAFB48355F182229EA02D3260DF705949CB51
      APIs
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(00000000,00000000,00000000,?,?,0060D5CF), ref: 006141D2
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D5CF), ref: 006141E0
      • ?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ.DUI70(?,?,0060D5CF), ref: 006141FC
      • ??0AutoLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z.DUI70(00000000,?,?,0060D5CF), ref: 00614206
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D5CF), ref: 0061420C
      • ?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z.DUI70(?,00000000,00000000,00000000,005C0000,TmGroupHeader,00000000,?,?,0060D5CF), ref: 00614227
        • Part of subcall function 0061427D: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,00614248,?,?,?,?,?,0060D5CF), ref: 00614290
        • Part of subcall function 0061427D: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00614248,?,?,?,?,?,0060D5CF), ref: 00614297
        • Part of subcall function 0061427D: ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,00614248,?,?,?,?,?,0060D5CF), ref: 006142A5
        • Part of subcall function 0061427D: ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmGroupHeader,00000000,00000000,00000000,?,00614248,?,?,?,?,?,0060D5CF), ref: 006142C0
      • ?Register@ClassInfoBase@DirectUI@@QAEJXZ.DUI70(?,?,?,?,?,0060D5CF), ref: 00614253
      • ??1CritSecLock@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,0060D5CF), ref: 0061426C
      • ?Register@Element@DirectUI@@SGJXZ.DUI70(?,?,0060D5CF), ref: 00640F96
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Class$Direct$Info$Info@2@$Element@$Base@$Lock@Ptr@$E__@@HeapPropertyRegister@$AllocAutoCritExist@FactoryInitialize@N@@@ProcessU32@
      • String ID: TmGroupHeader
      • API String ID: 474453925-778773172
      • Opcode ID: e46b72fd8eb9c38eaffdc3f466987f757f5d9992c039d0f16d26173174440ad9
      • Instruction ID: 68c8dcf4d8a514ddf8b7f0b07282cf140592caf70ec0b78bfd6449edee429c79
      • Opcode Fuzzy Hash: e46b72fd8eb9c38eaffdc3f466987f757f5d9992c039d0f16d26173174440ad9
      • Instruction Fuzzy Hash: 45219235700215FFDB009FA5AC98BAE7BBABB48351F142129FA02D3261DF705A498F61
      APIs
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(00000000,00000000,00000000,?,?,0060D629), ref: 006142F4
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D629), ref: 00614302
      • ?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ.DUI70(?,?,0060D629), ref: 0061431E
      • ??0AutoLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z.DUI70(00000000,?,?,0060D629), ref: 00614328
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D629), ref: 0061432E
      • ?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z.DUI70(?,00000000,00000000,00000000,005C0000,TmColHeaderItem,00000000,?,?,0060D629), ref: 00614349
        • Part of subcall function 0061439F: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,0061436A,?,?,?,?,?,0060D629), ref: 006143B2
        • Part of subcall function 0061439F: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0061436A,?,?,?,?,?,0060D629), ref: 006143B9
        • Part of subcall function 0061439F: ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,0061436A,?,?,?,?,?,0060D629), ref: 006143C7
        • Part of subcall function 0061439F: ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmColHeaderItem,00000000,00000000,00000000,?,0061436A,?,?,?,?,?,0060D629), ref: 006143E2
      • ?Register@ClassInfoBase@DirectUI@@QAEJXZ.DUI70(?,?,?,?,?,0060D629), ref: 00614375
      • ??1CritSecLock@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,0060D629), ref: 0061438E
      • ?Register@Element@DirectUI@@SGJXZ.DUI70(?,?,0060D629), ref: 00640FC8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Class$Direct$Info$Info@2@$Element@$Base@$Lock@Ptr@$E__@@HeapPropertyRegister@$AllocAutoCritExist@FactoryInitialize@N@@@ProcessU32@
      • String ID: TmColHeaderItem
      • API String ID: 474453925-1429816369
      • Opcode ID: 7a0e35bd46b83c65c8d2a6362effb890e5f2369a7d0c7fc88009dcb2343dced0
      • Instruction ID: f12f24deadc61c77f3551f1292b4abd1496ab752688c7fac70de06404edf8c9a
      • Opcode Fuzzy Hash: 7a0e35bd46b83c65c8d2a6362effb890e5f2369a7d0c7fc88009dcb2343dced0
      • Instruction Fuzzy Hash: 42216F35700215BFD704AFA5EC98BAE7BAABB48711F142229EA02D3261DF705909CB61
      APIs
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(00000000,00000000,00000000,?,?,0060D63B), ref: 00614416
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D63B), ref: 00614424
      • ?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ.DUI70(?,?,0060D63B), ref: 00614440
      • ??0AutoLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z.DUI70(00000000,?,?,0060D63B), ref: 0061444A
      • ?GetClassInfoPtr@Element@DirectUI@@SGPAUIClassInfo@2@XZ.DUI70(?,?,0060D63B), ref: 00614450
      • ?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z.DUI70(?,00000000,00000000,00000000,005C0000,TmRowTextElement,00000000,?,?,0060D63B), ref: 0061446B
        • Part of subcall function 006144C1: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,0061448C,?,?,?,?,?,0060D63B), ref: 006144D4
        • Part of subcall function 006144C1: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0061448C,?,?,?,?,?,0060D63B), ref: 006144DB
        • Part of subcall function 006144C1: ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,0061448C,?,?,?,?,?,0060D63B), ref: 006144E9
        • Part of subcall function 006144C1: ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmRowTextElement,00000000,00000000,00000000,?,0061448C,?,?,?,?,?,0060D63B), ref: 00614504
      • ?Register@ClassInfoBase@DirectUI@@QAEJXZ.DUI70(?,?,?,?,?,0060D63B), ref: 00614497
      • ??1CritSecLock@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,0060D63B), ref: 006144B0
      • ?Register@Element@DirectUI@@SGJXZ.DUI70(?,?,0060D63B), ref: 00640FFA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Class$Direct$Info$Info@2@$Element@$Base@$Lock@Ptr@$E__@@HeapPropertyRegister@$AllocAutoCritExist@FactoryInitialize@N@@@ProcessU32@
      • String ID: TmRowTextElement
      • API String ID: 474453925-2123282327
      • Opcode ID: f8ef102ae13ae4e1aa2f58ea4899a20ebd4630a86d05be21d24e3652600693ad
      • Instruction ID: 5f2f478dba4c45e60638f8caf5ef2d87bf9972923396909d09bfbde9f90a129b
      • Opcode Fuzzy Hash: f8ef102ae13ae4e1aa2f58ea4899a20ebd4630a86d05be21d24e3652600693ad
      • Instruction Fuzzy Hash: 5A21B071700201AFC7009FA5EC98BAD7BBBFB48315F142229E906D3260CF705945CB61
      APIs
      • ?GetExtent@Element@DirectUI@@QAEPBUtagSIZE@@PAPAVValue@2@@Z.DUI70(?,?,00000000,00000000,?), ref: 00677490
      • ?Create@GridLayout@DirectUI@@SGJHHPAPAVLayout@2@@Z.DUI70(000000FF,00000000,00000001), ref: 006774C2
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006774CF
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70 ref: 0067752E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Create@CurrentElement@Extent@GridLayout@Layout@2@@Release@ThreadUtagValue@Value@2@@
      • String ID: %d FAIL: 0x%08x$CpuHeatMap::LayoutCpuBlocks$base\diagnosis\pdui\atm\main\cpuheatmap.cpp
      • API String ID: 2957920956-776856145
      • Opcode ID: 538997c708d682e11c315dcc75088cfcf8a39a47848ba25805506613e5c7f583
      • Instruction ID: ae8694e4a6e33cfcbf6cd198bd881304f3dc889f0c2459dc535ba17cab23794d
      • Opcode Fuzzy Hash: 538997c708d682e11c315dcc75088cfcf8a39a47848ba25805506613e5c7f583
      • Instruction Fuzzy Hash: D311E471A04221BBD711DB989C49DAEBFAAEF48721B04426AF919E3391DB705D00C791
      APIs
      • ResetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000001), ref: 005E10D3
      • SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000001), ref: 005E10E1
      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000001), ref: 005E10F1
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 005E1104
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 005E1190
      • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000), ref: 005E11B1
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00000000), ref: 005E126F
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,00000000), ref: 005E1289
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CloseHandle$ErrorEventLast$ObjectResetSingleWait
      • String ID: DPA_DeletePtr
      • API String ID: 2077743388-2281077657
      • Opcode ID: 871c3a5b97b234f5b5bc08709220c19989043dbe3804b4e77d4ac00572785c4e
      • Instruction ID: 901fc2fd86a7bc4d73e3f802e9222cc0ce6a4139234c68314563d2a11a8101f4
      • Opcode Fuzzy Hash: 871c3a5b97b234f5b5bc08709220c19989043dbe3804b4e77d4ac00572785c4e
      • Instruction Fuzzy Hash: B7514074A00A46ABCB1CDF67CC89BAEBBB9BF44311F140219EA55D3291DB30E940CB94
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,80004005,?,?,?,?,00630C9D,?,?,?), ref: 006721D2
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,?,?,?,80004005,?,?,?,?,00630C9D,?,?,?), ref: 00672295
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,80004005,?,?,?,?,00630C9D,?,?,?), ref: 0067229C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,80004005,?,?,?,?,00630C9D,?,?,?), ref: 006722CA
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,80004005,?,?,?,?,00630C9D,?,?,?), ref: 006722F3
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,80004005,?,?,?,?,00630C9D,?,?,?), ref: 006722FA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$Process$AllocCriticalCurrentEnterFreeSectionThread
      • String ID: %d FAIL: 0x%08x$WdcDupString$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 1698248605-1942429579
      • Opcode ID: bb7f2b030c144f2a7746e41a2fe31fd0cd402d1f28d7973c81f17ac512c8cb8a
      • Instruction ID: 3bd6b40cc655fc0bfc7b742f0a398f74727665face00960523e7de8f7f6f7a3c
      • Opcode Fuzzy Hash: bb7f2b030c144f2a7746e41a2fe31fd0cd402d1f28d7973c81f17ac512c8cb8a
      • Instruction Fuzzy Hash: 38519275A0021ADFCB14CFA4C864AAEBBB6FF59310F148169E909EB340D734DE41CB91
      APIs
        • Part of subcall function 00617634: malloc.MSVCRT ref: 0061764C
        • Part of subcall function 006169CD: WindowsCreateStringReference.COMBASE(?,0062DD64,?,?), ref: 006169E5
      • RoGetActivationFactory.COMBASE(00000000,005CB214,00000000), ref: 005DF571
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,005DF4C1,00000003,00000000,?,?,?,?,?,005DF490,00000003), ref: 006340F5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,005DF4C1,00000003,00000000,?,?,?,?,?,005DF490), ref: 00634109
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,005DF4C1,00000003,00000000,?,?,?,?,?,005DF490,00000003), ref: 00634132
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000004,?,?,?,?,?,?,005DF4C1,00000003,00000000,?), ref: 00634146
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$ActivationCreateFactoryReferenceStringWindowsmalloc
      • String ID: %d FAIL: 0x%08x$PackagedStartupTasks::Create$Windows.ApplicationModel.Internal.StartupTaskInternal$base\diagnosis\pdui\atm\main\startup.cpp
      • API String ID: 4189892172-4210891781
      • Opcode ID: dee67e65933c1a26d638011bd2fd2e2a8fbd1d00720b08dd6796a41ea9de80f0
      • Instruction ID: 87e137cd640daf02197d8662db5d7b2c34478ae0fba966e40023ad56e8f34350
      • Opcode Fuzzy Hash: dee67e65933c1a26d638011bd2fd2e2a8fbd1d00720b08dd6796a41ea9de80f0
      • Instruction Fuzzy Hash: C941D371640601AFCB15AF948C819BEFBBAEFA4710B18015EF9026B351DF70AC81DBA1
      APIs
      • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0065E193
      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0065E1A6
      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0065E1B4
      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0065E1CD
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,000000D0), ref: 0065E215
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0065E21C
      • memset.MSVCRT ref: 0065E234
      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0065E2CD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: MessageSend$Heap$AllocProcessmemset
      • String ID: base\diagnosis\pdui\atm\main\networkview.cpp
      • API String ID: 2304107609-2543364597
      • Opcode ID: f864f54b7267a91aed0fc3688e08f4532f76f75909d69335bc374601103cff06
      • Instruction ID: 4e81733ab9520d858af53371c04ba5ddec8627722511ea4e1bf6700f61a0a4ed
      • Opcode Fuzzy Hash: f864f54b7267a91aed0fc3688e08f4532f76f75909d69335bc374601103cff06
      • Instruction Fuzzy Hash: 76413471A00211BBDB249F65CC48F9ABBBAFFC4711F154129FD08AB291CB719E45CB94
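The raw SendMessageW message IDs in the WdcMonitor::SwitchTabByTabId block above (0x1304, 0x133C, 0x130C) and in this networkview.cpp block (0x1009, 0x101F, 0x1200, 0x101C, 0x104D) are common-control messages whose names make the function's intent readable at a glance. The following Python is an added example, not part of the Joe Sandbox report: it parses the report's "Function.MODULE(args), ref: address" lines and resolves the message IDs against constants taken from the public CommCtrl.h header (LVM_FIRST 0x1000, HDM_FIRST 0x1200, TCM_FIRST 0x1300). The sample input is the API-call lines of those two blocks copied verbatim; the "TCM_FIRST+n" style fallback for IDs not in the table is this example's own convention.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API-call lines copied from two blocks of this report
# (WdcMonitor::SwitchTabByTabId and the networkview.cpp function).
SAMPLE = """\
• SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0060C2B8
• SendMessageW.USER32(00000003,0000133C,00000000,00000008), ref: 0060C2D4
• SendMessageW.USER32(00000003,0000130C,00000000,00000000), ref: 0060C2F4
• SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0065E193
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0065E1A6
• SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0065E1B4
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0065E1CD
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,000000D0), ref: 0065E215
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0065E21C
• memset.MSVCRT ref: 0065E234
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0065E2CD
"""

# Message constants from the public CommCtrl.h header.
LVM_FIRST, HDM_FIRST, TCM_FIRST = 0x1000, 0x1200, 0x1300
MESSAGE_NAMES = {
    LVM_FIRST + 9: "LVM_DELETEALLITEMS",
    LVM_FIRST + 28: "LVM_DELETECOLUMN",
    LVM_FIRST + 31: "LVM_GETHEADER",
    LVM_FIRST + 77: "LVM_INSERTITEMW",
    HDM_FIRST + 0: "HDM_GETITEMCOUNT",
    TCM_FIRST + 4: "TCM_GETITEMCOUNT",
    TCM_FIRST + 11: "TCM_GETCURSEL",
    TCM_FIRST + 12: "TCM_SETCURSEL",
    TCM_FIRST + 60: "TCM_GETITEMW",
}

# One report line: optional bullet, optional "Part of subcall function X:",
# then Function.MODULE, an optional argument list, and the "ref:" address.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>[^\s.(]+)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: list          # int per slot, None for an unresolved '?' slot, str for literals
    ref: int            # address of the call site
    message: Optional[str] = None   # decoded window-message name for SendMessageW


def parse_arg(tok: str):
    """Report arguments are zero-padded hex, '?', a negative offset, or a string literal."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    if tok.startswith("-"):
        return -int(tok[1:], 16)
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def decode_message(call: ApiCall) -> Optional[str]:
    """Resolve the Msg parameter (second argument) of a SendMessageW call."""
    if call.func != "SendMessageW" or len(call.args) < 2 or not isinstance(call.args[1], int):
        return None
    msg = call.args[1]
    name = MESSAGE_NAMES.get(msg)
    if name is None:
        # Unknown ID: still report which control family it belongs to (this
        # example's own naming convention, not a header constant).
        for base, label in ((LVM_FIRST, "LVM_FIRST"), (HDM_FIRST, "HDM_FIRST"), (TCM_FIRST, "TCM_FIRST")):
            if base <= msg < base + 0x100:
                name = f"{label}+{msg - base}"
    return name


def parse_api_lines(text: str) -> list:
    """Parse every API-call line in a report block; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m["args"]
        args = [parse_arg(a) for a in raw_args.split(",")] if raw_args is not None else []
        call = ApiCall(m["func"], m["module"], args, int(m["ref"], 16))
        call.message = decode_message(call)
        calls.append(call)
    return calls


def summarize(text: str) -> list:
    """One readable line per call: address, function, decoded message if any."""
    return [f"{c.ref:08X} {c.func}" + (f" -> {c.message}" if c.message else "")
            for c in parse_api_lines(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Read in order, the decoded networkview.cpp sequence is: clear the list view, fetch its header, count the header's columns, delete columns, allocate 0xD0-byte items on the process heap, then insert items; the tab-control sequence counts the tabs, reads them with TCM_GETITEMW, and selects one with TCM_SETCURSEL. Nothing here is suspicious on its own; the value of the decoding is that it turns a wall of hex into behaviour that can be compared against what a Task Manager-style UI is expected to do.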
      APIs
      • memset.MSVCRT ref: 006282AD
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 00628317
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00689514,?,00000001,?,?,00000001,00689514,-00000128,-00000114,?,?), ref: 00628376
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$memset
      • String ID: %d FAIL: 0x%08x$AtmGpuView::SetStaticMemoryString$base\diagnosis\pdui\atm\main\gpuview.cpp
      • API String ID: 3613767788-1647136298
      • Opcode ID: aef323f90c3f221514faa7e85490d060c766ec06992cde60eb3b65cd437d3f02
      • Instruction ID: 33f88a58d4705d787c00d469df130c85ea2ac4facb26e0954099a6fe79b34095
      • Opcode Fuzzy Hash: aef323f90c3f221514faa7e85490d060c766ec06992cde60eb3b65cd437d3f02
      • Instruction Fuzzy Hash: D9418E71A00629AFDB249F60DC46FAE7B79FB45710F0041D9F988A6281DB7489948FA1
      APIs
      • SysFreeString.OLEAUT32(00000000), ref: 006123B3
      • SysAllocString.OLEAUT32(?), ref: 006123C4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 006123D4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$AllocCurrentFreeThread
      • String ID: #0_$%d FAIL: 0x%08x$ATMAssignString$base\diagnosis\pdui\atm\main\inline.cpp$base\diagnosis\pdui\atm\main\tmutils.cpp
      • API String ID: 2456199392-3099253638
      • Opcode ID: df3ec616064dcb2241d80236c270368dec1009f333e2a57230bfe3c450c3e04e
      • Instruction ID: 6f6cc3ac094845beb03277839255475bce515370c17d5076006e3751f854b6bc
      • Opcode Fuzzy Hash: df3ec616064dcb2241d80236c270368dec1009f333e2a57230bfe3c450c3e04e
      • Instruction Fuzzy Hash: B7410671A4023A9BCB249F64DC58ADB77F6EF54710F1801A8EC18EB300E6349ED19BA1
      APIs
      • GetFocus.USER32 ref: 006473C3
      • SendMessageW.USER32(00000000), ref: 00647406
      • SetFocus.USER32(00000000), ref: 0064740D
      • ?OnInput@CCBase@DirectUI@@UAEXPAUInputEvent@2@@Z.DUI70(?), ref: 0064741F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00647472
      • SendMessageW.USER32(00000000), ref: 006474D0
      Strings
      • WdcListView::OnInput, xrefs: 00647483
      • base\diagnosis\pdui\atm\main\listview.cpp, xrefs: 00647488
      • %d FAIL: 0x%08x, xrefs: 00647479
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: FocusMessageSend$Base@CurrentDirectEvent@2@@InputInput@Thread
      • String ID: %d FAIL: 0x%08x$WdcListView::OnInput$base\diagnosis\pdui\atm\main\listview.cpp
      • API String ID: 540933269-3443133642
      • Opcode ID: 2a5fd7ba8f9525ef082eddb1a2785214c0d38ae8b207ef8ecff32c31dedc6992
      • Instruction ID: 8625cb571ef1bab20309ff45dd62fd716a4964b9248d65651f5389a3f34fd1b3
      • Opcode Fuzzy Hash: 2a5fd7ba8f9525ef082eddb1a2785214c0d38ae8b207ef8ecff32c31dedc6992
      • Instruction Fuzzy Hash: F6412331A08304ABDB24AF78DC0CBB87FEBBB10311F041629F94197392C7B49880CB96
      APIs
      • _wcsicmp.MSVCRT ref: 005E8089
      • StrToIntExW.SHLWAPI(?,00000000,?), ref: 005E80E5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0063698E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006369B6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$_wcsicmp
      • String ID: %d FAIL: 0x%08x$CStartupImpactHelper::ReadProcessAttributes$PID$base\diagnosis\pdui\atm\main\startuputils.cpp
      • API String ID: 2472610947-3281991706
      • Opcode ID: 75c8cf9956d0b4d50890ed7d251f4eed4c2c688cd94714fac09ed60d412d0b2d
      • Instruction ID: df90b41eba62bfdd039802e5c09f24615cc2857511224c9359189d288a497c2f
      • Opcode Fuzzy Hash: 75c8cf9956d0b4d50890ed7d251f4eed4c2c688cd94714fac09ed60d412d0b2d
      • Instruction Fuzzy Hash: 3931B232A40526BFC7219BA5CC48EAEBFA9FF04750F150256FD41E72A0DF61AD018BD0
      APIs
      • swscanf_s.MSVCRT ref: 005E9339
      • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,005E91CF), ref: 005E934C
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00637229
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 00637250
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,FDA7890F,?,00000000), ref: 00637264
      Strings
      • CStartupImpactHelper::ConvertStrToTime, xrefs: 00637275
      • %4hu/%2hu/%2hu:%2hu:%2hu:%2hu.%3hu%4lu, xrefs: 005E9333
      • base\diagnosis\pdui\atm\main\startuputils.cpp, xrefs: 0063727A
      • %d FAIL: 0x%08x, xrefs: 00637257, 0063726B
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThreadTime$ErrorFileLastSystemswscanf_s
      • String ID: %4hu/%2hu/%2hu:%2hu:%2hu:%2hu.%3hu%4lu$%d FAIL: 0x%08x$CStartupImpactHelper::ConvertStrToTime$base\diagnosis\pdui\atm\main\startuputils.cpp
      • API String ID: 3333435158-581157013
      • Opcode ID: 6afff26cd98335aa64db66c996baa8542e67276eb2f421e193bb1099930a05d9
      • Instruction ID: 63bf4ffc89d66fbadb5299d57fc7a869ebfa54f51884c7565cf966e247991fea
      • Opcode Fuzzy Hash: 6afff26cd98335aa64db66c996baa8542e67276eb2f421e193bb1099930a05d9
      • Instruction Fuzzy Hash: 99314BB690421ABFDB25CBD5DC45EEFBBB9FB08710F001266F905F7240DA349A048BA1
      APIs
      • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,005DEDCF,?,?), ref: 0064220C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ObjectSingleWait
      • String ID: wil
      • API String ID: 24740636-1589926490
      • Opcode ID: f58937325d5d5aca2d606fdcfe2cecf89c058cc4cb66004eab39626e9c0f26c6
      • Instruction ID: 8984e64cd316555892d6cf6b3c654c120570385e80ceef4fa1f6b6aab58baa08
      • Opcode Fuzzy Hash: f58937325d5d5aca2d606fdcfe2cecf89c058cc4cb66004eab39626e9c0f26c6
      • Instruction Fuzzy Hash: 2C31A530704207ABEB105AA19CA4BFF3A6BDF41350FB05175F901D6695DBB4CF42A762
      APIs
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,?,00652D99,?,00000000,?,?,00000000), ref: 00657303
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,00652D99,?,00000000,?,?,00000000), ref: 00657326
      • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(-00001200,00000000,?,00000400,00000000,?,00652D99,00000000,00000000,?,?,00652D99,?,00000000,?,?), ref: 0065737F
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00652D99,?,00000000,?,?,00000000), ref: 00657389
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00652D99,?,00000000,?,?,00000000), ref: 006573A8
      • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,00652D99,?,00000000,?,?,00000000), ref: 006573D0
        • Part of subcall function 005E15DE: LoadLibraryW.KERNELBASE(?,006784A0,?,005E1559,-8007000E,00000000,?,005E14F5,?), ref: 005E1614
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentErrorLastLibraryThread$FormatFreeLoadMessage
      • String ID: %d FAIL: 0x%08x$ATMFormatMessage$base\diagnosis\pdui\atm\main\main.cpp
      • API String ID: 3901178024-135567437
      • Opcode ID: 71cd55837d6d8b378671be4b2842d60f6688fc9b2ed7900b4c4b65481716f240
      • Instruction ID: 16c54c2bf5d1e7b59b6fd9b7a93f5fbf17e7c92d5280cbb7aadf69022d6b0246
      • Opcode Fuzzy Hash: 71cd55837d6d8b378671be4b2842d60f6688fc9b2ed7900b4c4b65481716f240
      • Instruction Fuzzy Hash: C0213A73984626BB8B254AA8AC05EEF3E17EF80761F051218FD05E7340E734CC0497D0
      APIs
      • VariantInit.OLEAUT32(?), ref: 005EA484
      • SendMessageW.USER32(?,00000419,?,Function_0000B754), ref: 005EA597
      • SendMessageW.USER32(?,00000410,00000000,00000000), ref: 005EA5B4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?), ref: 005EA683
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: MessageSend$CurrentInitThreadVariant
      • String ID: %d FAIL: 0x%08x$WdcChart::UpdateChartData$base\diagnosis\pdui\atm\main\chart.cpp$wwww
      • API String ID: 73153902-908542149
      • Opcode ID: d2012ca93e437e34319da633b2a01fd87cfafdc16902f9cfdcf3c7275cd89593
      • Instruction ID: 65beaf481575884a9c51be68714049823830e0c83468ec7d353ad9493d321016
      • Opcode Fuzzy Hash: d2012ca93e437e34319da633b2a01fd87cfafdc16902f9cfdcf3c7275cd89593
      • Instruction Fuzzy Hash: B6B1A831A005659FDB2ECF35CC94BE9BBB9FF48300F0442A9E559A7291D770AE94CB81
      APIs
      • swscanf_s.MSVCRT ref: 005ED1E3
      • memcpy_s.MSVCRT ref: 005ED209
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80070057,?,?,?), ref: 006382CB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80070057,?,?,?), ref: 006382E3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$memcpy_sswscanf_s
      • String ID: %d FAIL: 0x%08x$%u,%u$WdcCpuMonitor::UpdateQuery$base\diagnosis\pdui\atm\main\cpu.cpp
      • API String ID: 3939246747-3331764071
      • Opcode ID: b47e80a1ec2ab4482a9baf27e8ccac2c2885430bf58016985af140d8ef92cbed
      • Instruction ID: 9b6929f26fb314f0759a1cbbef975d84669062976468340fac6176bbfb0d3cd6
      • Opcode Fuzzy Hash: b47e80a1ec2ab4482a9baf27e8ccac2c2885430bf58016985af140d8ef92cbed
      • Instruction Fuzzy Hash: 4B914671508741DFD318CF59C844A9ABBF1FF88314F288A1DF5A997260DB35E954CB82
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005EB174
      • KillTimer.USER32(00000000), ref: 005EB1BB
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000001), ref: 005EB29C
      Strings
      • %d FAIL: 0x%08x, xrefs: 005EB17B
      • base\diagnosis\pdui\atm\main\control.cpp, xrefs: 005EB18A
      • TmTraceControl::Update, xrefs: 005EB185
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalCurrentEnterKillSectionThreadTimer
      • String ID: %d FAIL: 0x%08x$TmTraceControl::Update$base\diagnosis\pdui\atm\main\control.cpp
      • API String ID: 1726587639-1771057091
      • Opcode ID: f45d2f9e188138475ea09228743cfce9d3f35bec7eccfcf61442e246ed27d164
      • Instruction ID: e7d9f3af3108c01fde682b559b73e9a03ddf6f1cb6ac5ed6144f5f695eac1bf4
      • Opcode Fuzzy Hash: f45d2f9e188138475ea09228743cfce9d3f35bec7eccfcf61442e246ed27d164
      • Instruction Fuzzy Hash: 78511235B003109FEB199F51C898B6E3FA6BF88711F09124DEE459B296CBB0EC41CB81
      APIs
      • _ftol2_sse.MSVCRT ref: 0063234A
        • Part of subcall function 005DE2B8: EventWriteTransfer.API-MS-WIN-EVENTING-PROVIDER-L1-1-0(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?,?), ref: 005DE332
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: EventTransferWrite_ftol2_sse
      • String ID: Disabled$Enabled$High$Low$Medium$None$Unknown
      • API String ID: 259072040-960437330
      • Opcode ID: 9f9a412b183808c7ede7ed84b0d72544837613a83b37c3d218ffdf7023c1ff71
      • Instruction ID: cfafcd4bdb414a845aee7959f2d7c92f052c8a8dae608808de8afa80e5d89c3b
      • Opcode Fuzzy Hash: 9f9a412b183808c7ede7ed84b0d72544837613a83b37c3d218ffdf7023c1ff71
      • Instruction Fuzzy Hash: 9D41C731E0010B97DB24FB68D965AEEBBBBBB81310F20452BE505AB395DA355D0AC7C1
      APIs
        • Part of subcall function 005EDDF9: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000001,?,0061E581,00625FFC,?,00000000,?,?,?,?,?,00625FFC,?,?,?,00000000), ref: 005EDE08
      • DXGIDeclareAdapterRemovalSupport.DXGI(?), ref: 0061E234
        • Part of subcall function 00617634: malloc.MSVCRT ref: 0061764C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0061E264
        • Part of subcall function 0061FC0E: PdhOpenQueryW.PDH(00000000,00000000,00000018,?,?,00000000,0061E290), ref: 0061FC1D
        • Part of subcall function 0061FC0E: wprintf_s.MSVCRT ref: 0061FDE1
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0061E297
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(-8007000E), ref: 0061E2DE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0061E354
        • Part of subcall function 0061D591: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 0061D5AC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$AdapterCriticalDeclareEnterOpenQueryRemovalSectionSupportmallocwprintf_s
      • String ID: %d FAIL: 0x%08x$WdcGpuMonitor::Initialize$base\diagnosis\pdui\atm\main\gpu.cpp
      • API String ID: 860920493-2380480986
      • Opcode ID: db54e584ae86e02e05ca6bfc3204057e7ba1a70af21ddf509e9b925e567d35c5
      • Instruction ID: 3e8164793026fa4e81e0732f94f49daf458a714a99efdca2b4954ede90086f22
      • Opcode Fuzzy Hash: db54e584ae86e02e05ca6bfc3204057e7ba1a70af21ddf509e9b925e567d35c5
      • Instruction Fuzzy Hash: 16311471B40312ABD7189BA49845EFA7B9ABF85700F18022DFC5AD7281DB35CD8187A5
      APIs
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,005FFD56), ref: 006000A0
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,005FFD56,?), ref: 006000B6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,?,?,?,005FFD56,?,?,?), ref: 0063C31A
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,005FFD56), ref: 0063C349
      • MulDiv.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,005FFD56,?), ref: 0063C35F
      Strings
      • ScaleWICBitmapSource, xrefs: 0063C328
      • %d FAIL: 0x%08x, xrefs: 0063C321
      • base\diagnosis\pdui\atm\main\imgutils.cpp, xrefs: 0063C32D
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$ScaleWICBitmapSource$base\diagnosis\pdui\atm\main\imgutils.cpp
      • API String ID: 2882836952-3254248726
      • Opcode ID: 5f7bea3c795a7d6d8a0338e7cc319b69a1a346db3d27e2df549f2da35bb915c2
      • Instruction ID: 8ca739f0028132ffa236980fc8e4f850e52b2fcb86c098555165215a2db53bcf
      • Opcode Fuzzy Hash: 5f7bea3c795a7d6d8a0338e7cc319b69a1a346db3d27e2df549f2da35bb915c2
      • Instruction Fuzzy Hash: 9241397AA0021AFFCB05DF98DC449AEBBB6FF48310F105169F905A3261D771AE51DBA0
      APIs
      • _ftol2.MSVCRT ref: 0062E4FB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 0062E516
        • Part of subcall function 00666565: _ftol2.MSVCRT ref: 0066659E
        • Part of subcall function 00666565: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000), ref: 006665B4
        • Part of subcall function 00666565: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001300,00000000,?,00000400,00000000,00000000,00000000,00000104,00000064,?,?,00000000), ref: 00666661
        • Part of subcall function 00666565: MessageBoxW.USER32(?,?,00000030), ref: 006666A6
        • Part of subcall function 00666565: LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,00000000), ref: 006666BB
      • _ftol2.MSVCRT ref: 0062E54A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 0062E55D
      • _ftol2.MSVCRT ref: 0062E5A3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: _ftol2$CurrentMessageThread$ErrorFormatFreeLastLocal
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::AtmOnProcessCommand$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 3865096668-3156885552
      • Opcode ID: 7bedcd00c0d71d0bfa792aaf79a31310edbf00a26adce4bb79048bec953163a6
      • Instruction ID: 937c95eeec405978c98484d43fd4cee0858cd8283e094d790ec541d755089e1b
      • Opcode Fuzzy Hash: 7bedcd00c0d71d0bfa792aaf79a31310edbf00a26adce4bb79048bec953163a6
      • Instruction Fuzzy Hash: C131D431B14B16AFDB01AEB8EC8596A7BDAAF44314F00803CF95496296EB77C9008B51
      APIs
      • StrToID.DUI70(?,?,?,?,?,?,005E7D77), ref: 006061C7
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,?,?,005E7D77), ref: 006061D4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Descendent@DirectElement@FindV12@
      • String ID: %d FAIL: 0x%08x$TmPage::OnNavigateTo$base\diagnosis\pdui\atm\main\apppage.cpp
      • API String ID: 894778106-4243269983
      • Opcode ID: bb1592d2f8f7525b06b6896e327651d492ac63d83048e14d7beae05e31386fc3
      • Instruction ID: 3fb4278b95aa6bdc0d0e4fab2f9962b4d8d0052d18efff728c7528334397a8b4
      • Opcode Fuzzy Hash: bb1592d2f8f7525b06b6896e327651d492ac63d83048e14d7beae05e31386fc3
      • Instruction Fuzzy Hash: 2E31DB31600211BFDF1A9FA4D889E6BBF66EF44310F050294FD459B2A2CB66DC208BE1
      APIs
      • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 006464BA
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00645934,?,00000000,?,?,?,?,00000000), ref: 006464C8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,00000000,?,?,?,00645934,?,00000000,?,?,?,?,00000000), ref: 006464E2
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,00645934,?,00000000,?,?,?,?,00000000), ref: 00646511
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,000076C0,00000000,?,00000000,?,?,?,00645934,?,00000000,?,?,?), ref: 0064653E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$ErrorLastMessagePost
      • String ID: %d FAIL: 0x%08x$WdcListView::KillProcessTree$base\diagnosis\pdui\atm\main\listview.cpp
      • API String ID: 3262489775-2371905289
      • Opcode ID: 35687df60bdb796a58eb264d9e4fee6f8cec16e2bee56e6792a7b9d00c53922e
      • Instruction ID: b220017d5c1f67fff498f2f3fc729300133b8717e3f2673f0aa390608f0ded89
      • Opcode Fuzzy Hash: 35687df60bdb796a58eb264d9e4fee6f8cec16e2bee56e6792a7b9d00c53922e
      • Instruction Fuzzy Hash: BA31E832A81626FBCB255F98DC45EAA7BA7FF06710B004129FE0496B50DB70EC10CBD6
      APIs
      • CompareStringOrdinal.API-MS-WIN-CORE-STRING-L1-1-0(?,000000FF,?,000000FF,00000001,?,%ProgramFiles%\Windows Sidebar\sidebar.exe,00000000,?,?,?,?,?,005EFBF6,?), ref: 005E22E0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,%ProgramFiles%\Windows Sidebar\sidebar.exe,00000000,?,?,?,?,?,005EFBF6,?,?,?,?,?,00000000), ref: 00634D9B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,%ProgramFiles(x86)%\Windows Sidebar\sidebar.exe,?,%ProgramFiles%\Windows Sidebar\sidebar.exe,00000000,?,?,?,?,?,005EFBF6,?,?,?,?,?), ref: 00634DAF
      Strings
      • %ProgramFiles(x86)%\Windows Sidebar\sidebar.exe, xrefs: 00634DEF
      • TmSpecialProcesses::IsSidebarPath, xrefs: 00634DC0
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 00634DC5
      • %d FAIL: 0x%08x, xrefs: 00634DA2, 00634DB6
      • %ProgramFiles%\Windows Sidebar\sidebar.exe, xrefs: 005E2303
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$CompareOrdinalString
      • String ID: %ProgramFiles%\Windows Sidebar\sidebar.exe$%ProgramFiles(x86)%\Windows Sidebar\sidebar.exe$%d FAIL: 0x%08x$TmSpecialProcesses::IsSidebarPath$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 3162366800-2461571097
      • Opcode ID: 5f6486d5b82f56a0c0a58715df889509da3be5e28435b8a42764b5840c0377ad
      • Instruction ID: 6d04eec16fa597e03bcfc1c7a83fbbcd39e302fe60edc15b942546e94f63dd3b
      • Opcode Fuzzy Hash: 5f6486d5b82f56a0c0a58715df889509da3be5e28435b8a42764b5840c0377ad
      • Instruction Fuzzy Hash: 71217D717442A577EB181B958C45FBB6E0FBF91710F100615FE85A73C9CE649C42D3A1
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0065636C
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00656373
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00656386
      Strings
      • WdcNumaCpuList::AddItem, xrefs: 00656397
      • %d FAIL: 0x%08x, xrefs: 0065638D
      • base\diagnosis\pdui\atm\main\selist.cpp, xrefs: 0065639C
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentProcessThread
      • String ID: %d FAIL: 0x%08x$WdcNumaCpuList::AddItem$base\diagnosis\pdui\atm\main\selist.cpp
      • API String ID: 516287359-350574187
      • Opcode ID: a5ba4936af957cd2edb5501507427cb847d9995359e9a4d523aa1bc4567fb582
      • Instruction ID: 6f2ca5ccbd64523ac0e0f39cae2b841c7acb71cabc258a6df317d34be6a58f18
      • Opcode Fuzzy Hash: a5ba4936af957cd2edb5501507427cb847d9995359e9a4d523aa1bc4567fb582
      • Instruction Fuzzy Hash: CB31F4B9604626FFC3148F58C884965F7EAFB08302F90912AFD4687711D331ED61CBA0
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0065647C
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00656483
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 00656496
      Strings
      • WdcNumaNodeList::AddItem, xrefs: 006564A7
      • %d FAIL: 0x%08x, xrefs: 0065649D
      • base\diagnosis\pdui\atm\main\selist.cpp, xrefs: 006564AC
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentProcessThread
      • String ID: %d FAIL: 0x%08x$WdcNumaNodeList::AddItem$base\diagnosis\pdui\atm\main\selist.cpp
      • API String ID: 516287359-2863397346
      • Opcode ID: 0db8393e3dd8d25766feca1051d5ad38be2c0ae4e39d823387d58a4ab12ece39
      • Instruction ID: ff0e25394b92d4b94e8abe9a11be0d6c537c21ffc77a5f4941f9b9e320bc13f8
      • Opcode Fuzzy Hash: 0db8393e3dd8d25766feca1051d5ad38be2c0ae4e39d823387d58a4ab12ece39
      • Instruction Fuzzy Hash: 4A31C1B9600216FBC3248F68C884966F7FAFB08305B90D229FC4687711E734ED55D7A0
      APIs
      • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000008,?,?,?,?,?,?,?), ref: 0064D1C1
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0064D1CB
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,?,?,?,?,?), ref: 0064D228
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0064D25E
        • Part of subcall function 00677C33: NtQueryInformationToken.NTDLL(?,00000012,?,00000004,?), ref: 00677C5D
        • Part of subcall function 00677C33: NtQueryInformationToken.NTDLL(?,00000014,?,00000004,?), ref: 00677C83
      • RtlNtStatusToDosError.NTDLL ref: 0064D23A
      Strings
      • base\diagnosis\pdui\atm\main\process.cpp, xrefs: 0064D271
      • %d FAIL: 0x%08x, xrefs: 0064D266
      • WdcProcessMonitor::ProcessSetIsElevated, xrefs: 0064D26C
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Token$ErrorInformationQuery$CloseCurrentHandleLastOpenProcessStatusThread
      • String ID: %d FAIL: 0x%08x$WdcProcessMonitor::ProcessSetIsElevated$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 876866777-4197462289
      • Opcode ID: 181ef5fa05a056d1ea779c0a2a0243dcd2e00ce6a3a80006ba08d2692c46ceeb
      • Instruction ID: d35a8b83a2bebbf83435d1f640634e031faa2b9e5b2a75d57685a81aa58261f4
      • Opcode Fuzzy Hash: 181ef5fa05a056d1ea779c0a2a0243dcd2e00ce6a3a80006ba08d2692c46ceeb
      • Instruction Fuzzy Hash: D721B932D40165ABCB208ADACC44AEFBBAAAF91760B154256EE14E7350D670DE01D7D0
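The block above is the one worth reading closely: OpenProcessToken is called with DesiredAccess 00000008 (TOKEN_QUERY) and the subcall then asks NtQueryInformationToken for information classes 00000012 (18, TokenElevationType) and 00000014 (20, TokenElevation), each with a 4-byte buffer. That is a process-elevation check, and it is the kind of pattern worth extracting mechanically rather than by eye. The following parser is an added example written for this page, not Joe Sandbox code and not from the analysed sample; it reads the APIs and Strings entries in the layout the report uses (the embedded sample text is the ProcessSetIsElevated block above, reduced to those two sections), decodes the hex arguments, and flags the elevation-check sequence. The constant names TOKEN_QUERY, TokenElevationType and TokenElevation are the Win32 values; everything else (the dataclasses, the rule name) is this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Win32 constants (TOKEN_INFORMATION_CLASS and the TOKEN_QUERY access right).
TOKEN_QUERY = 0x0008
TOKEN_INFO_CLASS = {18: "TokenElevationType", 20: "TokenElevation"}

# Sample input: the ProcessSetIsElevated block from this report, APIs and
# Strings sections only. Addresses are the ones shown on the page.
SAMPLE_BLOCK = r"""
APIs
• OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000008,?,?,?,?,?,?,?), ref: 0064D1C1
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0064D1CB
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?,?,?,?,?,?), ref: 0064D228
• GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0064D25E
  • Part of subcall function 00677C33: NtQueryInformationToken.NTDLL(?,00000012,?,00000004,?), ref: 00677C5D
  • Part of subcall function 00677C33: NtQueryInformationToken.NTDLL(?,00000014,?,00000004,?), ref: 00677C83
• RtlNtStatusToDosError.NTDLL ref: 0064D23A
Strings
• base\diagnosis\pdui\atm\main\process.cpp, xrefs: 0064D271
• %d FAIL: 0x%08x, xrefs: 0064D266
• WdcProcessMonitor::ProcessSetIsElevated, xrefs: 0064D26C
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                       # int for 8-digit hex, None for '?', else raw str
    ref: int                         # address of the call site
    subcall_of: Optional[int] = None  # callee address for "Part of subcall function" lines


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)


# "Name.Module(args), ref: ADDR" with an optional "Part of subcall function X: " prefix.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([^.\s]+)\.([^( ]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
STR_RE = re.compile(r"^\s*•\s*(.*), xrefs: ([0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")


def parse_arg(tok: str):
    """Decode one stack-snapshot argument as the report prints it."""
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_RE.match(tok):
        value = int(tok.lstrip("-"), 16)
        return -value if tok.startswith("-") else value
    return tok  # string pointers are printed as the string itself


def parse_block(text: str) -> FunctionBlock:
    block, section = FunctionBlock(), None
    for line in text.splitlines():
        head = line.strip()
        if head in ("APIs", "Strings"):
            section = head
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            sub, name, module, args, ref = m.groups()
            block.apis.append(ApiCall(
                name=name, module=module,
                args=[parse_arg(a) for a in args.split(",")] if args else [],
                ref=int(ref, 16),
                subcall_of=int(sub, 16) if sub else None))
        elif section == "Strings" and (m := STR_RE.match(line)):
            block.strings.append((m.group(1), int(m.group(2), 16)))
    return block


def find_elevation_check(block: FunctionBlock) -> list:
    """Names of the elevation-related token classes queried, if the block opens a
    process token with TOKEN_QUERY and then calls NtQueryInformationToken on them."""
    opens_token = any(c.name == "OpenProcessToken" and len(c.args) > 1
                      and c.args[1] == TOKEN_QUERY for c in block.apis)
    classes = sorted({c.args[1] for c in block.apis
                      if c.name == "NtQueryInformationToken"
                      and len(c.args) > 1 and c.args[1] in TOKEN_INFO_CLASS})
    return [TOKEN_INFO_CLASS[k] for k in classes] if opens_token and classes else []


if __name__ == "__main__":
    blk = parse_block(SAMPLE_BLOCK)
    for call in blk.apis:
        print(f"{call.ref:08X} {call.name}.{call.module} {call.args}")
    print("elevation check:", find_elevation_check(blk))
```

Argument positions follow the callee's prototype: for OpenProcessToken the second value is DesiredAccess, for NtQueryInformationToken it is TokenInformationClass and the fourth is the buffer length. Values the sandbox could not resolve are printed as `?`, so the parser keeps them as None rather than guessing; a rule that needs a specific argument must tolerate that.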
      APIs
      • ?GetRootRelativeBounds@Element@DirectUI@@QAEJPAUtagRECT@@@Z.DUI70(?,00000000,?,02EEFDD8,00000000,00000003), ref: 00653325
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00653332
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0065336C
      • ?GetRootRelativeBounds@Element@DirectUI@@QAEJPAUtagRECT@@@Z.DUI70(-0000002C), ref: 0065338F
      • MapWindowPoints.USER32(00000000), ref: 006533DC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Bounds@CurrentDirectElement@RelativeRootT@@@ThreadUtag$PointsWindow
      • String ID: %d FAIL: 0x%08x$DUI_GetElementBounds$base\diagnosis\pdui\atm\main\utils.cpp
      • API String ID: 1152628651-2798366623
      • Opcode ID: 75a0b56d718b38a5479477fff589bc8cc91edb49a93da6388697b76c394bc0a4
      • Instruction ID: 5bed606e23f69ba5ed1f906284f3e9e7155e840088e5f3787fbd5ddcd82e6531
      • Opcode Fuzzy Hash: 75a0b56d718b38a5479477fff589bc8cc91edb49a93da6388697b76c394bc0a4
      • Instruction Fuzzy Hash: CD31BF71A0071AAFCB109FA5DC85DAEBBFAFB48711F00542DE946D7341DB30AD458B90
      APIs
      • GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000104,00000000,?), ref: 006093B4
      • wcsstr.MSVCRT ref: 006093E8
      • wcsstr.MSVCRT ref: 006093FE
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0063E7BA
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005), ref: 0063E7E1
      Strings
      • AtmDiskView::FindSystemDrive, xrefs: 0063E7F2
      • %d FAIL: 0x%08x, xrefs: 0063E7E8
      • base\diagnosis\pdui\atm\main\diskview.cpp, xrefs: 0063E7F7
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: wcsstr$CurrentDirectoryErrorLastSystemThread
      • String ID: %d FAIL: 0x%08x$AtmDiskView::FindSystemDrive$base\diagnosis\pdui\atm\main\diskview.cpp
      • API String ID: 3764754629-1963488669
      • Opcode ID: 3505a850abd2fb787884acaf9f290930aaee006477e3067ba104be700d468292
      • Instruction ID: 76d8f4a9b04ce541fa31101411059eb8c346010345e8803b1e9a32f35287589d
      • Opcode Fuzzy Hash: 3505a850abd2fb787884acaf9f290930aaee006477e3067ba104be700d468292
      • Instruction Fuzzy Hash: 6D210736640219BBD7248FA89C057ABB7BBFF04310F15126AE805D36D1DB74AC41CBE4
      APIs
        • Part of subcall function 005E796F: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,005C0000,?), ref: 005E79CF
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,80000000,80000000,80000000,80000000,80000000,00000000), ref: 00643389
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,?,?,?,?,?,?,?,?,?,006452CD,00000008), ref: 006433A6
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,80000000,80000000,80000000,80000000,80000000,00000000), ref: 006433D4
      • SendMessageW.USER32(000000FF,00000418,00000000,000000C8), ref: 00643401
      Strings
      • tooltips_class32, xrefs: 00643367
      • base\diagnosis\pdui\atm\main\monitor.cpp, xrefs: 006433BC
      • WdcMonitor::GetTooltipWnd, xrefs: 006433B7
      • %d FAIL: 0x%08x, xrefs: 006433AD
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ErrorLast$CreateCurrentMessageSendThreadWindow
      • String ID: %d FAIL: 0x%08x$WdcMonitor::GetTooltipWnd$base\diagnosis\pdui\atm\main\monitor.cpp$tooltips_class32
      • API String ID: 928980288-844689950
      • Opcode ID: f22418cab81360e83b683433301fecf088a266d73e0636c684109d1522043396
      • Instruction ID: 2845c66d73960459a5e3dd665063362e9efeacfeabebb987cab688ab59c5ae92
      • Opcode Fuzzy Hash: f22418cab81360e83b683433301fecf088a266d73e0636c684109d1522043396
      • Instruction Fuzzy Hash: 1A11E671780263BBE7215B658C49FBA699BFB50755F001229F914C6391DF20DD0197B1
      APIs
      • StrToID.DUI70(00000001,?,?,?,00000000), ref: 005FB0B3
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,00000000), ref: 005FB0BF
      • ?SetID@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,?,00000000), ref: 005FB0D8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003,?,?,?,00000000), ref: 0063A7EC
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000), ref: 0063A800
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentDirectElement@Thread$Descendent@FindV12@
      • String ID: %d FAIL: 0x%08x$AtmBaseView::FindAndSetElementID$base\diagnosis\pdui\atm\main\baseview.cpp
      • API String ID: 2332497298-3800473150
      • Opcode ID: d75c3b5dd61eb1a792e9975628adcd3e87207c62c98ed1b002ae793182688d1f
      • Instruction ID: 8d450ad096883fdda23eba61b8c9e16e56d3ece11d3b519d5fe404d0ada3eb02
      • Opcode Fuzzy Hash: d75c3b5dd61eb1a792e9975628adcd3e87207c62c98ed1b002ae793182688d1f
      • Instruction Fuzzy Hash: 0911E576A00319BBDB20AFA49C09EEF3B6EEB48710F441159FD85E3281DB7499509BA1
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000208), ref: 006001BB
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 006001C2
        • Part of subcall function 005FE60F: ??0CCListView@DirectUI@@QAE@XZ.DUI70 ref: 005FE61A
        • Part of subcall function 005FE60F: _ftol2_sse.MSVCRT ref: 005FE6E3
      • ?Initialize@CCListView@DirectUI@@QAEJIPAVElement@2@PAK@Z.DUI70(00000003,?,?), ref: 006001DD
      • ?Destroy@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001,?,?), ref: 006001ED
      • ?GetID@Element@DirectUI@@QAEGXZ.DUI70(?,?), ref: 006001FB
      • StrToID.DUI70(servicestab_tables,?,?), ref: 00600209
      • ?SetWinStyle@CCBase@DirectUI@@QAEJH@Z.DUI70(5000004C), ref: 0060022A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@HeapListView@$AllocBase@Destroy@Element@2@Initialize@ProcessStyle@_ftol2_sse
      • String ID: servicestab_tables
      • API String ID: 2254318444-1060200909
      • Opcode ID: d2622ab05e1f48e1723fbb51e2532429ab1a08eb9c2b2a79738f001d2c123abb
      • Instruction ID: 5526fe75a90b3be22525d86ac9fc77a55f3a1ea32383bd221642f933301ae83c
      • Opcode Fuzzy Hash: d2622ab05e1f48e1723fbb51e2532429ab1a08eb9c2b2a79738f001d2c123abb
      • Instruction Fuzzy Hash: 9701A136380345BBE7195B94A84CB7F3A6BFB89B11F046218FA1A8B3A1CB758D018750
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005E5908), ref: 006042D4
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005E5908), ref: 006042DB
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005E5908), ref: 006042FA
      • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005E5908), ref: 00604301
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,005E5908), ref: 00604339
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,005E5908), ref: 00604340
      • DestroyIcon.USER32(00000000,?,?,?,?,005E5908), ref: 00604357
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,005E5908), ref: 00604377
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,005E5908), ref: 0060437E
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$Process$Free$DestroyIconSize
      • String ID:
      • API String ID: 1867346565-0
      • Opcode ID: c7a4c774d90fd741bb7f309e624777b95f115a78277a5abaae3a14f729f32969
      • Instruction ID: e6900940eeb6f31f71b21d1a4c71583b113b4e5d7d468f00306ed1e556526e5c
      • Opcode Fuzzy Hash: c7a4c774d90fd741bb7f309e624777b95f115a78277a5abaae3a14f729f32969
      • Instruction Fuzzy Hash: 1F3180B6340701EBD73C8F65C898B67B7EBEB94706F14A62CE606C7690DF7098028B50
      APIs
      • memset.MSVCRT ref: 005EF0D8
      • SysFreeString.OLEAUT32(?), ref: 005EF399
      • SysAllocString.OLEAUT32(?), ref: 005EF3B0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 005EF3BF
      Strings
      • base\diagnosis\pdui\atm\main\inline.cpp, xrefs: 005EF3D2
      • ATMAssignString, xrefs: 005EF3CD
      • %d FAIL: 0x%08x, xrefs: 005EF3C6
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$AllocCurrentFreeThreadmemset
      • String ID: %d FAIL: 0x%08x$ATMAssignString$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 47896159-2229420436
      • Opcode ID: 228e62883ecb6c3e3e93b8a9fd668560f74e1c50d9db41905312ec3ecc4c0c2b
      • Instruction ID: 4584325d8016624e0978e8b608361cdf4974b5086762a77d6bdb9467054fd5e6
      • Opcode Fuzzy Hash: 228e62883ecb6c3e3e93b8a9fd668560f74e1c50d9db41905312ec3ecc4c0c2b
      • Instruction Fuzzy Hash: CBE18FB1E00A56DBCB2A6F11D9887D5BFF4FB05380F2189E8D1DA62194EF3159A4CF84
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000,?,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0062D34C
        • Part of subcall function 00617634: malloc.MSVCRT ref: 0061764C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,00000000,?,?,base\diagnosis\pdui\atm\main\applications.cpp,00000000,?,?,?,?,00000000,00000001,base\diagnosis\pdui\atm\main\applications.cpp), ref: 0062D294
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,-FFFFFBB0,00000001), ref: 0062D49B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000,00000003,?,?,?,?,00000000,00000000,?,?,base\diagnosis\pdui\atm\main\applications.cpp,00000000), ref: 0062D53D
        • Part of subcall function 005EDDF9: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000001,?,0061E581,00625FFC,?,00000000,?,?,?,?,?,00625FFC,?,?,?,00000000), ref: 005EDE08
        • Part of subcall function 00648C48: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007EBC,00007EBD,00007EBE,?), ref: 00648E30
        • Part of subcall function 00648C48: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00648E37
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$Heap$CriticalEnterFreeProcessSectionmalloc
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::_HandleEndTask$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 2526143064-1135706197
      • Opcode ID: 19e97b867d81386482c3054526af68d37eb6567878701b3c06620a92191c11d3
      • Instruction ID: 8f224230c96a7c91b35581c875af834826e0076ea4df3b217300d21d597a0e1f
      • Opcode Fuzzy Hash: 19e97b867d81386482c3054526af68d37eb6567878701b3c06620a92191c11d3
      • Instruction Fuzzy Hash: 2291E431E00A2AAFDB05DFA4DC459FEBBB6FF48304F144168E945AB241DB319D52CBA4
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?), ref: 0066E2C2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcStartupMonitor::DisableItem$base\diagnosis\pdui\atm\main\startup.cpp
      • API String ID: 2882836952-724207521
      • Opcode ID: 69c99e08a05fa1a3c46ac627785ff7a1686159e1a80e4329bf500d8b2ec9ce4e
      • Instruction ID: 7cb855fb73effeaf4dd1a1b9c98bd0f055aca38822c4f15ccf8c05d1a6131adc
      • Opcode Fuzzy Hash: 69c99e08a05fa1a3c46ac627785ff7a1686159e1a80e4329bf500d8b2ec9ce4e
      • Instruction Fuzzy Hash: F351F575A00605DBDF149F64D886ABE7BB3FF84700F15406EE809AB342DF329985CBA1
      APIs
      • StrToID.DUI70(005D5C2C), ref: 0060634C
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 00606359
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(0067B3F8), ref: 006064C3
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(0067B3F8), ref: 006064CD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$ContentDescendent@FindName@String@V12@
      • String ID: base\diagnosis\pdui\atm\main\cpuview.cpp
      • API String ID: 523764757-3794436693
      • Opcode ID: f99bafd8269a207e996da1311bb11b0fb4e9afb995abcf97da94613b8dac2ef9
      • Instruction ID: c7343262555057c8747dc1d5d8f32b107070f022188a0a266a3f4c5b30b9226f
      • Opcode Fuzzy Hash: f99bafd8269a207e996da1311bb11b0fb4e9afb995abcf97da94613b8dac2ef9
      • Instruction Fuzzy Hash: 6A51AF31A41625EBCB28CF24D944BAF7AA3EF44710F15916AFC09AB381CB749D119BD1
      APIs
      • LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,000000A0,00000000,?,00000000,?,00659554,005C9F80,005C9FB4,005C9F80,base\diagnosis\pdui\atm\main\cpuview.cpp), ref: 006252EE
      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,00000000,?,00659554,005C9F80,005C9FB4,005C9F80,base\diagnosis\pdui\atm\main\cpuview.cpp), ref: 00625467
      • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,00000000,?,00659554,005C9F80,005C9FB4,005C9F80,base\diagnosis\pdui\atm\main\cpuview.cpp), ref: 0062546E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Local$Free$Alloc
      • String ID: base\diagnosis\pdui\atm\main\cpuview.cpp
      • API String ID: 3098330729-3794436693
      • Opcode ID: 1b03cfe1921f9a064f6642dc177eefd251799b62bf63f4e13a24910ce250b7fc
      • Instruction ID: 7a94141dd3a4ab806f48ee7aa79384aacbf83d28745db4a7ea40f303c09ae97a
      • Opcode Fuzzy Hash: 1b03cfe1921f9a064f6642dc177eefd251799b62bf63f4e13a24910ce250b7fc
      • Instruction Fuzzy Hash: 0351A274B00A15AFD720DF99D8C5AAEBBF6EF48311F108169EA069B382CB749D41CF50
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000470,00000000,?,?,005F27D8,00000000), ref: 005F60E0
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,005F27D8,00000000), ref: 005F60E7
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005F27D8,00000000), ref: 005F60F8
      • memset.MSVCRT ref: 005F612E
      Strings
      • WdcApplicationsMonitor::CreateEntry, xrefs: 005F6109
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 005F610E
      • %d FAIL: 0x%08x, xrefs: 005F60FF
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentProcessThreadmemset
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::CreateEntry$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 1983401886-2143304187
      • Opcode ID: e76105dc30e68e4984aa5e4539dac6f75eb85a573d2eb84fa4a14305fd6a9310
      • Instruction ID: 48b3105f3738fd4f795cfd5d9df2bd32fc4befeddeed359d435132bbbfbd62ef
      • Opcode Fuzzy Hash: e76105dc30e68e4984aa5e4539dac6f75eb85a573d2eb84fa4a14305fd6a9310
      • Instruction Fuzzy Hash: B671F5B1501B04CFD366CF74C484B92BBE4FF08304F518A6ED6AE9B251EBB5A584CB58
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066311C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$TmScrollViewerSelectionPatternProxy::DoMethod$base\diagnosis\pdui\atm\main\atmacc.cpp
      • API String ID: 2882836952-207285681
      • Opcode ID: 08bd3c070c3c79a3da668c6ec27556c86683e338724b74f6445344bb76edb090
      • Instruction ID: 9cdec23d666a2cb47842f834b3ba8f89e2232f34bc0a6dc0ff1cd1b9470bc842
      • Opcode Fuzzy Hash: 08bd3c070c3c79a3da668c6ec27556c86683e338724b74f6445344bb76edb090
      • Instruction Fuzzy Hash: 1041CD72A40226ABCB11DB99CC52DAEFFBAEF52710F054159E901AB351CB70AF01CB90
      APIs
      • ?StartDefer@Element@DirectUI@@QAEXPAK@Z.DUI70(?,?,?,?), ref: 0066A21B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 0066A2A7
      • ?EndDefer@Element@DirectUI@@QAEXK@Z.DUI70(?,?,?,?,?,?,?), ref: 0066A2D8
      • ?EndDefer@Element@DirectUI@@QAEXK@Z.DUI70(?,?,?,?,?), ref: 0066A2FB
      Strings
      • AtmView::_UpdateSortOnSelectedColumnHeader, xrefs: 0066A2B8
      • %d FAIL: 0x%08x, xrefs: 0066A2AE
      • base\diagnosis\pdui\atm\main\view.cpp, xrefs: 0066A2BD
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Defer@DirectElement@$CurrentStartThread
      • String ID: %d FAIL: 0x%08x$AtmView::_UpdateSortOnSelectedColumnHeader$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 3649675080-2454622148
      • Opcode ID: 5bc2457f90ec62aa1be0edd500acfeebb602808a31bf4152d383e684e7a9e032
      • Instruction ID: 453b906dd2b953d272d071f1c336b7a7e3dbd8452532e3fd5bac066a89abf35d
      • Opcode Fuzzy Hash: 5bc2457f90ec62aa1be0edd500acfeebb602808a31bf4152d383e684e7a9e032
      • Instruction Fuzzy Hash: 34411431544381AFCB21DFA4C8546AABBE7BF85300F08951EE895A3351DB319945CFA3
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006771FB
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0067725A
      • _ftol2_sse.MSVCRT ref: 006772A4
      • _ftol2_sse.MSVCRT ref: 006772E3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread_ftol2_sse
      • String ID: %d FAIL: 0x%08x$CpuHeatMap::GetCpuUsageData$base\diagnosis\pdui\atm\main\cpuheatmap.cpp
      • API String ID: 1690794121-1437082059
      • Opcode ID: 7a48cf7745aad7fd2bfcd0a88bcf941388905eb359117515a32334c82db9dbf0
      • Instruction ID: 1a29545832cd721e0c391bab0f33a11471918703e8a7f956511a5f1c7d32c66c
      • Opcode Fuzzy Hash: 7a48cf7745aad7fd2bfcd0a88bcf941388905eb359117515a32334c82db9dbf0
      • Instruction Fuzzy Hash: 25412A71A04615EBCB11EF54E848B9D7BB5FF45340F11408AF995A7392DB309E24CB91
      APIs
        • Part of subcall function 005EDDF9: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000001,?,0061E581,00625FFC,?,00000000,?,?,?,?,?,00625FFC,?,?,?,00000000), ref: 005EDE08
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0061E416
        • Part of subcall function 006200E5: PdhCollectQueryData.PDH(?,00000000,00000000), ref: 00620112
        • Part of subcall function 006200E5: wprintf_s.MSVCRT ref: 0062012B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003), ref: 0061E44B
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000), ref: 0061E46C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000), ref: 0061E48D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$CollectCriticalDataEnterQuerySectionwprintf_s
      • String ID: %d FAIL: 0x%08x$WdcGpuMonitor::Query$base\diagnosis\pdui\atm\main\gpu.cpp
      • API String ID: 4269204345-2717095022
      • Opcode ID: edd33b46a56f1b061cd4f1fdac33a9857aea5d8c5e7d9897378be3d123ae3c59
      • Instruction ID: fba2b95f8c85419f6ce22036d97b7739a7a6964b3f49fd69cc417c144965562f
      • Opcode Fuzzy Hash: edd33b46a56f1b061cd4f1fdac33a9857aea5d8c5e7d9897378be3d123ae3c59
      • Instruction Fuzzy Hash: AD314831740722ABD710AFA0E885EE9BBA6FF50710F040568FC8593681CB71DC9487D6
      APIs
      • memset.MSVCRT ref: 0064845E
        • Part of subcall function 00643335: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,80000000,80000000,80000000,80000000,80000000,00000000), ref: 00643389
        • Part of subcall function 00643335: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,?,?,?,?,?,?,?,?,?,?,?,?,006452CD,00000008), ref: 006433A6
      • SendMessageW.USER32(00000000), ref: 00648499
      • SendMessageW.USER32(?,00000433,00000000,00000030), ref: 006484D5
      • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 006484F6
      • SendMessageW.USER32(?,00001207,00000000,?), ref: 0064853A
      • SendMessageW.USER32(00000010,00000432,00000000,00000030), ref: 00648554
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: MessageSend$CurrentErrorLastThreadmemset
      • String ID: 0
      • API String ID: 1632937475-4108050209
      • Opcode ID: 799660b4d1b1ee64ccfe1ead816723701e1bb23e3d65065ab3f3b6784730c4ec
      • Instruction ID: fcc5ec825a60c427babda14edcabb6ef874e43b6cbb0a29e6cad63ad67781f8c
      • Opcode Fuzzy Hash: 799660b4d1b1ee64ccfe1ead816723701e1bb23e3d65065ab3f3b6784730c4ec
      • Instruction Fuzzy Hash: 8F317F71604311AFE754CF18CC45B9F7BE9EB88710F041A29B999DB282CB70DA05CBA6
      APIs
      • StrToID.DUI70(?,?,00000000), ref: 00663332
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0066336A
        • Part of subcall function 00663884: memmove.MSVCRT(00000038,00000034,80000000,00000000,00000000,00000000,80000000,?,006633AF,80000000,00000033), ref: 00663911
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,80000000,00000033), ref: 006633C3
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000), ref: 006633F0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$memmove
      • String ID: %d FAIL: 0x%08x$GetColumnHeaderItemByID$base\diagnosis\pdui\atm\main\atmacc.cpp
      • API String ID: 611251561-2782448803
      • Opcode ID: eef65dd592412bf71452949c2d384899389cf53c0ef01fda9fdb9b272e5b9f63
      • Instruction ID: a134fbcaaa8b038851970373f17c97a49e5310a94a869db17b974a970c59a28e
      • Opcode Fuzzy Hash: eef65dd592412bf71452949c2d384899389cf53c0ef01fda9fdb9b272e5b9f63
      • Instruction Fuzzy Hash: 7D31A132A0022AEFC715EB94C806AAEBBB6FF10710F554159E945B7391DF709F018BE1
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,000003E0,00000004,?,?,?,?,?,005FCE12,00000000,?,?,?), ref: 00600263
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,005FCE12,00000000,?,?,?), ref: 0060026A
      • memset.MSVCRT ref: 00600281
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,005FCE12,00000000,?,?,?), ref: 0063C3D2
      Strings
      • base\diagnosis\pdui\atm\main\session.cpp, xrefs: 0063C3E8
      • %d FAIL: 0x%08x, xrefs: 0063C3D9
      • WdcUserMonitor::CreateEntry, xrefs: 0063C3E3
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentProcessThreadmemset
      • String ID: %d FAIL: 0x%08x$WdcUserMonitor::CreateEntry$base\diagnosis\pdui\atm\main\session.cpp
      • API String ID: 1983401886-2600662040
      • Opcode ID: cee056f44b4840f1d42c8f097e67578432a4ecce9eb91d24704d41b6be0e4988
      • Instruction ID: 39c31adc1a1b3c61be8f488cffe4bddb4287b388186d7ee1779a0c8163d6036c
      • Opcode Fuzzy Hash: cee056f44b4840f1d42c8f097e67578432a4ecce9eb91d24704d41b6be0e4988
      • Instruction Fuzzy Hash: D54168B0500B44DFE325CF64C885B86BFE9FF08710F105A2EE5EA9B651D7B1AA40CB54
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00000000,?,?,?,00648139,?,?,?,?,00000000,00000002), ref: 0064C16D
      • _ftol2.MSVCRT ref: 0064C17D
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,?,?,?,00648139,?,?,?,?,00000000,00000002), ref: 0064C194
      Strings
      • WdcProcessMonitor::GetProcessPriority, xrefs: 0064C1A5
      • base\diagnosis\pdui\atm\main\process.cpp, xrefs: 0064C1AA
      • %d FAIL: 0x%08x, xrefs: 0064C19B
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalCurrentEnterSectionThread_ftol2
      • String ID: %d FAIL: 0x%08x$WdcProcessMonitor::GetProcessPriority$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 2353905074-2295317342
      • Opcode ID: a3319849fca204158452faefde67f29e0f8fd3d502cf10b863cc27c31e48ec74
      • Instruction ID: b7d5a436e13726dcc4dbd89163fd131e8302645011e5b4707c9fb11f0c554f54
      • Opcode Fuzzy Hash: a3319849fca204158452faefde67f29e0f8fd3d502cf10b863cc27c31e48ec74
      • Instruction Fuzzy Hash: F421C471141206FBD7949FA8C818BA67EE6FB49320F24412AE585D7341DBF59A42CB50
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(-8006FF3B,00000000,?,00000000,00608E03), ref: 0060902D
        • Part of subcall function 00609429: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00609467
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000,?,00000000,00608E03), ref: 0060906C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006090AD
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,00000000,?,00000000,00608E03), ref: 006090C1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$Unothrow_t@std@@@__ehfuncinfo$??2@
      • String ID: %d FAIL: 0x%08x$AtmDiskView::InitializeDiskList$base\diagnosis\pdui\atm\main\diskview.cpp
      • API String ID: 1099167795-4132822483
      • Opcode ID: a2fc56cf27a70172711520f5e975b4454d7ed542ada099200278f72b4c83dc69
      • Instruction ID: 1fc80c01284c04395f3b0743f08e1e86e9402513bfe08b0b70ecd9103e042265
      • Opcode Fuzzy Hash: a2fc56cf27a70172711520f5e975b4454d7ed542ada099200278f72b4c83dc69
      • Instruction Fuzzy Hash: 90212332B81621BBC32D52A49C85FBBAA1BAB54714F05031EF807976C2DBA19C0187F1
      APIs
      • memset.MSVCRT ref: 005E21EC
      • Shell_NotifyIconW.SHELL32(00000002,?), ref: 005E2217
      • LoadStringW.USER32(00007EA4,?,00000080), ref: 005E223A
      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 005E225D
      • Shell_NotifyIconW.SHELL32(00000002,?), ref: 005E2278
      • DestroyWindow.USER32(?,?,?,?), ref: 005E2281
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: IconNotifyShell_$DestroyLoadStringWindowmemset
      • String ID: TrayiconMessageWindow
      • API String ID: 1593413056-1913090498
      • Opcode ID: f43fefe52142016ab18f61c2c545a893c1cad679e9bed56d511790ac9e56b1cb
      • Instruction ID: a22be9b0cffaa71070d3b676527b101ad3ab5c79e5bcf7075f6a34dddc9fe396
      • Opcode Fuzzy Hash: f43fefe52142016ab18f61c2c545a893c1cad679e9bed56d511790ac9e56b1cb
      • Instruction Fuzzy Hash: DC216DB1A05328EFE7259F559C85BA9BBBDFB08704F0011A9EA09E6251DB709E408F84
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000060,00000000,00000000,00000000,?,006716AF,006742EC), ref: 006720C8
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,006716AF,006742EC), ref: 006720CF
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,006716AF,006742EC), ref: 006720E1
      • memset.MSVCRT ref: 0067210A
      Strings
      • WdcAppHistoryMonitor::_CreateApplicationEntry, xrefs: 006720F2
      • %d FAIL: 0x%08x, xrefs: 006720E8
      • base\diagnosis\pdui\atm\main\apphistorymonitor.cpp, xrefs: 006720F7
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentProcessThreadmemset
      • String ID: %d FAIL: 0x%08x$WdcAppHistoryMonitor::_CreateApplicationEntry$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp
      • API String ID: 1983401886-3181170337
      • Opcode ID: 7ee36bc27b2d1e0b2b70c469cb0226c64e0478dbd38221d6c5b9f7c0511fd800
      • Instruction ID: 69379eab6b33b773291cbd47ca8c72e28ca21e17babf61b4aca66a5a344e7d50
      • Opcode Fuzzy Hash: 7ee36bc27b2d1e0b2b70c469cb0226c64e0478dbd38221d6c5b9f7c0511fd800
      • Instruction Fuzzy Hash: 18219FB1541744AFC320CF65C845A93BFF9FF85714B04466EE99ACB752E771A801CBA0
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000090), ref: 00600392
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00600399
      • memset.MSVCRT ref: 006003B0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E), ref: 0063C400
      Strings
      • base\diagnosis\pdui\atm\main\trayicon.cpp, xrefs: 0063C416
      • WdcTrayIconMonitor::CreateEntry, xrefs: 0063C411
      • %d FAIL: 0x%08x, xrefs: 0063C407
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentProcessThreadmemset
      • String ID: %d FAIL: 0x%08x$WdcTrayIconMonitor::CreateEntry$base\diagnosis\pdui\atm\main\trayicon.cpp
      • API String ID: 1983401886-366942423
      • Opcode ID: d20facaa36034d9f842d73137087b5caa56170a5054d6eed9b99615949a36d55
      • Instruction ID: 0b67fc1f3730d73ffb30fe69e773d54924dd0f4c708b4eafb612af77bf9e2522
      • Opcode Fuzzy Hash: d20facaa36034d9f842d73137087b5caa56170a5054d6eed9b99615949a36d55
      • Instruction Fuzzy Hash: FD11BEB1500714AFE3308F6AC849E53BFE9FF89B20F00461EE58A9BB51D770A400CBA4
      APIs
      • StrToID.DUI70(chartInfo,?,00000000,?,?,?,00640D68,?,00607044,?,?,?), ref: 0065C502
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00640D68,?,00607044,?,?,?), ref: 0065C50F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00000000), ref: 0065C555
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentDescendent@DirectElement@FindThreadV12@
      • String ID: %d FAIL: 0x%08x$AtmDiskView::LoadDiskChart$base\diagnosis\pdui\atm\main\diskview.cpp$chartInfo
      • API String ID: 971798259-4221445404
      • Opcode ID: 2145540bf280b574204aa45ffc222a1c085ef1f2e8cc6790772efdd0d3b34959
      • Instruction ID: 529bcbbae0aea57d7142ab38e50cace731fab78a89f5a941a0d7f7b86fa3ad22
      • Opcode Fuzzy Hash: 2145540bf280b574204aa45ffc222a1c085ef1f2e8cc6790772efdd0d3b34959
      • Instruction Fuzzy Hash: 7A01DD31600304BFCB149B95DCC9DBA7BABEB84722F14107AFC499B341EB74AD1997A0
      APIs
      • SysAllocString.OLEAUT32(00000000), ref: 006060CD
      • SysFreeString.OLEAUT32(00000000), ref: 0063E32A
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,00605F6E,00000000,0000000C,?,00000000,?,?,?,?,?), ref: 0063E33D
      • SysFreeString.OLEAUT32(00000000), ref: 0063E367
      Strings
      • base\diagnosis\pdui\atm\main\inline.cpp, xrefs: 0063E350
      • ATMAssignString, xrefs: 0063E34B
      • %d FAIL: 0x%08x, xrefs: 0063E344
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$Free$AllocCurrentThread
      • String ID: %d FAIL: 0x%08x$ATMAssignString$base\diagnosis\pdui\atm\main\inline.cpp
      • API String ID: 3091281111-2229420436
      • Opcode ID: da1b63e85decfe5d7aa625534386ce3f97e67fa5f5bf93bf1b60a2e465df02c1
      • Instruction ID: 45db560a8990e852500aebb27c28c9c8326d1a4bcf62d52a249253c39e9e8415
      • Opcode Fuzzy Hash: da1b63e85decfe5d7aa625534386ce3f97e67fa5f5bf93bf1b60a2e465df02c1
      • Instruction Fuzzy Hash: B201D171280316BFEB241F95DC44D9ABF6AFF28B25B244225F50592291D7B148A1CBE0
      APIs
      • IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000015,00000000,00000000,00000000), ref: 0060D1E4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: FeaturePresentProcessor
      • String ID: Auth$Microsoft Hv$ntelineI
      • API String ID: 2325560087-3534065741
      • Opcode ID: 052e2f8590b9d05e82ae308f023415c34e22282556d7b345de87055641ba6c68
      • Instruction ID: b39d62e3cda1f88fcfaab19ba97bde457fa0e35e64ee82b15786e0d67af6edea
      • Opcode Fuzzy Hash: 052e2f8590b9d05e82ae308f023415c34e22282556d7b345de87055641ba6c68
      • Instruction Fuzzy Hash: B551B171A48616AFDB19CFA9C8816AAF7F6FF14314F20C66ED41BE7280D7319911CB90
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(-80070057,00000000,?,00000001,00000000,00000000,?,00600FE0,00000000,00000000,?,?,?,00000000), ref: 0063C812
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$TmProcessorFrequency::_InitProcessorInfo$base\diagnosis\pdui\atm\main\cpu.cpp
      • API String ID: 2882836952-857637553
      • Opcode ID: 24947a33dee950138961152408ca44de2315435ace819bb2b92bbca9b9394ae1
      • Instruction ID: a9d36a6045df8e044d17b370e1181ca5083cb9b4626f07f0572de009f32b3580
      • Opcode Fuzzy Hash: 24947a33dee950138961152408ca44de2315435ace819bb2b92bbca9b9394ae1
      • Instruction Fuzzy Hash: 214125757C53129BD72C4A799CC1BEB7A8A9F16B10F18522CB912DB7C1EAB4CD058390
      APIs
        • Part of subcall function 006293EC: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000004,?,?,80004005,?,?,?,?,?,?,?,?,0062929B,00000005,?), ref: 00629417
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000005,?,?,006247E5,00000000,?,00000000,?), ref: 006292A2
      • _ftol2.MSVCRT ref: 00629314
      • _ftol2.MSVCRT ref: 00629369
      Strings
      • base\diagnosis\pdui\atm\main\memoryview.cpp, xrefs: 006292B8
      • AtmMemoryView::GetCurrentUsagePercent, xrefs: 006292B3
      • %d FAIL: 0x%08x, xrefs: 006292A9
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread_ftol2
      • String ID: %d FAIL: 0x%08x$AtmMemoryView::GetCurrentUsagePercent$base\diagnosis\pdui\atm\main\memoryview.cpp
      • API String ID: 2722173181-724833885
      • Opcode ID: 202a3104307ef96ba06c2de701a0665fe61207efb58448dc74003ebd5ba65ef8
      • Instruction ID: 2cc2532e370777ab7b898a882573f64ac951e95cfa367ac53599d58b27292797
      • Opcode Fuzzy Hash: 202a3104307ef96ba06c2de701a0665fe61207efb58448dc74003ebd5ba65ef8
      • Instruction Fuzzy Hash: 245128B3E00529A2CB01EBD0D9047CDB7F9FB99790F214596D941B22A0FB364E058FE4
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 006174DE
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmView::UpdateParentRow$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 2882836952-218864705
      • Opcode ID: 5b2413ea4b5f4e6c5a7f290197a21fb369b74cb31aab83a07518149452fe9894
      • Instruction ID: 320a096fe84bd1ad293ef744965983f3662202448c254f202dfd7e632e654b5f
      • Opcode Fuzzy Hash: 5b2413ea4b5f4e6c5a7f290197a21fb369b74cb31aab83a07518149452fe9894
      • Instruction Fuzzy Hash: 1E418B7160020ABFCB129F84CC85EFA7BB7FF44310F084169FD059A651DB70AD909B90
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 0065841F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00008703,?,?,?), ref: 0065845F
      Strings
      Similarity
      • API ID: CurrentThread
      • String ID: %.0f$%d FAIL: 0x%08x$AtmBaseView::GetBestFitUnit$base\diagnosis\pdui\atm\main\baseview.cpp
      • API String ID: 2882836952-1196467508
      • Opcode ID: 93541fdea79fd2a5271d5a370b2be8f0eeae5228a8a0ee97ddf38fc096eee41d
      • Instruction ID: d8c2ffb2630f079fd92883bb14803c27f6058cc11e8364d69712e6403b944645
      • Opcode Fuzzy Hash: 93541fdea79fd2a5271d5a370b2be8f0eeae5228a8a0ee97ddf38fc096eee41d
      • Instruction Fuzzy Hash: 0E410471E00228AFDB209F64CC41BAABAB5FF44700F0141D9EA4DA7291DE344D958F90
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,?,?,?,005F16A1), ref: 005EE1B9
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,?,?,?,005F16A1), ref: 005EE251
      Strings
      • WdcDataMonitor::Update, xrefs: 00638484
      • %d FAIL: 0x%08x, xrefs: 0063847A
      • base\diagnosis\pdui\atm\main\data.cpp, xrefs: 00638489
      Similarity
      • API ID: CriticalSection$EnterLeave
      • String ID: %d FAIL: 0x%08x$WdcDataMonitor::Update$base\diagnosis\pdui\atm\main\data.cpp
      • API String ID: 3168844106-2199942355
      • Opcode ID: d98ff813fb5927e79c419641a0d2a992071d4f609dcf3862c5bf0f1cb2fe66d5
      • Instruction ID: 86342acc3922b1bc988c21cd629fe4d541c4b5749e38c7f8c6cf230f8f7027bf
      • Opcode Fuzzy Hash: d98ff813fb5927e79c419641a0d2a992071d4f609dcf3862c5bf0f1cb2fe66d5
      • Instruction Fuzzy Hash: AF41D035A00246AFDB0CDF96C8895BDBBBABF84300B14016EE695A7241CB70AD41CF80
      APIs
        • Part of subcall function 005FB660: ?GetValue@Element@DirectUI@@QAEPAVValue@2@PBUPropertyInfo@2@HPAUUpdateCache@2@@Z.DUI70(HD],00000002,00000000,?,?,005F900D), ref: 005FB66D
        • Part of subcall function 005FB660: ?GetBool@Value@DirectUI@@QAE_NXZ.DUI70(?,005F900D), ref: 005FB677
        • Part of subcall function 005FB660: ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,005F900D), ref: 005FB681
      • TrackPopupMenu.USER32(00000000,00000100,?,?,00000000,00000000,?), ref: 00669167
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,?,00000000), ref: 006691A4
      • DestroyMenu.USER32(?,?,00000000), ref: 00669220
        • Part of subcall function 0066985B: ?GetID@Element@DirectUI@@QAEGXZ.DUI70 ref: 0066987A
        • Part of subcall function 0066985B: StrToID.DUI70(ViewExpandoButtonImage), ref: 0066988C
        • Part of subcall function 0066985B: ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70 ref: 00669899
        • Part of subcall function 0066985B: ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70 ref: 006698A1
        • Part of subcall function 0066985B: ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70 ref: 006698A9
        • Part of subcall function 0066985B: ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70 ref: 006698B1
      Strings
      • AtmView::_HandleRightClickOnViewItem, xrefs: 006691B5
      • %d FAIL: 0x%08x, xrefs: 006691AB
      • base\diagnosis\pdui\atm\main\view.cpp, xrefs: 006691BA
      Similarity
      • API ID: Direct$Element@$Parent@V12@$Value@$Menu$Bool@Cache@2@@CurrentDestroyInfo@2@PopupPropertyRelease@ThreadTrackUpdateValue@2@
      • String ID: %d FAIL: 0x%08x$AtmView::_HandleRightClickOnViewItem$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 797787866-848586360
      • Opcode ID: cc939e58ccad74d0e4944a885f0dae7f9f860b5e4e55e0e2e7feb5fc8d0e9ab5
      • Instruction ID: 710f05276fc6144ea3464b0c8f2e9301847dfa2cbe91157168d0bff684878e0c
      • Opcode Fuzzy Hash: cc939e58ccad74d0e4944a885f0dae7f9f860b5e4e55e0e2e7feb5fc8d0e9ab5
      • Instruction Fuzzy Hash: AC415835A00304FBDB119FA4DC44FAABBBAFB89310F148069E999AB351DB7169109B60
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00602081,?,?,?), ref: 0063CEC5
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00602081,?,?,?), ref: 0063CF02
      Strings
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$MrtCreateOverrideResourceContext$base\diagnosis\pdui\atm\main\mrtutils.cpp
      • API String ID: 2882836952-4000992729
      • Opcode ID: 84becfa1db3a4b244e961f8e53ede67a31f3e9f77a2d0929ff377e2380db7f54
      • Instruction ID: 4b834f19a607785b8f648df3fb0587b604e5f0263d455ab082301f5a6b54b54d
      • Opcode Fuzzy Hash: 84becfa1db3a4b244e961f8e53ede67a31f3e9f77a2d0929ff377e2380db7f54
      • Instruction Fuzzy Hash: 3931D436A40225BFD719DB68CC59FAE7B6AFF48720F14015AF901B7290CB749E018BD0
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,0066E30F,00000001,?,?,00000000), ref: 0066F23C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,0066E30F,00000001,?,?,00000000), ref: 0066F278
      Strings
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$PackagedStartupTask::SetIsDisabled$base\diagnosis\pdui\atm\main\startup.cpp
      • API String ID: 2882836952-3832736486
      • Opcode ID: 6a18337b70bd4fe7d385e321466e331792c10dd014f79bde5ec912fa4e96ee88
      • Instruction ID: 688b21fa1ba34951dbd345431c15015aa509ca90161715b882304abd2018ce31
      • Opcode Fuzzy Hash: 6a18337b70bd4fe7d385e321466e331792c10dd014f79bde5ec912fa4e96ee88
      • Instruction Fuzzy Hash: 5621F276A40224BFCB159B94DC45DAEBFAEEF54710B0502AAF901E7251CB70AE41CFE1
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005EC383
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 005EC3F2
      Strings
      • base\diagnosis\pdui\atm\main\network.cpp, xrefs: 00637FE1
      • %d FAIL: 0x%08x, xrefs: 00637FD2
      • WdcNetworkMonitor::Query, xrefs: 00637FDC
      Similarity
      • API ID: CriticalSection$EnterLeave
      • String ID: %d FAIL: 0x%08x$WdcNetworkMonitor::Query$base\diagnosis\pdui\atm\main\network.cpp
      • API String ID: 3168844106-3628858878
      • Opcode ID: cc90ba95e2594faf62709149018f14a4bf0106bc382cd9ff335c469eb2555e32
      • Instruction ID: 03063593c077fc797abbb5e879c059d86eddb308a8ba32c79ef6cef1934664cd
      • Opcode Fuzzy Hash: cc90ba95e2594faf62709149018f14a4bf0106bc382cd9ff335c469eb2555e32
      • Instruction Fuzzy Hash: CD319771604645EBE728DF65C8899A7FFE9FB84310F10496EE189C2190DBB19D07CB50
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(-8007000E,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00644271
        • Part of subcall function 006759A7: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,-8007000E,?,0064429D,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 006759D6
        • Part of subcall function 006759A7: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,0064429D,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006759F9
        • Part of subcall function 006759A7: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,-8007000E,?,0064429D,00000000,?,?,?,?,?), ref: 00675C29
        • Part of subcall function 006759A7: FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,-8007000E,?,0064429D,00000000,?,?,?,?,?), ref: 00675C3A
      • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006442C9
      • FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006442D7
        • Part of subcall function 00617CB6: __EH_prolog3_catch.LIBCMT ref: 00617CBD
      Strings
      • base\diagnosis\pdui\atm\main\setting.cpp, xrefs: 00644287
      • TmGlobalSettings::GetWlanApiWrapper, xrefs: 00644282
      • %d FAIL: 0x%08x, xrefs: 00644278
      Similarity
      • API ID: FreeLibrary$CurrentThread$ErrorH_prolog3_catchLast
      • String ID: %d FAIL: 0x%08x$TmGlobalSettings::GetWlanApiWrapper$base\diagnosis\pdui\atm\main\setting.cpp
      • API String ID: 4179816064-3609510330
      • Opcode ID: 1abce35fd1ec2d7dba23db19bae4a034c8d2f01577213bb597c5f92dc5399509
      • Instruction ID: 060e8a93b5cd3959c11dfe26caebac27a4abdeb5303c3cfd53e8de854da40f03
      • Opcode Fuzzy Hash: 1abce35fd1ec2d7dba23db19bae4a034c8d2f01577213bb597c5f92dc5399509
      • Instruction Fuzzy Hash: B8210672A10600BF97119F69DC03A6AF7AAEF84720718425EF81C97781EFB0AD00C7E5
      APIs
      • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,00000000,?), ref: 0067324E
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,InstallDate,00000018,00000000,?,00000004,?,00000000,?), ref: 0067327E
      • RtlSecondsSince1970ToTime.NTDLL(?,?), ref: 0067328F
      • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00000000,00000000,?,00000000,?), ref: 006732EF
      Strings
      • InstallDate, xrefs: 0067326F
      • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00673274
      Similarity
      • API ID: Time$FileLocalSecondsSince1970SystemValue
      • String ID: InstallDate$Software\Microsoft\Windows NT\CurrentVersion
      • API String ID: 3693839993-2483358291
      • Opcode ID: ecf1c6c2eeb80ae88766c113d4ec332436f0d6d303e735f2ccdf7ec94e92988d
      • Instruction ID: eedc472a5d64e4da73b26582feebd2ab1d9a568082cf2bed8c13faac6406bc6f
      • Opcode Fuzzy Hash: ecf1c6c2eeb80ae88766c113d4ec332436f0d6d303e735f2ccdf7ec94e92988d
      • Instruction Fuzzy Hash: 34316171E00119ABDF14DFA5D8849EEB7BAFB48310F14416AF918E7351DB309A059B64
      APIs
      • InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(006898B8,00612FA0,00000000,?,?,00000000,00000000,?,?,?,005FF27A,00000400,00000000,?,?,00000000), ref: 005FF363
      • CopyIcon.USER32 ref: 005FF388
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,005FF27A,00000400,00000000,?,?,00000000), ref: 0063BED7
      Strings
      • base\diagnosis\pdui\atm\inc\imgutils.h, xrefs: 0063BEED
      • TmImageUtils::GetDefaultIcon, xrefs: 0063BEE8
      • %d FAIL: 0x%08x, xrefs: 0063BEDE
      Similarity
      • API ID: Once$CopyCurrentExecuteIconInitThread
      • String ID: %d FAIL: 0x%08x$TmImageUtils::GetDefaultIcon$base\diagnosis\pdui\atm\inc\imgutils.h
      • API String ID: 3961365418-3583982462
      • Opcode ID: 0d7ac9ef13a70eb812d67b5c37401871471505c51c6456e83673a4cbde31f7ee
      • Instruction ID: 4ef03efb1115a577490625b083a048cabbd8ccc1fe9fa2ae1b8999dca2ade501
      • Opcode Fuzzy Hash: 0d7ac9ef13a70eb812d67b5c37401871471505c51c6456e83673a4cbde31f7ee
      • Instruction Fuzzy Hash: 3021C573A60218FB9B144F54EC469FA7E76FB64310B182A39F601E2650D77C8C1097A4
      APIs
      • memset.MSVCRT ref: 005ED091
      • GetVersionExW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?), ref: 005ED0A6
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?), ref: 005ED0B0
      Strings
      • base\diagnosis\pdui\atm\main\setting.cpp, xrefs: 005ED103
      • Unknown version %d, xrefs: 005ED0F4
      • TmGlobalSettings::IsServer, xrefs: 005ED0FE
      Similarity
      • API ID: ErrorLastVersionmemset
      • String ID: TmGlobalSettings::IsServer$Unknown version %d$base\diagnosis\pdui\atm\main\setting.cpp
      • API String ID: 173866510-1265474954
      • Opcode ID: 687018680155cf125f81d5329c6ec146a036e64666ad61f8aabb5b057abdc6a7
      • Instruction ID: c65f711055a734ef19f20796f6c0dd9b0abe6e169477b5b40459257f0c816150
      • Opcode Fuzzy Hash: 687018680155cf125f81d5329c6ec146a036e64666ad61f8aabb5b057abdc6a7
      • Instruction Fuzzy Hash: 8D115670A4039D9ADB289B7A8D0BBFA7FF6BB01300F4800ADE4D997140DA719941CBB5
      APIs
      • InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(006898B8,Function_00052FA0,00000000,?,005FC30A,?,?,005FC30A,005FC30A,?,005FBFA6,00000000,?,00000000,00000000), ref: 005FC0DE
      • CopyIcon.USER32 ref: 005FC0F4
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,005FBFA6,00000000,?,00000000,00000000), ref: 0063AA6D
      Strings
      • base\diagnosis\pdui\atm\inc\imgutils.h, xrefs: 0063AA83
      • TmImageUtils::GetDefaultIcon, xrefs: 0063AA7E
      • %d FAIL: 0x%08x, xrefs: 0063AA74
      Similarity
      • API ID: Once$CopyCurrentExecuteIconInitThread
      • String ID: %d FAIL: 0x%08x$TmImageUtils::GetDefaultIcon$base\diagnosis\pdui\atm\inc\imgutils.h
      • API String ID: 3961365418-3583982462
      • Opcode ID: ce8e10fe4e37cc0827ff0d08a8c3ead5993d38dccf85a61492df7ebc486c0867
      • Instruction ID: ba4eeb4921c44d591c03d511c309752dff3f1f270dca10ca089f9eb740bd52ca
      • Opcode Fuzzy Hash: ce8e10fe4e37cc0827ff0d08a8c3ead5993d38dccf85a61492df7ebc486c0867
      • Instruction Fuzzy Hash: BB11A272640209FFD710CF58D906BAABBF8FB14311F24462EF485A2290D7B89A90DB60
      APIs
      • Shell_GetCachedImageIndexW.SHELL32(?,00000000,00000000), ref: 00675173
      • SHGetImageList.SHELL32(00000001,005CBF4C), ref: 00675192
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 0067519F
      Strings
      • WdcAppHistoryMonitor::_SetIcon, xrefs: 006751B0
      • %d FAIL: 0x%08x, xrefs: 006751A6
      • base\diagnosis\pdui\atm\main\apphistorymonitor.cpp, xrefs: 006751B5
      Similarity
      • API ID: Image$CachedCurrentIndexListShell_Thread
      • String ID: %d FAIL: 0x%08x$WdcAppHistoryMonitor::_SetIcon$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp
      • API String ID: 340527635-554341064
      • Opcode ID: 29e76894bc999b598f6d00b1bd5970851297fd5abdc6385321dea3bff9e0aba4
      • Instruction ID: e0f2d9c322c29437ff6d144354eeae3d5586705e8bf92497bcfc969f6cf1d492
      • Opcode Fuzzy Hash: 29e76894bc999b598f6d00b1bd5970851297fd5abdc6385321dea3bff9e0aba4
      • Instruction Fuzzy Hash: 89110632B41620BFC7205B99CC09E9BBF2AEF45721B51426AF90997390D7B15D40CBD0
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000044,00000000,00000044,00000000,00000000,00000044,00000000), ref: 0067318B
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00000044,00000000,00000044,00000000,00000000,00000044,00000000), ref: 006731E8
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 006731EF
      Strings
      • WdcAppHistoryMonitor::_IsImmersiveApplication, xrefs: 0067319C
      • %d FAIL: 0x%08x, xrefs: 00673192
      • base\diagnosis\pdui\atm\main\apphistorymonitor.cpp, xrefs: 006731A1
      Similarity
      • API ID: Heap$CurrentFreeProcessThread
      • String ID: %d FAIL: 0x%08x$WdcAppHistoryMonitor::_IsImmersiveApplication$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp
      • API String ID: 192039753-2187446637
      • Opcode ID: dee3ef3f62f59d83b964576ddf7a2d29a1f68d7e7339de4cb1548c47609c3b8b
      • Instruction ID: e1c8d5d92f1d9f9b55d0e4410bed1378edcbbced1fbf852e101e65297548e064
      • Opcode Fuzzy Hash: dee3ef3f62f59d83b964576ddf7a2d29a1f68d7e7339de4cb1548c47609c3b8b
      • Instruction Fuzzy Hash: 27010876B41239B78B30AAA84C4599B7F6AEB85710F54416AF90CA3300DA308F0597A0
      APIs
      • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,00000000,?,?,006393AD,?,?,?,?,?), ref: 006603A6
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,006393AD,?,?,?,?,?,?,?,?,?,005F760E,?,?,?,?), ref: 006603B0
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,006393AD,?,?,?,?,?,?,?,?,?,005F760E,?,?,?), ref: 006603D3
      Strings
      • %d FAIL: 0x%08x, xrefs: 006603DA
      • TmULongLongToLocalTime, xrefs: 006603E4
      • base\diagnosis\pdui\atm\main\tmutils.cpp, xrefs: 006603E9
      Similarity
      • API ID: Time$CurrentErrorFileLastSystemThread
      • String ID: %d FAIL: 0x%08x$TmULongLongToLocalTime$base\diagnosis\pdui\atm\main\tmutils.cpp
      • API String ID: 1553313453-2220014484
      • Opcode ID: 945ee8b7fbd0077bc508153991cbd151b953a063b7cc59482606f896c5d3f2d9
      • Instruction ID: df19010daa0e687793edc93b2ebe987c787daec88ff681ae7643bb46f30e0569
      • Opcode Fuzzy Hash: 945ee8b7fbd0077bc508153991cbd151b953a063b7cc59482606f896c5d3f2d9
      • Instruction Fuzzy Hash: 0911A076E4021AAB9710DFA98C459AFBBAAEF84711B11513AFD05F7340EA308D0087E5
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,-00000174,00000000,00000000,00000000), ref: 006582AC
      Strings
      Similarity
      • API ID: CurrentThread
      • String ID: %s%s$%s%s$%d FAIL: 0x%08x$AtmBaseView::FormatTable$base\diagnosis\pdui\atm\main\baseview.cpp
      • API String ID: 2882836952-546896193
      • Opcode ID: 3c19f92fa9ce883b4323ddc6003c9fa52d8f5b71680cfaae4450f4979c00369a
      • Instruction ID: 19dc3eb9bb51dcc461eea02a884ffafb358233ef8cca3b7cc6f04515aa05224d
      • Opcode Fuzzy Hash: 3c19f92fa9ce883b4323ddc6003c9fa52d8f5b71680cfaae4450f4979c00369a
      • Instruction Fuzzy Hash: 8F11CA71E0021D6BCB249F99CC46EDB7FA9EF45710F0005A6FA44A3241DA719E948BE1
      APIs
        • Part of subcall function 00645DE3: memset.MSVCRT ref: 00645DFC
        • Part of subcall function 00645DE3: SendMessageW.USER32(00000000), ref: 00645E25
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?), ref: 006463D1
      • PostMessageW.USER32(00000406,00000000,00000000), ref: 0064641E
      Strings
      • WdcListView::GotoTab, xrefs: 006463E2
      • base\diagnosis\pdui\atm\main\listview.cpp, xrefs: 006463E7
      • %d FAIL: 0x%08x, xrefs: 006463D8
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Message$CurrentPostSendThreadmemset
      • String ID: %d FAIL: 0x%08x$WdcListView::GotoTab$base\diagnosis\pdui\atm\main\listview.cpp
      • API String ID: 1570699066-3018805463
      • Opcode ID: d2cdd5da37933c1a91385f0fd0bc1e43ad66550652589ed40ed5d5c35a9ddb88
      • Instruction ID: 0d14797a2dedb172387c53d05e1d9bf09eafc4d26af475bd509312c9cbbd01ca
      • Opcode Fuzzy Hash: d2cdd5da37933c1a91385f0fd0bc1e43ad66550652589ed40ed5d5c35a9ddb88
      • Instruction Fuzzy Hash: F3012636F40221BBCB254E94CC0ABAABA9BFB41750F155215FD05A7390CBE09C8187D3
      APIs
      • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,00000000,?,?,?,00674F01), ref: 0066030F
      • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00674F01,?,?,?,?,?,?,?,?,?,?,?,?,?,00640BCE), ref: 00660319
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004005,?,00674F01), ref: 0066033C
      Strings
      • %d FAIL: 0x%08x, xrefs: 00660343
      • TmSystemTimeToULongLong, xrefs: 0066034D
      • base\diagnosis\pdui\atm\main\tmutils.cpp, xrefs: 00660352
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Time$CurrentErrorFileLastSystemThread
      • String ID: %d FAIL: 0x%08x$TmSystemTimeToULongLong$base\diagnosis\pdui\atm\main\tmutils.cpp
      • API String ID: 1553313453-1385867681
      • Opcode ID: 96971d982b1ab621244dbc543d751bc70af20d3da5c81b4dfa8eebe52f56810a
      • Instruction ID: 05246465fbd347dc353fd1541b68d866ea3b11aa032fe50aa21c4536ba8f2ccc
      • Opcode Fuzzy Hash: 96971d982b1ab621244dbc543d751bc70af20d3da5c81b4dfa8eebe52f56810a
      • Instruction Fuzzy Hash: 0401DBB7A51622BB97248B8ADC059ABBE9EFF44711B151266FC08F3300D7709D01C7D5
      APIs
      • InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(006898B8,Function_00052FA0,00000000,?,?,00000000,00000000,00000000,?,005F91BD,005FC30A,?,?,005FC30A,?,005FC02D), ref: 006152F1
      • CopyIcon.USER32 ref: 00615308
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,005F91BD,005FC30A,?,?,005FC30A,?,005FC02D,00000000,?,00000000,00000000,00000000,?,?), ref: 00641239
      Strings
      • base\diagnosis\pdui\atm\inc\imgutils.h, xrefs: 0064124F
      • %d FAIL: 0x%08x, xrefs: 00641240
      • TmImageUtils::GetPendingIcon, xrefs: 0064124A
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Once$CopyCurrentExecuteIconInitThread
      • String ID: %d FAIL: 0x%08x$TmImageUtils::GetPendingIcon$base\diagnosis\pdui\atm\inc\imgutils.h
      • API String ID: 3961365418-2003250826
      • Opcode ID: 50ab81058c224744715207a2655e38bd470e46e13ae507610d035956ea6a99a6
      • Instruction ID: d26d543ac52193a5587d05597b5e3dd95355455468348fb07bb9e2294090a829
      • Opcode Fuzzy Hash: 50ab81058c224744715207a2655e38bd470e46e13ae507610d035956ea6a99a6
      • Instruction Fuzzy Hash: 0C01D6B2940228FF97149B98DC06DEABB7EEB51B20B15035AFC05E3340EBB06D4187E0
      APIs
      • SysFreeString.OLEAUT32(?), ref: 006043F0
      • SysFreeString.OLEAUT32(?), ref: 00604413
      • SysFreeString.OLEAUT32(?), ref: 00604424
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,006043C7,00000000,?,00604328,?,?,?,?,?,005E5908), ref: 0060442F
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00604328,?,?,?,?,?,005E5908), ref: 00604436
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Free$String$Heap$Process
      • String ID:
      • API String ID: 1137075025-0
      • Opcode ID: 2d5457dbb5b8fb13baabdea98408688b021100c0d3a1cd7f2e8eec269577d678
      • Instruction ID: 47f8cea5c53d9349d34dd98ecf4802d9fb79e7132d975ac0a04fcc039c9b149f
      • Opcode Fuzzy Hash: 2d5457dbb5b8fb13baabdea98408688b021100c0d3a1cd7f2e8eec269577d678
      • Instruction Fuzzy Hash: 9501E9B5841B00EBC7365F11EC08957BBF2FB94722714AA2EE59741A61DB30A886DB90
      APIs
      • OpenDesktopW.USER32(?,00000000,00000000,00000003), ref: 006101FF
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0061020C
      • GetThreadDesktop.USER32(00000000), ref: 00610213
      • SetThreadDesktop.USER32(00000000), ref: 0061021C
      • EnumDesktopWindows.USER32(00000000,005FD0C0,?), ref: 0061022F
      • SetThreadDesktop.USER32(00000000), ref: 00610236
      • CloseDesktop.USER32(00000000), ref: 0061023D
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Desktop$Thread$CloseCurrentEnumOpenWindows
      • String ID:
      • API String ID: 59027413-0
      • Opcode ID: e98bd3ca79df51137d4534b3db205563d1e7dce07baa40274e97372567710164
      • Instruction ID: 47183e9053b7923a46fd145b5b3cbfa8394300009a7f873df06ef801ae26d4a6
      • Opcode Fuzzy Hash: e98bd3ca79df51137d4534b3db205563d1e7dce07baa40274e97372567710164
      • Instruction Fuzzy Hash: BEF0A7B21401147BD7612BB1AC1CFEF3FAEEF45751F082210FA45D61A0CB748541CBA4
      APIs
      • StrToID.DUI70(CBEndTaskInfoIcon,?,?,00602C0D,00000001,00000002,000000FD,?,00000000,?,?,?,?,00606273,00000000,00000000), ref: 006313EF
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00602C0D,00000001,00000002,000000FD,?,00000000,?,?,?,?,00606273,00000000,00000000,?), ref: 006313FC
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000000,?,?,00602C0D,00000001,00000002,000000FD,?,00000000,?,?,?,?,00606273,00000000,00000000), ref: 00631411
      • ?GetVisible@Element@DirectUI@@QAE_NXZ.DUI70(?,00602C0D,00000001,00000002,000000FD,?,00000000,?,?,?,?,00606273,00000000,00000000,?,00000000), ref: 00631419
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(000000FD,?,00602C0D,00000001,00000002,000000FD,?,00000000,?,?,?,?,00606273,00000000,00000000,?), ref: 0063142B
        • Part of subcall function 0063106E: StrToID.DUI70(EndTaskButtonHost,?,006313AB,?,?,00610632,000000FD,?,?,00610294), ref: 0063107F
        • Part of subcall function 0063106E: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00610632,000000FD,?,?,00610294), ref: 0063108C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Descendent@FindV12@Visible@$LayoutPos@
      • String ID: CBEndTaskInfoIcon
      • API String ID: 1692028734-3213099510
      • Opcode ID: 6413715e685cf2f4ef78808c0a48a4ec0ac5d975fe506b1f43e8150062b2f5a3
      • Instruction ID: 654ad41d74ba28993d838b788135e4babdb342d0a38bfd66461adace2ac122ed
      • Opcode Fuzzy Hash: 6413715e685cf2f4ef78808c0a48a4ec0ac5d975fe506b1f43e8150062b2f5a3
      • Instruction Fuzzy Hash: 74F0B431600324ABCB245F119808A7F7BE7EB4AB31F041609EC569B3A1DB30DC81D7E1
      APIs
      • StrToID.DUI70(005DAB88,00000000,00000000,?,?,?,0065BE92,?,?,00000064,00000000), ref: 0065D3D1
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,0065BE92,?,?,00000064,00000000), ref: 0065D3DE
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,?,0065BE92,?,?,00000064,00000000), ref: 0065D3EF
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?,?,?,?,0065BE92,?,?,00000064,00000000), ref: 0065D3FA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$ContentDescendent@FindName@String@V12@
      • String ID: RateLabelDiskRate$RateLabelDiskTime
      • API String ID: 523764757-420751161
      • Opcode ID: 43a3a52110929fc24781eee565910ba377b367d4ed95d03d13f07dc43eaa2607
      • Instruction ID: 26c3fdb8f2f1df9627ba674be69ce1e0639c959086ab44c244e7e784491bf0db
      • Opcode Fuzzy Hash: 43a3a52110929fc24781eee565910ba377b367d4ed95d03d13f07dc43eaa2607
      • Instruction Fuzzy Hash: 8DF0E231500218BB8B255F58EC0C8BFBFABEBC8321B10511BFC1593320DB708916AB91
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000014,00000000,006625F8), ref: 006614F3
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 006614FA
      • ??0RefcountBase@DirectUI@@QAE@XZ.DUI70 ref: 00661509
      • ??0IProvider@DirectUI@@QAE@XZ.DUI70 ref: 00661512
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectHeap$AllocBase@ProcessProvider@Refcount
      • String ID: qa$@;f
      • API String ID: 940640848-4048877703
      • Opcode ID: e3e84556409988595f085f812068a9452a23d1207bfd9b293e24d2555ac28158
      • Instruction ID: 352c08876cb4d880cb8e151658844519fb5c06d0c60c5958d875551a6c65b1de
      • Opcode Fuzzy Hash: e3e84556409988595f085f812068a9452a23d1207bfd9b293e24d2555ac28158
      • Instruction Fuzzy Hash: 90E0927120070ABFC7105F69EC5CB55BBB6FBC5315F089208E0168B664DBB0C555CBD0
      APIs
      • _ftol2.MSVCRT ref: 0064D3DE
      • OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000008,00000000,?,?,?,?,?), ref: 0064D3FD
• GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000017(TokenVirtualizationAllowed),?,00000004,?), ref: 0064D416
• GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000018(TokenVirtualizationEnabled),00000000,00000004,?), ref: 0064D43C
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 0064D457
      • _ftol2.MSVCRT ref: 0064D463
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Token$Information_ftol2$CloseHandleOpenProcess
      • String ID:
      • API String ID: 3982777737-0
      • Opcode ID: 26dc34e3d8b7eb62376368c9a02514802620f923a302577be48aba6a68417878
      • Instruction ID: 1eb6ddeeda836154d0b6cd2e06228853fe71e61e89f6605262e692f443737121
      • Opcode Fuzzy Hash: 26dc34e3d8b7eb62376368c9a02514802620f923a302577be48aba6a68417878
      • Instruction Fuzzy Hash: D9315171A00209EFEB11DF95D884BEABBF9FF04301F40907AEA55D6291D770AE58DB50
      APIs
      • EqualSid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?,?,00673D4C,00000000), ref: 0067305F
      • IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000016,?,00673D4C,00000000), ref: 0067306C
      • IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000007,?,00673D4C,00000000), ref: 00673079
      • IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000018,?,00673D4C,00000000), ref: 00673086
      • IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000017,?,00673D4C,00000000), ref: 00673093
      • IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,0000000C,?,00673D4C,00000000), ref: 006730A0
        • Part of subcall function 00611B42: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000008,00000000,00000000,00002900,?), ref: 00611B65
        • Part of subcall function 00611B42: OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00611B6C
  • Part of subcall function 00611B42: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenUser),00000000,000000FF,000000FF), ref: 00611B88
        • Part of subcall function 00611B42: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00611B96
        • Part of subcall function 00611B42: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,000000FF), ref: 00611BBE
        • Part of subcall function 00611B42: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00611BC5
  • Part of subcall function 00611B42: GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000001(TokenUser),00000000,000000FF,000000FF), ref: 00611BE2
        • Part of subcall function 00611B42: GetLengthSid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000), ref: 00611BF2
        • Part of subcall function 00611B42: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 00611BFD
        • Part of subcall function 00611B42: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00611C04
        • Part of subcall function 00611B42: CopySid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000000,00000000), ref: 00611C10
        • Part of subcall function 00611B42: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00611C34
        • Part of subcall function 00611B42: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00611C3B
        • Part of subcall function 00611B42: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00611C4E
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$KnownProcessWell$Token$AllocInformation$CloseCopyCurrentEqualErrorFreeHandleLastLengthOpen
      • String ID:
      • API String ID: 3056859156-0
      • Opcode ID: 7a16f51d51f20af907ae5c3a74fac9ee71360daf5e940c949212ce056fb31541
      • Instruction ID: c45f61b5c0b81b3c30e25973e82164004e186f1e7552af8f33a81ca95fec31b6
      • Opcode Fuzzy Hash: 7a16f51d51f20af907ae5c3a74fac9ee71360daf5e940c949212ce056fb31541
      • Instruction Fuzzy Hash: B8018130300228BBDB301F62AD08FDB375FAF15B41F00A414F909EB351F7659A02A795
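The two token-related entries above (the GetTokenInformation pair at 0064D416 and 0064D43C, and the IsWellKnownSid chain at 0067306C through 006730A0) list the TOKEN_INFORMATION_CLASS and WELL_KNOWN_SID_TYPE arguments as raw hex. The Python helper below is an added example for reading such entries; it is not part of the Joe Sandbox report or its IDA plugin. The enum tables are the documented winnt.h values. The assumed input shape ("Name.Module(arg,arg,...), ref: ADDR", arguments as 8-digit hex or "?") and the position of the enum argument are our own reading of the report format, and the decoder ignores any name the sandbox appends in parentheses after an argument, deriving the name from the numeric value alone. The sample lines are constructed here in that shape.

```python
"""Decode the raw enum arguments a Joe Sandbox API listing prints for
GetTokenInformation and IsWellKnownSid, so a token/SID-checking function
can be read without a winnt.h lookup.

Assumptions (ours, not the report's): lines look like
"Name.Module(arg,arg,...), ref: ADDR", arguments are 8-digit hex or "?",
and a trailing "(Label)" on an argument is a sandbox annotation to ignore.
"""
import re

# Documented TOKEN_INFORMATION_CLASS values (winnt.h), 1..28.
TOKEN_INFORMATION_CLASS = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
    5: "TokenPrimaryGroup", 6: "TokenDefaultDacl", 7: "TokenSource",
    8: "TokenType", 9: "TokenImpersonationLevel", 10: "TokenStatistics",
    11: "TokenRestrictedSids", 12: "TokenSessionId",
    13: "TokenGroupsAndPrivileges", 14: "TokenSessionReference",
    15: "TokenSandBoxInert", 16: "TokenAuditPolicy", 17: "TokenOrigin",
    18: "TokenElevationType", 19: "TokenLinkedToken", 20: "TokenElevation",
    21: "TokenHasRestrictions", 22: "TokenAccessInformation",
    23: "TokenVirtualizationAllowed", 24: "TokenVirtualizationEnabled",
    25: "TokenIntegrityLevel", 26: "TokenUIAccess",
    27: "TokenMandatoryPolicy", 28: "TokenLogonSid",
}

# Documented WELL_KNOWN_SID_TYPE values (winnt.h), 0..24.
WELL_KNOWN_SID_TYPE = {
    0: "WinNullSid", 1: "WinWorldSid", 2: "WinLocalSid",
    3: "WinCreatorOwnerSid", 4: "WinCreatorGroupSid",
    5: "WinCreatorOwnerServerSid", 6: "WinCreatorGroupServerSid",
    7: "WinNtAuthoritySid", 8: "WinDialupSid", 9: "WinNetworkSid",
    10: "WinBatchSid", 11: "WinInteractiveSid", 12: "WinServiceSid",
    13: "WinAnonymousSid", 14: "WinProxySid", 15: "WinEnterpriseControllersSid",
    16: "WinSelfSid", 17: "WinAuthenticatedUserSid", 18: "WinRestrictedCodeSid",
    19: "WinTerminalServerSid", 20: "WinRemoteLogonIdSid", 21: "WinLogonIdsSid",
    22: "WinLocalSystemSid", 23: "WinLocalServiceSid", 24: "WinNetworkServiceSid",
}

# 0-based position of the enum argument for each API, and the table decoding it.
ENUM_ARG = {
    "GetTokenInformation": (1, TOKEN_INFORMATION_CLASS),
    "IsWellKnownSid": (1, WELL_KNOWN_SID_TYPE),
}

_CALL = re.compile(r"(\w+)\.[\w\-]+\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")


def decode_call(line):
    """Return {api, ref, value, name} for a decodable call line, else None."""
    m = _CALL.search(line)
    if not m:
        return None
    api, args, ref = m.groups()
    if api not in ENUM_ARG:
        return None
    idx, table = ENUM_ARG[api]
    argv = [a.strip() for a in args.split(",")]
    if idx >= len(argv):
        return None
    raw = argv[idx].split("(")[0]      # drop any "(Label)" the sandbox appended
    if raw == "?":                     # value not recovered by the sandbox
        return None
    value = int(raw, 16)
    return {"api": api, "ref": ref, "value": value,
            "name": table.get(value, "unknown_0x%X" % value)}


def relabel(line):
    """Rewrite the line so the enum argument carries its decoded name."""
    d = decode_call(line)
    if d is None:
        return line
    m = _CALL.search(line)
    idx, _ = ENUM_ARG[d["api"]]
    argv = [a.strip() for a in m.group(2).split(",")]
    argv[idx] = "%08X(%s)" % (d["value"], d["name"])
    return line[:m.start(2)] + ",".join(argv) + line[m.end(2):]


def decode_entry(lines):
    """Decode every decodable call in one report entry, in listed order."""
    return [d for d in (decode_call(ln) for ln in lines) if d is not None]


# Sample lines constructed in the report's shape (the UAC-virtualization query
# and the service-account SID check from the two entries above).
SAMPLE_TOKEN_QUERY = [
    "• OpenProcessToken.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000008,00000000,?,?,?,?,?), ref: 0064D3FD",
    "• GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000017(TokenIntegrityLevel),?,00000004,?), ref: 0064D416",
    "• GetTokenInformation.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000018,00000000,00000004,?), ref: 0064D43C",
    "• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 0064D457",
]
SAMPLE_SID_CHECK = [
    "• EqualSid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,?,?,00673D4C,00000000), ref: 0067305F",
    "• IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000016,?,00673D4C,00000000), ref: 0067306C",
    "• IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000007,?,00673D4C,00000000), ref: 00673079",
    "• IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000018,?,00673D4C,00000000), ref: 00673086",
    "• IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,00000017,?,00673D4C,00000000), ref: 00673093",
    "• IsWellKnownSid.API-MS-WIN-SECURITY-BASE-L1-1-0(?,0000000C,?,00673D4C,00000000), ref: 006730A0",
]

if __name__ == "__main__":
    for entry in (SAMPLE_TOKEN_QUERY, SAMPLE_SID_CHECK):
        for line in entry:
            print(relabel(line))
        print()
```

Run stand-alone, it prints both sample entries with the second argument relabeled: 0x17 and 0x18 decode to TokenVirtualizationAllowed and TokenVirtualizationEnabled (a UAC-virtualization query, both with a 4-byte DWORD buffer), and the IsWellKnownSid chain tests the SID against LocalSystem, NT AUTHORITY, NetworkService, LocalService and the Service group, in that order. OpenProcessToken, EqualSid and CloseHandle pass through untouched because they carry no enum the decoder knows.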
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80004003,?,?,?,?,?,?,?,?,?,?,?,?,?,005F4403,?), ref: 0061E045
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcGpuMonitor::GetInfoForPid$base\diagnosis\pdui\atm\main\gpu.cpp
      • API String ID: 2882836952-3192073245
      • Opcode ID: 024e5bad74079a6b8ae56cd407f60368c16ae40fb2d8dd9f84bb52cd7dfe80a6
      • Instruction ID: 6ba474ada8448da6c112f08d5ac9ebdc568d62def3d9c242235e786df2c92be5
      • Opcode Fuzzy Hash: 024e5bad74079a6b8ae56cd407f60368c16ae40fb2d8dd9f84bb52cd7dfe80a6
      • Instruction Fuzzy Hash: 60619370E00715AFCB24CFA8D8819EAB7F6FF48310B144A5DE896A3381D771E995CB91
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,005FC02D,00000000,?,00000000,00000000,00000000,?,?,005FC30A,?), ref: 005F92E7
        • Part of subcall function 006152CA: InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(006898B8,Function_00052FA0,00000000,?,?,00000000,00000000,00000000,?,005F91BD,005FC30A,?,?,005FC30A,?,005FC02D), ref: 006152F1
        • Part of subcall function 006152CA: CopyIcon.USER32 ref: 00615308
      Strings
      • WdcApplicationsMonitor::TmGetIcon, xrefs: 005F92F8
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 005F92FD
      • %d FAIL: 0x%08x, xrefs: 005F92EE
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Once$CopyCurrentExecuteIconInitThread
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::TmGetIcon$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 3961365418-2981256330
      • Opcode ID: 32c3c730c7e523253ef7d4567c24db740252c4c53e62a13ddb0399fc771aac16
      • Instruction ID: b2eb746cbb150a65c7ab6c9c094fb7d369f3352a2696555051b5cb926306d34e
      • Opcode Fuzzy Hash: 32c3c730c7e523253ef7d4567c24db740252c4c53e62a13ddb0399fc771aac16
      • Instruction Fuzzy Hash: 4E51F536700A19EFCB11CE58D844BAABBA5FB89361F18026AEE44D7381C735AC51CBD1
      APIs
        • Part of subcall function 00619B1E: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,005F1680), ref: 00619B27
      • _ftol2.MSVCRT ref: 0062B7A1
      • _ftol2.MSVCRT ref: 0062B7FB
      • PostMessageW.USER32(00000406,00000000,00000000,?), ref: 0062B80C
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 0062B960
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalSection_ftol2$EnterLeaveMessagePost
      • String ID: base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 2173714566-1921993757
      • Opcode ID: ff2597c76809c50d3ee028e2a40989925e5fa2ac84fe0e58957fdfb238aa1055
      • Instruction ID: fec8453f177152d18640fb6c3d6277d2d58943de3841d1c939498b8195ccd1b3
      • Opcode Fuzzy Hash: ff2597c76809c50d3ee028e2a40989925e5fa2ac84fe0e58957fdfb238aa1055
      • Instruction Fuzzy Hash: 0F41C131A04A26AFCB059F10EC59DAF7BA7EF85350F049129FD199A261CB31DC91DF90
      APIs
        • Part of subcall function 00658518: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 00658574
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 0065F5E1
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 0065F601
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 0065F657
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(?), ref: 0065F67B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$ContentName@String@$CurrentThread
      • String ID: base\diagnosis\pdui\atm\main\networkview.cpp
      • API String ID: 3520724212-2543364597
      • Opcode ID: 1021f7e83d214fc3b86b80de74b0f295be2e56eadc0970c915096d782145e995
      • Instruction ID: 29ab89975f4334909e43baf0a200ee07153b3a7798174dcd7e1eb5174f85937c
      • Opcode Fuzzy Hash: 1021f7e83d214fc3b86b80de74b0f295be2e56eadc0970c915096d782145e995
      • Instruction Fuzzy Hash: 0041E231300605ABDB11AF15C899ABB37AAEF89751F040579FC49EB394EB30ED05CBA5
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000004,?,?,80004005,?,?,?,?,?,?,?,?,0062929B,00000005,?), ref: 00629417
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,80004005,?,?,?,?,?,?,?,?,0062929B,00000005,?,?), ref: 0062948F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmMemoryView::_GetCurrentUsage$base\diagnosis\pdui\atm\main\memoryview.cpp
      • API String ID: 2882836952-2176286654
      • Opcode ID: f3f2d3346863a9ef81889768ae2ae26c099f79505ff5cc14328b623a73327ffc
      • Instruction ID: 5d987424c4508f5b1635dfe2431416a2ce1ff5f11088c7204e3a828a7d860d65
      • Opcode Fuzzy Hash: f3f2d3346863a9ef81889768ae2ae26c099f79505ff5cc14328b623a73327ffc
      • Instruction Fuzzy Hash: A9412871E00619BBCB05AF91E859BED7BB9FF89310F2181A9E995A7381DF345810CF60
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00631194
        • Part of subcall function 00667AB8: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000001C,?,?,?,000000FF,00000000,?,?,?,0063116D,?), ref: 00667B06
        • Part of subcall function 00667AB8: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0063116D,?), ref: 00667B0D
        • Part of subcall function 00667AB8: ?_PostEvent@Element@DirectUI@@AAEXPAUEvent@2@H@Z.DUI70(00000000,000083F8,?,0063116D,?), ref: 00667B3B
      Strings
      • base\diagnosis\pdui\atm\main\commandbar.cpp, xrefs: 006311AA
      • %d FAIL: 0x%08x, xrefs: 0063119B
      • TmCommandBar::InvokeMenu, xrefs: 006311A5
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocCurrentDirectElement@Event@Event@2@PostProcessThread
      • String ID: %d FAIL: 0x%08x$TmCommandBar::InvokeMenu$base\diagnosis\pdui\atm\main\commandbar.cpp
      • API String ID: 3151111536-379602119
      • Opcode ID: 4a5590e0a2c78579d86104f1fc3854c253c8882329fcbf9708afabda5d2ba8d4
      • Instruction ID: c3e621eb01d0caab3b4d71abe619f93cdb84a8943c9c83ed99372725f4718adf
      • Opcode Fuzzy Hash: 4a5590e0a2c78579d86104f1fc3854c253c8882329fcbf9708afabda5d2ba8d4
      • Instruction Fuzzy Hash: F1412E31708210DBDF159B96DC48BA97B97AF86310F08416EF9498F3A2CB749D81CBD1
      APIs
      • ShowWindowAsync.USER32(?,-00000007,?,?,?), ref: 0062E2CA
        • Part of subcall function 006658B0: IsIconic.USER32(?), ref: 006658BF
        • Part of subcall function 006658B0: ShowWindowAsync.USER32(?,00000009,?,0062E2F8,00000000,?,?,?), ref: 006658D1
        • Part of subcall function 006658B0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00004003,?,0062E2F8,00000000,?,?,?), ref: 006658E9
        • Part of subcall function 006658B0: AllowSetForegroundWindow.USER32(?), ref: 006658F2
        • Part of subcall function 006658B0: SetForegroundWindow.USER32(?), ref: 006658FE
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 0062E32A
      Strings
      • base\diagnosis\pdui\atm\main\window.cpp, xrefs: 0062E340
      • %d FAIL: 0x%08x, xrefs: 0062E331
      • WdcWindowMonitor::AtmOnProcessCommand, xrefs: 0062E33B
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Window$AsyncForegroundShow$AllowCurrentIconicThread
      • String ID: %d FAIL: 0x%08x$WdcWindowMonitor::AtmOnProcessCommand$base\diagnosis\pdui\atm\main\window.cpp
      • API String ID: 1923275748-1513599218
      • Opcode ID: dd15c4ef64083fa31efaa8f8f545387a3e02eede2307f942e868680772b11553
      • Instruction ID: f52b7d1925d5d4a0d4f3cc0e34731c3cdc237a935e3f8a0c4661f5667b3cd4f3
      • Opcode Fuzzy Hash: dd15c4ef64083fa31efaa8f8f545387a3e02eede2307f942e868680772b11553
      • Instruction Fuzzy Hash: E6312432A05A25FBDB158A18DC41EAE7B5BFF91761F48813AF91987290D733DC108BD0
      Strings
      • base\diagnosis\pdui\atm\main\setting.cpp, xrefs: 00634709
      • TmGlobalSettings::GetSruApiWrapper, xrefs: 00634704
      • %d FAIL: 0x%08x, xrefs: 006346FA
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: H_prolog3_catch
      • String ID: %d FAIL: 0x%08x$TmGlobalSettings::GetSruApiWrapper$base\diagnosis\pdui\atm\main\setting.cpp
      • API String ID: 3886170330-1224871139
      • Opcode ID: a889173e3fce5675e7f8ac632a684cbc6bab85b97c074acb485a0a7d7f1828f6
      • Instruction ID: ec57548cdedd383919eb42ab09512e27753be1a80ae17b32b287e3b79d03f963
      • Opcode Fuzzy Hash: a889173e3fce5675e7f8ac632a684cbc6bab85b97c074acb485a0a7d7f1828f6
      • Instruction Fuzzy Hash: 3921EAB26017109B97188F5ADC41966FBE9EFD5710714421EE855D7381DE709C008BE5
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,80000000,00000032), ref: 006634DA
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006634EB
        • Part of subcall function 00661739: ?GetInvokeHelper@InvokeManager@DirectUI@@SGJPAPAVInvokeHelper@2@@Z.DUI70(00000000,00000000,?,?,?,00662894,?,00668337,?,?), ref: 0066174D
        • Part of subcall function 00663884: memmove.MSVCRT(00000038,00000034,80000000,00000000,00000000,00000000,80000000,?,006633AF,80000000,00000033), ref: 00663911
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Invoke$CurrentThread$DirectHelper@Helper@2@@Manager@memmove
      • String ID: %d FAIL: 0x%08x$GetColumnHeaderItems$base\diagnosis\pdui\atm\main\atmacc.cpp
      • API String ID: 4049973829-4100709908
      • Opcode ID: a86c3e46eb1da2ffc9fc8f62f61b5639d2bb73d4ff1c7e13460a1ca090b4ccf2
      • Instruction ID: 8bc99d2f3482573fe7ad78c9ad07f88f37731b62e0d5e9e3a47c418dedc69d2f
      • Opcode Fuzzy Hash: a86c3e46eb1da2ffc9fc8f62f61b5639d2bb73d4ff1c7e13460a1ca090b4ccf2
      • Instruction Fuzzy Hash: 29216D32D00229ABDB05DF98C842BFEB7B6FF50715F144169E915AB381DB385E05CB90
      Strings
      • base\diagnosis\pdui\atm\main\commandbar.cpp, xrefs: 00631334
      • %d FAIL: 0x%08x, xrefs: 00631325
      • TmCommandBar::InvokeMenu, xrefs: 0063132F
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentErrorExecuteLastShellThreadmemset
      • String ID: %d FAIL: 0x%08x$TmCommandBar::InvokeMenu$base\diagnosis\pdui\atm\main\commandbar.cpp
      • API String ID: 2625987911-379602119
      • Opcode ID: 7423ea7da40ba6d6057b714891ad14605c91830ea014c82b24062d632072a9ac
      • Instruction ID: 298edc471c5b15f5d690e9a404d1b06a829be6ab84b4083c8db03416eda25222
      • Opcode Fuzzy Hash: 7423ea7da40ba6d6057b714891ad14605c91830ea014c82b24062d632072a9ac
      • Instruction Fuzzy Hash: 7C21B232200249ABDF155FA6DC49AEA3F67EF96310F081119FD069A761CB31A950DBA0
      APIs
        • Part of subcall function 005FB660: ?GetValue@Element@DirectUI@@QAEPAVValue@2@PBUPropertyInfo@2@HPAUUpdateCache@2@@Z.DUI70(HD],00000002,00000000,?,?,005F900D), ref: 005FB66D
        • Part of subcall function 005FB660: ?GetBool@Value@DirectUI@@QAE_NXZ.DUI70(?,005F900D), ref: 005FB677
        • Part of subcall function 005FB660: ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,005F900D), ref: 005FB681
      • StrToID.DUI70(clipped,?,00000000,?,?,0063A0E8,?,-00000022,?,?,?,?,?,?,?,?), ref: 006692E6
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,0063A0E8,?,-00000022,?,?,?,?,?,?,?,?,?), ref: 006692F3
      • ?GetChildren@Element@DirectUI@@QAEPAV?$DynamicArray@PAVElement@DirectUI@@$0A@@2@PAPAVValue@2@@Z.DUI70(00000000,?,?,0063A0E8,?,-00000022,?,?,?,?,?,?,?,?,?), ref: 006692FF
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,0063A0E8,?,-00000022,?,?,?,?,?,?,?,?,?,?,005F83CC), ref: 00669353
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@Value@$Release@$A@@2@Array@Bool@Cache@2@@Children@Descendent@DynamicFindI@@$0Info@2@PropertyUpdateV12@Value@2@Value@2@@
      • String ID: clipped
      • API String ID: 224649954-2713559412
      • Opcode ID: 153699841c1ab2c90add02087f01cf1dea4bc5a1dfd5ef65428b38b1edaf2335
      • Instruction ID: d87ba39b0584fda41ddce14164221f06e61dea9a8db3effa38aced68729817c0
      • Opcode Fuzzy Hash: 153699841c1ab2c90add02087f01cf1dea4bc5a1dfd5ef65428b38b1edaf2335
      • Instruction Fuzzy Hash: 9611A332204209ABC728DF58D4A4DFE776FAB89310714126AEC16D73D0DB319D02DB60
      APIs
      • StrToID.DUI70(TmGroupHeaderName,00000000,00000000,00000000,?,005FB2A1,?,005FE3DC,00000000,?,00000000,?,005FE3DC,?,?), ref: 005FB2C7
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,005FB2A1,?,005FE3DC,00000000,?,00000000,?,005FE3DC,?,?,?,?,?,?), ref: 005FB2D3
      • ?SetBorderColor@Element@DirectUI@@QAEJK@Z.DUI70(?,005FB2A1,?,005FE3DC,00000000,?,00000000,?,005FE3DC,?,?,?,?,?,?,00000000), ref: 005FB32D
      • ?SetBorderThickness@Element@DirectUI@@QAEJHHHH@Z.DUI70(00000000,00000000,00000000,00000000,?,005FB2A1,?,005FE3DC,00000000,?,00000000,?,005FE3DC,?,?), ref: 005FB33C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Border$Color@Descendent@FindThickness@V12@
      • String ID: TmGroupHeaderName
      • API String ID: 592527499-219620824
      • Opcode ID: c23a70e75b5b430b8cd8a0ab93c72ad6dd5e8d45321d65a0bba9b85405862bda
      • Instruction ID: 9661746469e70ffb9adf919418ad732598203f1ae97c3e7e4075057829f59f10
      • Opcode Fuzzy Hash: c23a70e75b5b430b8cd8a0ab93c72ad6dd5e8d45321d65a0bba9b85405862bda
      • Instruction Fuzzy Hash: 15119E34200219FFEB108F15D884F7F7BAAFF58750F541618FA058B190DB68AD50DBA0
      APIs
        • Part of subcall function 00602EB3: LoadStringW.USER32(?,00688460,?,?), ref: 00602EE8
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?), ref: 0064B19C
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?), ref: 0064B1D2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread$LoadString
      • String ID: %d FAIL: 0x%08x$WdcLoadStringEx$base\diagnosis\pdui\atm\main\processcommon.cpp
      • API String ID: 655915839-439379373
      • Opcode ID: fb80d3f028e1c89a830521807e80f330691a048c3a232d147b7207dacb1db0db
      • Instruction ID: b51d74b7a130ca59d0e1099655ff50cbd4790892e74ec9ed2320a8d75d22e62c
      • Opcode Fuzzy Hash: fb80d3f028e1c89a830521807e80f330691a048c3a232d147b7207dacb1db0db
      • Instruction Fuzzy Hash: F1012131B40218AB97159A99CC51DBF7B9FEBC4710701016AFC04D7341DB70DE0087A0
      APIs
        • Part of subcall function 005E7E50: PathRemoveBlanksW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?,?,00000000,00000000), ref: 005E7F2D
        • Part of subcall function 005E7E50: SysFreeString.OLEAUT32(00000000), ref: 005E7F58
        • Part of subcall function 005E7E50: SysAllocString.OLEAUT32(?), ref: 005E7F68
        • Part of subcall function 005E7E50: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005E7F8E
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00609467
        • Part of subcall function 005FB8F2: _ftol2.MSVCRT ref: 005FB96F
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,005FF139), ref: 0063E80A
      Strings
      • %d FAIL: 0x%08x, xrefs: 0063E811
      • base\diagnosis\pdui\atm\main\diskview.cpp, xrefs: 0063E820
      • AtmDiskView::SetDiskStaticData, xrefs: 0063E81B
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: StringUnothrow_t@std@@@__ehfuncinfo$??2@$AllocBlanksCurrentFreePathRemoveThread_ftol2
      • String ID: %d FAIL: 0x%08x$AtmDiskView::SetDiskStaticData$base\diagnosis\pdui\atm\main\diskview.cpp
      • API String ID: 2345705802-1730816692
      • Opcode ID: adeccd10310293586fb188d111ab9468cbeda7c0cf2e9b8447a1721b433bfd9f
      • Instruction ID: 876bd5e864293b05fc200620409aab7bb50ad36ef9f52f0b66d81136181d5548
      • Opcode Fuzzy Hash: adeccd10310293586fb188d111ab9468cbeda7c0cf2e9b8447a1721b433bfd9f
      • Instruction Fuzzy Hash: FA11B271A00709BBD710AF99DC89FEABFB9FF44304F00416AF54452682D7B56951C7E1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,00000000,?,?,?,?,0062DC0E,?,?,00000000,?,?), ref: 0062C28E
      Strings
      • WdcApplicationsMonitor::_AddProcessTreeToAggregator, xrefs: 0062C2E9
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 0062C2EE
      • %d FAIL: 0x%08x, xrefs: 0062C295, 0062C2DF
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::_AddProcessTreeToAggregator$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 2882836952-3455656102
      • Opcode ID: 22e49d97eb913438243d8ccc2923b1effca4f102288769ff6cde8f763f3259e4
      • Instruction ID: b4417b181bd80c96699ecc15a67aea0c6333fe9ac9f3d4624688250040ef1d9f
      • Opcode Fuzzy Hash: 22e49d97eb913438243d8ccc2923b1effca4f102288769ff6cde8f763f3259e4
      • Instruction Fuzzy Hash: 4D01DBB2642A35FBC7105AD4EC45EEE7B1AEF54B30F500105FE046B241DE719E01DBA0
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,?,?,?,00608AC2,?,?), ref: 0062440E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,?,?,00608AC2,?,?), ref: 0062443D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmDashboard::LoadGpuSidebar$base\diagnosis\pdui\atm\main\dashboard.cpp
      • API String ID: 2882836952-1841594491
      • Opcode ID: 94031fd4dfbc686861e0ea7a1f3e54847e356ea5d63878a5ae470c306ee5375b
      • Instruction ID: 4eb27cdd2057542306766acc1c2a8374d2532a575d361b0f7e8623bf78698809
      • Opcode Fuzzy Hash: 94031fd4dfbc686861e0ea7a1f3e54847e356ea5d63878a5ae470c306ee5375b
      • Instruction Fuzzy Hash: 5301F9723406217FD3089B94EC46FA67B9DFF58710704012DF608C7A40DAA0B8018BE5
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,#0_,00000000,?,?,?,005F5669,#0_,?,?,?,?,?,?,?), ref: 0061245C
      Strings
      • WdcApplicationsMonitor::ResolveImagePublisher_Immersive, xrefs: 0061246D
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 00612472
      • %d FAIL: 0x%08x, xrefs: 00612463
      • #0_, xrefs: 00612438
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: #0_$%d FAIL: 0x%08x$WdcApplicationsMonitor::ResolveImagePublisher_Immersive$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 2882836952-329072242
      • Opcode ID: 97ed96cc8818f25d8d9383296ec6241f7aeacf754c314abc505d8e8106f59084
      • Instruction ID: baff326a69c0df4592f7567b3f784b8a63315b3480e3b7d41bcc13d810c7856b
      • Opcode Fuzzy Hash: 97ed96cc8818f25d8d9383296ec6241f7aeacf754c314abc505d8e8106f59084
      • Instruction Fuzzy Hash: CF01D2B6641212AFD3089A94D801E92BFE9FF54750F0A816EEA48CB241D770A941CBE0
      APIs
        • Part of subcall function 005DF0B3: memset.MSVCRT ref: 005DF115
        • Part of subcall function 005DF0B3: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?), ref: 005DF151
        • Part of subcall function 005DF0B3: SHGetSpecialFolderPathW.SHELL32(00000000,?,005D40E0,00000000,00000000,08000000,00000000,00000003,005EEDD6), ref: 005DF167
        • Part of subcall function 005DF0B3: FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 005DF1AD
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000003,00000000,00000003,005EEDD6), ref: 00633ED9
        • Part of subcall function 005DFAFE: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,?,00000000,-00000201,?,00000003,00000000,?), ref: 005DFBA6
        • Part of subcall function 005DFAFE: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,80000002,00000000,?,005DF47F,?,?,00000000,-00000201,?,00000003,00000000,?), ref: 005DFBD6
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000003,00000000,00000003,005EEDD6), ref: 00633EED
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CloseCurrentFindThread$FileFirstFolderOpenPathSpecialmemset
      • String ID: %d FAIL: 0x%08x$WdcStartupMonitor::_LoadStartupItems$base\diagnosis\pdui\atm\main\startup.cpp
      • API String ID: 2132097571-3476333950
      • Opcode ID: ad35971b86a60a137eacaa149dc874f30dc28124f5cff5905e0d9918123c0314
      • Instruction ID: bc25ec26086d1f76c32d78005bfeb0e1738d597b92c1e5d3f69e1d2fdbc498b8
      • Opcode Fuzzy Hash: ad35971b86a60a137eacaa149dc874f30dc28124f5cff5905e0d9918123c0314
      • Instruction Fuzzy Hash: BBF0D672B41272338635239D2C16ABF0C87AFC1B14F19122BFA47A6B92CF548C0153E2
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,00614004,?,?,?,?,?,0060D617), ref: 0061404C
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00614004,?,?,?,?,?,0060D617), ref: 00614053
      • ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,00614004,?,?,?,?,?,0060D617), ref: 00614061
      • ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmScrollViewer,00000000,00000000,00000000,?,00614004,?,?,?,?,?,0060D617), ref: 0061407C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Base@ClassDirectHeapInfo$AllocE__@@Info@2@Initialize@ProcessProperty
      • String ID: TmScrollViewer
      • API String ID: 2570828156-722894801
      • Opcode ID: e9b579ef806bae5d483517cb7f0c9d3ccd0e324d73d89afa575d85b7ff6da95e
      • Instruction ID: acfb7ee4e104b1591e786a63889d2c1d8da0db3de8057a3f38458e44d6461a12
      • Opcode Fuzzy Hash: e9b579ef806bae5d483517cb7f0c9d3ccd0e324d73d89afa575d85b7ff6da95e
      • Instruction Fuzzy Hash: 57F0C236240265BBC7211F569C58E5B7E6BE7C9B11B185018F6068B340CF7288428BA1
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,00614126,?,?,?,?,?,0060D5BD), ref: 0061416E
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00614126,?,?,?,?,?,0060D5BD), ref: 00614175
      • ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,00614126,?,?,?,?,?,0060D5BD), ref: 00614183
      • ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmColumnHeader,00000000,00000000,00000000,?,00614126,?,?,?,?,?,0060D5BD), ref: 0061419E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Base@ClassDirectHeapInfo$AllocE__@@Info@2@Initialize@ProcessProperty
      • String ID: TmColumnHeader
      • API String ID: 2570828156-461794429
      • Opcode ID: e102105abc264595376a1574bd18d18edfc49a3800147869881336fa12adf8a6
      • Instruction ID: 7899575b8942d5bcdc01c7ca376962c28028d0829852c75d0f91d6ee9ce8026e
      • Opcode Fuzzy Hash: e102105abc264595376a1574bd18d18edfc49a3800147869881336fa12adf8a6
      • Instruction Fuzzy Hash: E6F0CD362402A4BBC7211B969C5AEAB3EABEBC5B21B18501CF5028B340CF608841C7A2
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,00614248,?,?,?,?,?,0060D5CF), ref: 00614290
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00614248,?,?,?,?,?,0060D5CF), ref: 00614297
      • ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,00614248,?,?,?,?,?,0060D5CF), ref: 006142A5
      • ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmGroupHeader,00000000,00000000,00000000,?,00614248,?,?,?,?,?,0060D5CF), ref: 006142C0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Base@ClassDirectHeapInfo$AllocE__@@Info@2@Initialize@ProcessProperty
      • String ID: TmGroupHeader
      • API String ID: 2570828156-778773172
      • Opcode ID: 641cf20930a6bd6988711d5993fde96a42e4638cf5721608dbc1bcff3f03414a
      • Instruction ID: a860d7d53b9c7213ccd61bc6b3be3287a7fdd7838bc110b17f64eac2a95d5eb9
      • Opcode Fuzzy Hash: 641cf20930a6bd6988711d5993fde96a42e4638cf5721608dbc1bcff3f03414a
      • Instruction Fuzzy Hash: 25F0CD36200268ABC7311B96AC5CE9B3EABEBC5B20F181019F5068B240CF70884287A2
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,0061436A,?,?,?,?,?,0060D629), ref: 006143B2
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0061436A,?,?,?,?,?,0060D629), ref: 006143B9
      • ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,0061436A,?,?,?,?,?,0060D629), ref: 006143C7
      • ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmColHeaderItem,00000000,00000000,00000000,?,0061436A,?,?,?,?,?,0060D629), ref: 006143E2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Base@ClassDirectHeapInfo$AllocE__@@Info@2@Initialize@ProcessProperty
      • String ID: TmColHeaderItem
      • API String ID: 2570828156-1429816369
      • Opcode ID: 1f2ce0ef26c30354c1864d801b5edbb129428405896e16e8b9185d8493da9d70
      • Instruction ID: cec56c47043ccbe54db0241fddd2afd5b3a17046b7e7f35d9d13bba15a213d53
      • Opcode Fuzzy Hash: 1f2ce0ef26c30354c1864d801b5edbb129428405896e16e8b9185d8493da9d70
      • Instruction Fuzzy Hash: 92F0F076240264BBC7251B56AC4CFAF3EABFBC5B21B181018F6028B240CF718802C7A2
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008,00000000,00000000,00000000,?,0061448C,?,?,?,?,?,0060D63B), ref: 006144D4
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0061448C,?,?,?,?,?,0060D63B), ref: 006144DB
      • ??0ClassInfoBase@DirectUI@@QAE@XZ.DUI70(?,0061448C,?,?,?,?,?,0060D63B), ref: 006144E9
      • ?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z.DUI70(005C0000,TmRowTextElement,00000000,00000000,00000000,?,0061448C,?,?,?,?,?,0060D63B), ref: 00614504
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Base@ClassDirectHeapInfo$AllocE__@@Info@2@Initialize@ProcessProperty
      • String ID: TmRowTextElement
      • API String ID: 2570828156-2123282327
      • Opcode ID: 6fcc7484c93885ceda5f32deef5b53d68a55ec4763acb8af00b21ec058d0221b
      • Instruction ID: fbfae4d1416230d24597087aef59edfd23df89bb833e225547ea8b53c404a283
      • Opcode Fuzzy Hash: 6fcc7484c93885ceda5f32deef5b53d68a55ec4763acb8af00b21ec058d0221b
      • Instruction Fuzzy Hash: 52F06236240265ABC7311F66AC58E5F7E6BF7C5B11B195119F6069B240CF71C84187A1
      APIs
        • Part of subcall function 00645DE3: memset.MSVCRT ref: 00645DFC
        • Part of subcall function 00645DE3: SendMessageW.USER32(00000000), ref: 00645E25
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?), ref: 0064624B
      • _ftol2.MSVCRT ref: 00646279
      Strings
      • WdcListView::GetSelectedProcessUAC, xrefs: 0064625C
      • base\diagnosis\pdui\atm\main\listview.cpp, xrefs: 00646261
      • %d FAIL: 0x%08x, xrefs: 00646252
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentMessageSendThread_ftol2memset
      • String ID: %d FAIL: 0x%08x$WdcListView::GetSelectedProcessUAC$base\diagnosis\pdui\atm\main\listview.cpp
      • API String ID: 1813792661-3111699613
      • Opcode ID: 66568c28112df2a7a3a3b83895309babc03725f99b3fe1f01a5dbd9c3fe405ce
      • Instruction ID: 3cf7c9bd24c1b1098f650a9ee57ffc11e813ddc0120938fafcfa1556c84deb5e
      • Opcode Fuzzy Hash: 66568c28112df2a7a3a3b83895309babc03725f99b3fe1f01a5dbd9c3fe405ce
      • Instruction Fuzzy Hash: A5F028B2A00215BBC3109BC9CC09E9A7BADEF51310F1501A6F904E7251C7B09E41C7E5
      APIs
      • GetThemeColor.UXTHEME(00604103,?,00000000,00000EDA,009ADEA4,00000000,00000000,?,00604103), ref: 006041CA
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00604103), ref: 0063DA37
      Strings
      • WdcChart::_GetScaleReferenceLineColor, xrefs: 0063DA48
      • base\diagnosis\pdui\atm\main\chart.cpp, xrefs: 0063DA4D
      • %d FAIL: 0x%08x, xrefs: 0063DA3E
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: ColorCurrentThemeThread
      • String ID: %d FAIL: 0x%08x$WdcChart::_GetScaleReferenceLineColor$base\diagnosis\pdui\atm\main\chart.cpp
      • API String ID: 1889534078-3661471658
      • Opcode ID: 51b3a9b6b4bc21ec94099a939531b9822de4c2b33a703e522e9cdcd704bd68d1
      • Instruction ID: 95182016d4e0293ee32a068166c85701e0791c8bb1aba3423deed30bb93a3308
      • Opcode Fuzzy Hash: 51b3a9b6b4bc21ec94099a939531b9822de4c2b33a703e522e9cdcd704bd68d1
      • Instruction Fuzzy Hash: 61F0FC72640304BFD7249B94CD0BE9B7AA9FB18300F04416AF606D6050D7B0AE519751
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00663289
      Strings
      • 2, xrefs: 006632AE
      • %d FAIL: 0x%08x, xrefs: 00663290
      • TmScrollViewerTablePatternProxy::DoMethod, xrefs: 0066329A
      • base\diagnosis\pdui\atm\main\atmacc.cpp, xrefs: 0066329F
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$2$TmScrollViewerTablePatternProxy::DoMethod$base\diagnosis\pdui\atm\main\atmacc.cpp
      • API String ID: 2882836952-1682666188
      • Opcode ID: 30fa2bcd058d7281ca0495dd0e3c615c15058fd9564c30844faec9d9fc59604b
      • Instruction ID: 07670411afa0df4647c516892ee3a89354cde1ca571fbd3a640ceede3fab65d4
      • Opcode Fuzzy Hash: 30fa2bcd058d7281ca0495dd0e3c615c15058fd9564c30844faec9d9fc59604b
      • Instruction Fuzzy Hash: 98F05932A40234FB4710D6C8CC52C997B5BEF46310715829AFC089B300DB709F0287D5
      APIs
      • StrToID.DUI70(ResizerImage,?,?,005FB818,?), ref: 00661230
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,005FB818,?), ref: 0066123C
      • ?SetClass@Element@DirectUI@@QAEJPBG@Z.DUI70(Function_0000B754,?,?,005FB818,?), ref: 0066125F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Class@Descendent@FindV12@
      • String ID: NoBorderColor$ResizerImage
      • API String ID: 3343749721-3005979734
      • Opcode ID: 396610dbdb7f1680603a0a6537b87764f2281ed23cbd73d7266bc5bc77611eac
      • Instruction ID: 2bd11ee7c66102201ddfd40a07b02da52839a80bd9c92378fc898121d8ff9d09
      • Opcode Fuzzy Hash: 396610dbdb7f1680603a0a6537b87764f2281ed23cbd73d7266bc5bc77611eac
      • Instruction Fuzzy Hash: D0E09271900354ABD7205BA5940CBA77FDEF799721F04551AF5AAC7240CB749844E7A0
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000014,00000000,00662442,?,?,?,?,?,00661D40), ref: 006612B5
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00661D40), ref: 006612BC
      • ??0RefcountBase@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,?,00661D40), ref: 006612CB
      • ??0IProvider@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,00661D40), ref: 006612D4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectHeap$AllocBase@ProcessProvider@Refcount
      • String ID: P:f
      • API String ID: 940640848-310767030
      • Opcode ID: b8117e4963912e3fbedba4af3b990d77886e7110cbe14c3db296e27102ffbb5f
      • Instruction ID: 780bf37db01f5ef48af918fc1e1a65e20b645e0c172f119a6d3a531670ad523e
      • Opcode Fuzzy Hash: b8117e4963912e3fbedba4af3b990d77886e7110cbe14c3db296e27102ffbb5f
      • Instruction Fuzzy Hash: F3E0923220060AFFC3109F69E85CB55BFB6FBC5311F049308E1169A664CBB08555CB90
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000014,00000000,006624D4,?,?,?,?,?,00661E00), ref: 00661347
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00661E00), ref: 0066134E
      • ??0RefcountBase@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,?,00661E00), ref: 0066135D
      • ??0IProvider@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,00661E00), ref: 00661366
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectHeap$AllocBase@ProcessProvider@Refcount
      • String ID: pa
      • API String ID: 940640848-4055612580
      • Opcode ID: d8402b8d33babfd7df0ec626f20f70398e87af8868cd11f5b86e954d99dab982
      • Instruction ID: 565a2ea681b6a3313940a9634403b5ed3f1cde97b4456129f8574fd31d388040
      • Opcode Fuzzy Hash: d8402b8d33babfd7df0ec626f20f70398e87af8868cd11f5b86e954d99dab982
      • Instruction Fuzzy Hash: 55E0923620064AFFC3109F69E85CB55BBB6FBC4315F049308E1169A660CBB48455CB90
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000014,00000000,0066251D,?,?,?,?,?,00661E70), ref: 00661390
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00661E70), ref: 00661397
      • ??0RefcountBase@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,?,00661E70), ref: 006613A6
      • ??0IProvider@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,00661E70), ref: 006613AF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectHeap$AllocBase@ProcessProvider@Refcount
      • String ID: :f
      • API String ID: 940640848-1699319432
      • Opcode ID: 1adf6c3da12f9c563bbc4614dcf7f617407bd6cbbb4c8fde4dd13dd1821e57d7
      • Instruction ID: d1d0723448defe70318bdff59f2bd4edc2ecdedadc669c32c05df463a03652bd
      • Opcode Fuzzy Hash: 1adf6c3da12f9c563bbc4614dcf7f617407bd6cbbb4c8fde4dd13dd1821e57d7
      • Instruction Fuzzy Hash: DFE0923220064AFBC3109F69E85CB55BFB6FBC4311F04A208E1169B650CBB48555CB90
      APIs
      • TryEnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000001,00000000,?,?,?,?,00000000,?), ref: 005F031D
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00000000,?), ref: 005F03E8
      • memcpy.MSVCRT(000000E8,000000E8,00000000,?,?,?,00000000,?), ref: 005F04A8
      • memcpy.MSVCRT(000002C8,000002C8,00000000,?,?,?,00000000,?), ref: 006389B1
      • memcpy.MSVCRT(000004A8,000004A8,00000000,?,?,?,00000000,?), ref: 006389F4
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: memcpy$CriticalSection$EnterLeave
      • String ID:
      • API String ID: 3738969554-0
      • Opcode ID: f47ba185e766e137a0dd1e676fbe7baf8733634043457952cd35098922dfbd20
      • Instruction ID: eab5f97df776a7cf7224e46dfc2bf23a72b8f6b05198f07a1a9541ab705658a7
      • Opcode Fuzzy Hash: f47ba185e766e137a0dd1e676fbe7baf8733634043457952cd35098922dfbd20
      • Instruction Fuzzy Hash: E981D77060160ADBDF249A24D8847FE3BA6FF44310F289D69E64AC72D2DF39E951C750
      APIs
        • Part of subcall function 0066A954: CoCreateInstance.COMBASE(005CCCC8,00000000,00000004,005DC44C,?), ref: 0066A977
        • Part of subcall function 0066A954: IUnknown_QueryService.SHLWAPI(?,005D8248,005DC43C,?), ref: 0066A9D3
      • SysAllocString.OLEAUT32(?), ref: 0066C058
      • VariantInit.OLEAUT32(?), ref: 0066C07C
      • SysAllocString.OLEAUT32(?), ref: 0066C083
      • VariantClear.OLEAUT32(?), ref: 0066C0F5
      • SysFreeString.OLEAUT32(0066B3B6), ref: 0066C101
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: String$AllocVariant$ClearCreateFreeInitInstanceQueryServiceUnknown_
      • String ID:
      • API String ID: 400273952-0
      • Opcode ID: 352cbcc17f3286b5d6d87ebbbea1bca2c506d9c2df58d6bceea5b06af9ebc174
      • Instruction ID: 7250c1234f721c781a9a2def4b4f2c5fda06a6ea4658370369e8a10034ab0fda
      • Opcode Fuzzy Hash: 352cbcc17f3286b5d6d87ebbbea1bca2c506d9c2df58d6bceea5b06af9ebc174
      • Instruction Fuzzy Hash: F731C037D00908AFCB01EFB8D8044AEB77BEF89320B154255ED15EB211DF72AD468B95
      APIs
      • GetWindowLongW.USER32(?,000000EB), ref: 0065E3F0
      • SetWindowLongW.USER32(?,000000EB,?), ref: 0065E461
      • GetDlgItem.USER32(?,0000876A), ref: 0065E473
        • Part of subcall function 0065E72A: LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000100,?,?,00000000), ref: 0065E745
      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000002), ref: 0065E4D6
      • SetWindowLongW.USER32(?,00000000,00000000), ref: 0065E4E8
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Window$Long$AllocItemLocal
      • String ID:
      • API String ID: 3255403141-0
      • Opcode ID: 66dd47bf724984a43b7851463d1a60c9bed18ebe514ef34dae1a3fb1caf2ff38
      • Instruction ID: 05b2b6f5f1fff7541a0bb81b409b5592cc1edade244d268fc96baa27ff09eb05
      • Opcode Fuzzy Hash: 66dd47bf724984a43b7851463d1a60c9bed18ebe514ef34dae1a3fb1caf2ff38
      • Instruction Fuzzy Hash: 0F21FB713002166BDF389F789C89BBA27DBEB44712F144229FA05D62D1D6659D44C351
      APIs
      • StrToID.DUI70(?,?,00000000,00000000,?,005FB4A4,?,?,00000000,?,?,?,?,?,?,?), ref: 005FB4D6
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,005FB4A4,?,?,00000000,?,?,?,?,?,?,?,?), ref: 005FB4E2
      • ?SetBorderThickness@Element@DirectUI@@QAEJHHHH@Z.DUI70(00000000,00000000,00000001,00000000,?,005FB4A4,?), ref: 005FB54E
      • ?SetBorderThickness@Element@DirectUI@@QAEJHHHH@Z.DUI70(00000000,00000000,00000000,00000000,?,005FB4A4,?), ref: 005FB583
      • ?GetParent@Element@DirectUI@@QAEPAV12@XZ.DUI70(?,005FB4A4,?), ref: 005FB58D
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$BorderThickness@V12@$Descendent@FindParent@
      • String ID:
      • API String ID: 1212065540-0
      • Opcode ID: 6ccee250e80406115822f25fc4d2bbbb56fc27eb3b58bbf40aee3db2316f5e92
      • Instruction ID: d4a9925fd663ca13514b6aafa6199301edbc02b7a928182061e9315a73a022a3
      • Opcode Fuzzy Hash: 6ccee250e80406115822f25fc4d2bbbb56fc27eb3b58bbf40aee3db2316f5e92
      • Instruction Fuzzy Hash: D421B33130021EFBEB158E14EC94BBA3F6AFF94720F241114FA059B291E779D951DBA0
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 005E51CE
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalEnterSection
      • String ID:
      • API String ID: 1904992153-0
      • Opcode ID: 40d1d2d33b860f728607f28bffec679d3b3852827c21733819e5e5355ca91dcf
      • Instruction ID: 202e60988243d6160098f55133bc5c8cd0eaac55f07574b122c6ce0c782e8e66
      • Opcode Fuzzy Hash: 40d1d2d33b860f728607f28bffec679d3b3852827c21733819e5e5355ca91dcf
      • Instruction Fuzzy Hash: 4E21BF75A00205EFCB18CF69D888BA9BBB6FF44319F1591ACE84ADB351D7309D41CB90
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,005DFF3D,?,?,?,?,005E009B,?,?,006343E2,005DFF5D,?,?,?,005DFF3D), ref: 005E00C3
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,005E009B,?,?,006343E2,005DFF5D,?,?,?,005DFF3D,?,00000000,?,?,005DFF3D), ref: 005E00CA
      • memcpy_s.MSVCRT ref: 005E00E3
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Heap$AllocProcessmemcpy_s
      • String ID:
      • API String ID: 52538628-0
      • Opcode ID: cceb7efed96c1e92efddd6746d9c44ed9a1c744711d86debf642dfb0898cbe96
      • Instruction ID: 69bb15c9cc5548547d6f2318d24da0656777835abfb3f9418d3e4580c6a5140e
      • Opcode Fuzzy Hash: cceb7efed96c1e92efddd6746d9c44ed9a1c744711d86debf642dfb0898cbe96
      • Instruction Fuzzy Hash: AE11A372500245AFD728CF6ACC88D27BBE9FF44310B14592EE996C7250E770E840CB60
      APIs
      • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00618052
      • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00618061
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0061806A
      • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00618073
      • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00618088
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: a742c16837ba7d15f197dabbcb46db12259b924a4c34d0f58daa8daa06ac8b08
      • Instruction ID: 38a91b460d83f7fed0cf6f17d0adfb4481c0f2114258abb48d4bf582e3d56033
      • Opcode Fuzzy Hash: a742c16837ba7d15f197dabbcb46db12259b924a4c34d0f58daa8daa06ac8b08
      • Instruction Fuzzy Hash: 72111871D01209EFCB24DBB8D9486DEB7F6FF4C311F655966E801E7210EB309A449B40
      APIs
      • ?CreateGraphic@Value@DirectUI@@SGPAV12@PAUHICON__@@_N11@Z.DUI70(00000000,00000000,00000000,00000000,?), ref: 005FC057
      • ?SetValue@Element@DirectUI@@QAEJP6GPBUPropertyInfo@2@XZHPAVValue@2@@Z.DUI70(00000001,00000000), ref: 005FC072
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70 ref: 005FC07C
      • DuplicateIcon.SHELL32(00000000,?), ref: 0063AA35
      • DestroyIcon.USER32(00000000), ref: 0063AA50
      Similarity
      • API ID: DirectValue@$Icon$CreateDestroyDuplicateElement@Graphic@Info@2@N11@N__@@_PropertyRelease@V12@Value@2@@
      • String ID:
      • API String ID: 2149323922-0
      • Opcode ID: 646a430b18e4bacd8e4c25b2c4509f6bf9f4435b498b544fb6a45c5e174af9d8
      • Instruction ID: 103aa77e4332f11f46263255fed70588e06e766344975c640c7c112f3b66f17e
      • Opcode Fuzzy Hash: 646a430b18e4bacd8e4c25b2c4509f6bf9f4435b498b544fb6a45c5e174af9d8
      • Instruction Fuzzy Hash: E4F0FF32200629BBD72107646C08ABB7E9EEB85664B182226FD09E3320DE698C4083D0
      APIs
      • SysFreeString.OLEAUT32(?), ref: 0061D2AD
      • SysFreeString.OLEAUT32(?), ref: 0061D2BC
      • SysFreeString.OLEAUT32(?), ref: 0061D2CC
      • SysFreeString.OLEAUT32(?), ref: 0061D2DD
      • SysFreeString.OLEAUT32(?), ref: 0061D2EE
      Similarity
      • API ID: FreeString
      • String ID:
      • API String ID: 3341692771-0
      • Opcode ID: 3cd72d314bb0082ae993de221ed786c9bb9a319b3a8f6f5c4033771b7611e8d9
      • Instruction ID: 96e8ee25d0dfdad9d3cb8deec18c529551204097ba5121dd3f58bf96381e274a
      • Opcode Fuzzy Hash: 3cd72d314bb0082ae993de221ed786c9bb9a319b3a8f6f5c4033771b7611e8d9
      • Instruction Fuzzy Hash: 47F0E774801B00EFC7324F15DC084A2BBF2FF807623289A2EE5E642A24E771A9C1DF50
      Strings
      Similarity
      • API ID:
      • String ID: xjh
      • API String ID: 0-2044234429
      • Opcode ID: b06073e084a9b9a75759754c76b4545d6e8bfaf8a92bedb3cb12dc8d6e9332d2
      • Instruction ID: a79a0a9926e8dd97cf294b20685775c5b41129616c06378d3ca42a49deb58d27
      • Opcode Fuzzy Hash: b06073e084a9b9a75759754c76b4545d6e8bfaf8a92bedb3cb12dc8d6e9332d2
      • Instruction Fuzzy Hash: 3F811B71A00169DFDB24CF55C894BE9BBB6FB48310F1580EAD90AAB355DB30AD85CF60
      APIs
      • ?OnEvent@Element@DirectUI@@UAEXPAUEvent@2@@Z.DUI70(?), ref: 0066750F
        • Part of subcall function 0066A190: ?StartDefer@Element@DirectUI@@QAEXPAK@Z.DUI70(?,?,?,?), ref: 0066A21B
        • Part of subcall function 0066A190: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 0066A2A7
        • Part of subcall function 0066A190: ?EndDefer@Element@DirectUI@@QAEXK@Z.DUI70(?,?,?,?,?,?,?), ref: 0066A2D8
      Strings
      Similarity
      • API ID: DirectElement@$Defer@$CurrentEvent@Event@2@@StartThread
      • String ID: ViewExpandoButtonImage
      • API String ID: 4052342737-3949667097
      • Opcode ID: 9db426500788f45744b3ed3b2f58d27c972dd0319dc0baeb1875248382897994
      • Instruction ID: 732e770d2f248b87c4211264d99f249f13514c3b114191452e884b9af4ae5655
      • Opcode Fuzzy Hash: 9db426500788f45744b3ed3b2f58d27c972dd0319dc0baeb1875248382897994
      • Instruction Fuzzy Hash: 70410031A08215ABCF21DB65D9889ADBBF7FF85318F14456AE406A3310DF30AE91CBD1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,005EB034), ref: 006379F8
        • Part of subcall function 005F81B0: UpdateWindow.USER32(00000000), ref: 005F81F1
        • Part of subcall function 005F81B0: AllocateAndInitializeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 005F8262
        • Part of subcall function 005F81B0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000), ref: 005F826C
        • Part of subcall function 005F81B0: CheckTokenMembership.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,00000000,00000000,?,00000000), ref: 005F828D
        • Part of subcall function 005F81B0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000), ref: 005F8297
        • Part of subcall function 005F81B0: FreeSid.API-MS-WIN-SECURITY-BASE-L1-1-0(00000000,?,00000000), ref: 005F82C1
        • Part of subcall function 005EA843: StrToID.DUI70(TmEmptyList), ref: 005EA869
        • Part of subcall function 005EA843: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?), ref: 005EA875
        • Part of subcall function 005EA843: ?GetLayoutPos@Element@DirectUI@@QAEHXZ.DUI70 ref: 005EA894
        • Part of subcall function 005EA843: ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(?,00000064), ref: 005EA8EA
        • Part of subcall function 005EA843: ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000001), ref: 005EA8F8
        • Part of subcall function 005EA843: ?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z.DUI70 ref: 005EA923
      Strings
      • WdcApplicationsMonitor::_UpdateView, xrefs: 00637A09
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 00637A0E
      • %d FAIL: 0x%08x, xrefs: 006379FF
      Similarity
      • API ID: DirectElement@$ErrorLastLayoutPos@$AllocateCheckContentCurrentDescendent@ElementFindFreeInitializeListener@Listener@2@@MembershipString@ThreadTokenUpdateV12@Window
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::_UpdateView$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 4242206059-1770702459
      • Opcode ID: d20cee845e933cd399b734b522b3d9d4d5ae0cfa287bb7e374c913fd7d13d56a
      • Instruction ID: 42fb56df4e3844a3f3c9302fd0ca98a19eeb875a356d9602d89de5f26fdff537
      • Opcode Fuzzy Hash: d20cee845e933cd399b734b522b3d9d4d5ae0cfa287bb7e374c913fd7d13d56a
      • Instruction Fuzzy Hash: F021577A3485844B9629A77E485D8BF6EC7BFD0311B19012CE1DAC7381DE61BD0197D2
      APIs
      • StrToID.DUI70(chartInfo,?,00000000,?,?,?,00640D8E,?,00607044,?,?,?), ref: 0065E366
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00640D8E,?,00607044,?,?,?), ref: 0065E373
      Strings
      Similarity
      • API ID: Descendent@DirectElement@FindV12@
      • String ID: base\diagnosis\pdui\atm\main\networkview.cpp$chartInfo
      • API String ID: 894778106-2251470286
      • Opcode ID: 4340281c461fa07c5c51f0b57ff2451699c57d4a4eae67f11bf69b68f05866ab
      • Instruction ID: 19e002088184d4f5e93edc903c85405cdcba690aad553ea01fd52795ae3577a4
      • Opcode Fuzzy Hash: 4340281c461fa07c5c51f0b57ff2451699c57d4a4eae67f11bf69b68f05866ab
      • Instruction Fuzzy Hash: 4821C031700709AFDB28DA55C884EAB73EFEB84341F20442DFD1A87340EA71AE059660
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?), ref: 005E20C3
      • DestroyWindow.USER32(?,?,?,?), ref: 005E2121
      Strings
      • AppHistoryMessageWindow, xrefs: 005E212E
      Similarity
      • API ID: CriticalDestroyEnterSectionWindow
      • String ID: AppHistoryMessageWindow
      • API String ID: 1574564669-517515421
      • Opcode ID: 31ad749bc27cbe779324e0b3429e5e0578edc816e2a2d5582ef2a76167c927f2
      • Instruction ID: e295d0090c16918e43e9a43d9cc621ac7dc336911bd93285eafc6b7a0d781dce
      • Opcode Fuzzy Hash: 31ad749bc27cbe779324e0b3429e5e0578edc816e2a2d5582ef2a76167c927f2
      • Instruction Fuzzy Hash: A921B3716053499FCB2CDFA5D888AAABBEEFF84301F04092DE45787241DB30AE44CB55
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 0062E417
        • Part of subcall function 0062F225: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000210,?,?,?,?,006488C1,00009174), ref: 0062F238
        • Part of subcall function 0062F225: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,006488C1,00009174), ref: 0062F23F
        • Part of subcall function 0062F225: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,006488C1,00009174), ref: 0062F251
      Strings
      • WdcAppServiceMonitor::AtmOnProcessCommand, xrefs: 0062E428
      • %d FAIL: 0x%08x, xrefs: 0062E41E
      • base\diagnosis\pdui\atm\main\serviceinfo.cpp, xrefs: 0062E42D
      Similarity
      • API ID: CurrentHeapThread$AllocProcess
      • String ID: %d FAIL: 0x%08x$WdcAppServiceMonitor::AtmOnProcessCommand$base\diagnosis\pdui\atm\main\serviceinfo.cpp
      • API String ID: 831837137-399871419
      • Opcode ID: f65929662b6ebc864766c3aa78ee46a87053bb3f9b835c128f7087d3a84c70be
      • Instruction ID: 251c93a97cec50c622cafd4b9f78b361f075723263a39d5c659e645e9a84e47a
      • Opcode Fuzzy Hash: f65929662b6ebc864766c3aa78ee46a87053bb3f9b835c128f7087d3a84c70be
      • Instruction Fuzzy Hash: DC212B32A41937A7DF26AE58DC559FA7796EF40710FA4813AF904CB251D726EC02ABC0
      APIs
      • memset.MSVCRT ref: 006040B3
      • SendMessageW.USER32(?,00000407,00000007,00000004), ref: 006040E0
      • GetThemeColor.UXTHEME(?,?,00000000,00000EDB,?,?,00000403,00000000,00000000), ref: 0060413F
      Strings
      Similarity
      • API ID: ColorMessageSendThemememset
      • String ID: ppp
      • API String ID: 1207639762-3565861256
      • Opcode ID: 902ca964e9d05594d188c760dac250429c5dcbde904581938100ee14490e8bd6
      • Instruction ID: 5be39d1e3a994a6e37ac6531572bb01a0d891546578554ea0f42efbb63ee6c64
      • Opcode Fuzzy Hash: 902ca964e9d05594d188c760dac250429c5dcbde904581938100ee14490e8bd6
      • Instruction Fuzzy Hash: 92214F71940318AFDB20DFA0CC45BEEBBF9FB48701F20062DE605AB281DB756545CB54
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00657283
      Strings
      • WdcSelectableList::TotalIndexToSelectedIndex, xrefs: 00657291
      • %d FAIL: 0x%08x, xrefs: 0065728A
      • base\diagnosis\pdui\atm\main\selist.cpp, xrefs: 00657296
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcSelectableList::TotalIndexToSelectedIndex$base\diagnosis\pdui\atm\main\selist.cpp
      • API String ID: 2882836952-259833619
      • Opcode ID: 40ac2fd7d52f58229ad39651fc38714ae1c5e12144749eaba3d876a62851dda5
      • Instruction ID: 3fb69ea55fb87846a03b908eaf6783bd9ca30b0b791961d71f3d3f85386adc42
      • Opcode Fuzzy Hash: 40ac2fd7d52f58229ad39651fc38714ae1c5e12144749eaba3d876a62851dda5
      • Instruction Fuzzy Hash: 4211A332A04215AF8B10DF99E845C9EBBAAFF88751F110156FD01A7310DAB0AF019B90
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 00663069
      Strings
      • TmScrollViewerGridPatternProxy::DoMethod, xrefs: 0066307A
      • %d FAIL: 0x%08x, xrefs: 00663070
      • base\diagnosis\pdui\atm\main\atmacc.cpp, xrefs: 0066307F
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$TmScrollViewerGridPatternProxy::DoMethod$base\diagnosis\pdui\atm\main\atmacc.cpp
      • API String ID: 2882836952-2421558185
      • Opcode ID: f7ee6ba29db42fa384cd6082b468b3ae4b6fbbb9ebbc3666aea3a72446b8c27c
      • Instruction ID: 434df24f31d5cbc1c8559bf38fc824ac91494bcd6b9e7f3ccef9125918145e4c
      • Opcode Fuzzy Hash: f7ee6ba29db42fa384cd6082b468b3ae4b6fbbb9ebbc3666aea3a72446b8c27c
      • Instruction Fuzzy Hash: 30118F3AA00164EFC710DFA8D945CA97BA6EB49310B198199FC099B311CA72EE05DB95
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 006570AC
      Strings
      • %d FAIL: 0x%08x, xrefs: 006570B3
      • WdcSelectableList::SelectedIndexToTotalIndex, xrefs: 006570BA
      • base\diagnosis\pdui\atm\main\selist.cpp, xrefs: 006570BF
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcSelectableList::SelectedIndexToTotalIndex$base\diagnosis\pdui\atm\main\selist.cpp
      • API String ID: 2882836952-231330905
      • Opcode ID: 7bb36e23ad7cbde99ce0323c72adba4cf4054eaa2581471d5e5b3699fafcbc7a
      • Instruction ID: 6ab897115a0fd77cae70aaf7f9d34080013fe96eebaf821126d8fed285e6e579
      • Opcode Fuzzy Hash: 7bb36e23ad7cbde99ce0323c72adba4cf4054eaa2581471d5e5b3699fafcbc7a
      • Instruction Fuzzy Hash: 8E11A072A04614AF8710DB99E844C9EFBEAEB98761F110166ED05D7350C6B09E008BA0
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,?,?,00000000,00000000,?,?,-00000008,006198E7,-00000024,?,?,?,?,?,00000000), ref: 00626263
      Strings
      • AtmGpuView::GetEngineNames, xrefs: 00626274
      • %d FAIL: 0x%08x, xrefs: 0062626A
      • base\diagnosis\pdui\atm\main\gpuview.cpp, xrefs: 00626279
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmGpuView::GetEngineNames$base\diagnosis\pdui\atm\main\gpuview.cpp
      • API String ID: 2882836952-3581755640
      • Opcode ID: 83bf7a0286dc0a045bcca586c5b1a7f005eba23698955a9a22960ad3c57b5cf9
      • Instruction ID: 4cbdcdc7b78d690aa4ed9aa225413fe2cc60a12751deaaa06a4ba1e28291ffab
      • Opcode Fuzzy Hash: 83bf7a0286dc0a045bcca586c5b1a7f005eba23698955a9a22960ad3c57b5cf9
      • Instruction Fuzzy Hash: 6111E371601114EBC718DB4DDC81EAA37AAFB85710F24027EF909DB391DE715D01CBA0
      APIs
      • StrToID.DUI70(?,?,00000000,?,?,?,00667A74,?,?,?), ref: 006611A4
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00667A74,?,?,?), ref: 006611B0
      • ?SetBackgroundColor@Element@DirectUI@@QAEJK@Z.DUI70(00000000,?,?,?,00667A74,?,?,?), ref: 006611E0
      Strings
      Similarity
      • API ID: DirectElement@$BackgroundColor@Descendent@FindV12@
      • String ID: yf
      • API String ID: 1565891855-3189609038
      • Opcode ID: 6b64ba685dab1fb24a9a72105b3bdc7362934d581bd70b85b28f8a64a1cb2be0
      • Instruction ID: 8dba4eaea76a75bb9e1595128ae70f80c73364dd7299b1ee60bf02b96ffa693d
      • Opcode Fuzzy Hash: 6b64ba685dab1fb24a9a72105b3bdc7362934d581bd70b85b28f8a64a1cb2be0
      • Instruction Fuzzy Hash: 9501B13550020DEFCB159F91DC59ABFBBAAFB89350F14492DFA5587210CB309E60DB90
      APIs
        • Part of subcall function 005FAEE3: StrTrimW.SHLWAPI(?,005CB93C,CompanyName,?,00000000,00000000,?,00000000), ref: 005FAF41
        • Part of subcall function 005FAEE3: PathRemoveBlanksW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?), ref: 005FAF4E
        • Part of subcall function 005FAEE3: SysAllocString.OLEAUT32(?), ref: 005FAF63
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,?,?,?,006173A0,?,?,?,?,0062DF06,?,?,00000000,00000000), ref: 0066440F
      Strings
      • base\diagnosis\pdui\atm\main\applications.cpp, xrefs: 00664425
      • %d FAIL: 0x%08x, xrefs: 00664416
      • WdcApplicationsMonitor::ResolveImagePublisher_Desktop, xrefs: 00664420
      Similarity
      • API ID: AllocBlanksCurrentPathRemoveStringThreadTrim
      • String ID: %d FAIL: 0x%08x$WdcApplicationsMonitor::ResolveImagePublisher_Desktop$base\diagnosis\pdui\atm\main\applications.cpp
      • API String ID: 2916109227-2449323022
      • Opcode ID: 38c62b05a67f386680581890112e21c538dd48cf01d30ddeb84f86f0737172d0
      • Instruction ID: b5f3a9ea65267385ad315dcb00e4ca7ee3cb31ab046771ca8f9733afc2946fc0
      • Opcode Fuzzy Hash: 38c62b05a67f386680581890112e21c538dd48cf01d30ddeb84f86f0737172d0
      • Instruction Fuzzy Hash: 2A019E766003019FC719CF98D841FA27BE9FF88714F15816AE619CB601DB70A840CBA0
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0063A8B0
      Strings
      • AtmView::UpdateContentionOnGroupHeaders, xrefs: 0063A8C1
      • %d FAIL: 0x%08x, xrefs: 0063A8B7
      • base\diagnosis\pdui\atm\main\view.cpp, xrefs: 0063A8C6
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmView::UpdateContentionOnGroupHeaders$base\diagnosis\pdui\atm\main\view.cpp
      • API String ID: 2882836952-3626915869
      • Opcode ID: 82f9e37b89e0e7569b0dd1cced166035ae5c63543837c19356cba67a75db7e04
      • Instruction ID: 9e72346a2017b5b79ab56c1c8d0b5f46dc89d2249d6c88a2c9de68473bc0e4c8
      • Opcode Fuzzy Hash: 82f9e37b89e0e7569b0dd1cced166035ae5c63543837c19356cba67a75db7e04
      • Instruction Fuzzy Hash: 82014432A40219FBEB18979CCC09FEDFFAAFF85310F244246F94882240DB602D109BE1
      APIs
        • Part of subcall function 005E8E8F: TryEnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,0061E078,?,?,?,?), ref: 005E8E9E
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000), ref: 0064C3D5
      Strings
      • base\diagnosis\pdui\atm\main\process.cpp, xrefs: 0064C3EB
      • %d FAIL: 0x%08x, xrefs: 0064C3DC
      • WdcProcessMonitor::ListUpdate, xrefs: 0064C3E6
      Similarity
      • API ID: CriticalCurrentEnterSectionThread
      • String ID: %d FAIL: 0x%08x$WdcProcessMonitor::ListUpdate$base\diagnosis\pdui\atm\main\process.cpp
      • API String ID: 3488303727-241058769
      • Opcode ID: d68d4ef559437088c448d485830d63a4a2878bb89383d90609fdd73d28c42813
      • Instruction ID: 815f5920e24cbe191dc005c077d02b07f8c8429ea9a26d2ebdc792d7ef9de0fe
      • Opcode Fuzzy Hash: d68d4ef559437088c448d485830d63a4a2878bb89383d90609fdd73d28c42813
      • Instruction Fuzzy Hash: 84F0F632B812597BCB15D6D99C0AFEF7E6EDB90320F05405AF804A3340CE748E00C7A1
      APIs
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(8007000E,00000000,00000001,00000000,00674A86,?,?,0000228C,00000000,00000000,00000000), ref: 0067047F
      Strings
      • AppHistoryStringCache::Initialize, xrefs: 00670490
      • %d FAIL: 0x%08x, xrefs: 00670486
      • base\diagnosis\pdui\atm\main\apphistorymonitor.cpp, xrefs: 00670495
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AppHistoryStringCache::Initialize$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp
      • API String ID: 2882836952-3979749189
      • Opcode ID: 464dd40ed0f8a79e7f18f96f7e0e955aae148ee450d7694c14637d93eafb5a6b
      • Instruction ID: 18c4610997cc111ba8063845fc9a3f24694105b253ddee2492acecac368512dd
      • Opcode Fuzzy Hash: 464dd40ed0f8a79e7f18f96f7e0e955aae148ee450d7694c14637d93eafb5a6b
      • Instruction Fuzzy Hash: 59F0B4B2741612FBE3244AA8DC4199AAD9DEB91724714417EF108D6B41E7E4C84287E4
      APIs
      • ?IsDescendent@Element@DirectUI@@QAE_NPAV12@@Z.DUI70(?,?,?,00611253,?), ref: 006581F5
      • StrToID.DUI70(chartInfo,?,?,?,00611253,?), ref: 0065820F
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,?,00611253,?), ref: 0065821C
        • Part of subcall function 00657B08: ?SetSelected@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001,?,?,00658207,?,?,?,00611253,?), ref: 00657B72
      Strings
      Similarity
      • API ID: DirectElement@$Descendent@$FindSelected@V12@V12@@
      • String ID: chartInfo
      • API String ID: 3461643364-2909797920
      • Opcode ID: 10cfbff687446baed0fb97d0c9052951638870d60545c29d541ff0ce32ae3ec4
      • Instruction ID: 8a8462cbeb933f8f9faccc25f0cbaf041389b334c0d41b37fbeff8a4eb14afdd
      • Opcode Fuzzy Hash: 10cfbff687446baed0fb97d0c9052951638870d60545c29d541ff0ce32ae3ec4
      • Instruction Fuzzy Hash: 93F0BE39200610AB87155B61E818D7E7F67EBC87A2B04111AFC1A93340CF309D0ADAD0
      APIs
      • memset.MSVCRT ref: 0066C423
      • ExpandEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(%SystemRoot%\System32\ShellStyle.dll,?,00000104), ref: 0066C43C
      • PathFileExistsW.API-MS-WIN-CORE-SHLWAPI-LEGACY-L1-1-0(?), ref: 0066C44D
      Strings
      • %SystemRoot%\System32\ShellStyle.dll, xrefs: 0066C437
      Similarity
      • API ID: EnvironmentExistsExpandFilePathStringsmemset
      • String ID: %SystemRoot%\System32\ShellStyle.dll
      • API String ID: 1250305355-2988473861
      • Opcode ID: eb9bc6a4c486074556e111bb6c076862ac7fd92652d3d8dd2d5990894f0e4aee
      • Instruction ID: fe44da74dd238c2b0a6b884edb6f441490eed34da1e56ff9c647ef545301c078
      • Opcode Fuzzy Hash: eb9bc6a4c486074556e111bb6c076862ac7fd92652d3d8dd2d5990894f0e4aee
      • Instruction Fuzzy Hash: AEF054B1A0122CABD720DBA89C099AA77ADDB44710F500295AD18D3281DE709E04C7D5
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00670084
      • HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0067008B
      • SysFreeString.OLEAUT32(00000000), ref: 0067009E
      Strings
      Similarity
      • API ID: FreeHeap$ProcessString
      • String ID: `
      • API String ID: 457288585-2679148245
      • Opcode ID: d357fae666c769616e01cfdb712f65525e9f9ae54f8ed1245ddeb54476e6634b
      • Instruction ID: c8ab5d5a4f7c5bde6a6122cc117cf3dc3afaabed051df782840f46a397b14614
      • Opcode Fuzzy Hash: d357fae666c769616e01cfdb712f65525e9f9ae54f8ed1245ddeb54476e6634b
      • Instruction Fuzzy Hash: 30F09032100B54EBE7359B56C80DB97B7A6FF80327F04441DF24B569A0C7B5A895CB64
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000008), ref: 0066234A
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00662351
      • ??0IProvider@DirectUI@@QAE@XZ.DUI70 ref: 00662360
      Strings
      Similarity
      • API ID: Heap$AllocDirectProcessProvider@
      • String ID: P0f
      • API String ID: 4131806188-3899262268
      • Opcode ID: 3758ed2b631bb0330ddbe97d27098cde38ec6d52eb0a7e4e4ba31f55374b5d6a
      • Instruction ID: e3155cec5b3841ce863afe4e1a5eeab09f9c8cd50aa72a0fc52bf0d69448f96b
      • Opcode Fuzzy Hash: 3758ed2b631bb0330ddbe97d27098cde38ec6d52eb0a7e4e4ba31f55374b5d6a
      • Instruction Fuzzy Hash: D7E0923A300659BBC7111B59AC1CA6D3F6BFBC8761F085115F602D7360CF7488059760
      APIs
      • ?CreateBool@Value@DirectUI@@SGPAV12@_N@Z.DUI70(?,?,?,?,0063EDFD,?), ref: 0066114D
      • ?SetValue@Element@DirectUI@@QAEJPBUPropertyInfo@2@HPAVValue@2@@Z.DUI70(C],00000001,00000000,?,?,?,0063EDFD,?), ref: 0066116A
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,?,?,0063EDFD,?), ref: 00661174
      Strings
      Similarity
      • API ID: DirectValue@$Bool@CreateElement@Info@2@PropertyRelease@V12@_Value@2@@
      • String ID: C]
      • API String ID: 3635108339-717202707
      • Opcode ID: bb3470585fd1953e72fa3a7733bd1ad347d3a6f6286d3f47f1b557d03dc4aeb6
      • Instruction ID: f6bd909ec287196faf157bf5ffa44b9df6716d822e874153010a730bd9e0bf9c
      • Opcode Fuzzy Hash: bb3470585fd1953e72fa3a7733bd1ad347d3a6f6286d3f47f1b557d03dc4aeb6
      • Instruction Fuzzy Hash: C9E0DF36300318738B211226AC0CE5BBE2BCBC6BB1B152126FA19DB320CA66CC4083D0
      APIs
      • ?CreateBool@Value@DirectUI@@SGPAV12@_N@Z.DUI70(?,00000000,?,?,0063C0BF,00000000,?,005F677F,?,?,?,00000000), ref: 0066110C
      • ?SetValue@Element@DirectUI@@QAEJPBUPropertyInfo@2@HPAVValue@2@@Z.DUI70(|D],00000001,00000000,?,0063C0BF,00000000,?,005F677F,?,?,?,00000000), ref: 00661129
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70(?,0063C0BF,00000000,?,005F677F,?,?,?,00000000), ref: 00661133
      Strings
      Similarity
      • API ID: DirectValue@$Bool@CreateElement@Info@2@PropertyRelease@V12@_Value@2@@
      • String ID: |D]
      • API String ID: 3635108339-593882990
      • Opcode ID: 928b7a0c64e3649834e141274dcc894810ff253e3bb243fc45155be3952e67b2
      • Instruction ID: 80c162fedb978f64c2f2e880d715925aa5737a6d58ae4f2febd1f29b0e4b39e7
      • Opcode Fuzzy Hash: 928b7a0c64e3649834e141274dcc894810ff253e3bb243fc45155be3952e67b2
      • Instruction Fuzzy Hash: 2EE0DF3630031873872012266C1CD5BBA2BCBD67B1B05212AFA199B320CA65CC418390
      APIs
        • Part of subcall function 00672343: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000004,00000000,00000000,00000000,006715F6,?,?,00000000,00000044,00000000), ref: 00672366
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(80070490,00000044,00000000,?,006715F6,?,?,00000000,00000044,00000000), ref: 006740E7
      Strings
      • %d FAIL: 0x%08x, xrefs: 006740EE
      • WdcAppHistoryMonitor::_ReconcileImmersiveApplication, xrefs: 006740F8
      • base\diagnosis\pdui\atm\main\apphistorymonitor.cpp, xrefs: 006740FD
      Similarity
      • API ID: CriticalCurrentEnterSectionThread
      • String ID: %d FAIL: 0x%08x$WdcAppHistoryMonitor::_ReconcileImmersiveApplication$base\diagnosis\pdui\atm\main\apphistorymonitor.cpp
      • API String ID: 3488303727-529402721
      • Opcode ID: 1a7e9dbd5b4b4e8dbeb7ad026d6eb31369bbbb0d5d16db6f75acdc1aff6f1bfc
      • Instruction ID: c0c8b1f1af8c3436ac8f46c3cce97447b1d0d8ce217081c5c939d8d11d7234c0
      • Opcode Fuzzy Hash: 1a7e9dbd5b4b4e8dbeb7ad026d6eb31369bbbb0d5d16db6f75acdc1aff6f1bfc
      • Instruction Fuzzy Hash: CDE07D722813603AC71036D99C0AED77F0DDB60790F048076FA0CAB652CE9ACDA183F5
      APIs
      • ?MouseWithinProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70 ref: 0060F2C5
      • ?KeyWithinProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70(00000000), ref: 0060F2DF
      Strings
      Similarity
      • API ID: DirectElement@Info@2@Prop@PropertyWithin$Mouse
      • String ID: sidebar_disk_r$sidebar_disk_w
      • API String ID: 3496444043-2019982918
      • Opcode ID: 8956a9f4805c6ae611b2d565582145f0c487611fe65136421ea987836a39f10f
      • Instruction ID: 23986f3bd9a6d0e6f32835b0741fe86d73365ce43a82db3913976d9056be553a
      • Opcode Fuzzy Hash: 8956a9f4805c6ae611b2d565582145f0c487611fe65136421ea987836a39f10f
      • Instruction Fuzzy Hash: 5CE0923414034DABCF34AF60D819D9F37176F44310F104016FC1613762CF70D90296A4
      APIs
      • ?MouseWithinProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70 ref: 0060F305
      • ?KeyWithinProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ.DUI70(00000000), ref: 0060F31F
      Strings
      Similarity
      • API ID: DirectElement@Info@2@Prop@PropertyWithin$Mouse
      • String ID: sidebar_net_r$sidebar_net_s
      • API String ID: 3496444043-3717826706
      • Opcode ID: 0de3129baa4829e329c24441ad0871b7bb0743ec1e6a9d0c9d3faae61fa1906d
      • Instruction ID: b62a73f6a6e0ec3a02e35916bca16f8aa85e655e76f1c1807c425681c612ac8a
      • Opcode Fuzzy Hash: 0de3129baa4829e329c24441ad0871b7bb0743ec1e6a9d0c9d3faae61fa1906d
      • Instruction Fuzzy Hash: B0E01A75180349EBCF28EFA0D909CAF372BAF88326F108115FC1657762CBB4991686A5
      APIs
        • Part of subcall function 005EB14A: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000), ref: 005EB174
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000), ref: 00637A68
      Strings
      • WdcMonitor::UpdateTimer, xrefs: 00637A79
      • base\diagnosis\pdui\atm\main\monitor.cpp, xrefs: 00637A7E
      • %d FAIL: 0x%08x, xrefs: 00637A6F
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$WdcMonitor::UpdateTimer$base\diagnosis\pdui\atm\main\monitor.cpp
      • API String ID: 2882836952-3155282084
      • Opcode ID: 949a3e9c7fc4fcb1d16438ab2e5b0af1d977cabc1841e4c8dde59f1014fad63c
      • Instruction ID: b8d24f371ddd023da1356c6a010e6437f5cc162179c76bc6c428aff9b880ad7a
      • Opcode Fuzzy Hash: 949a3e9c7fc4fcb1d16438ab2e5b0af1d977cabc1841e4c8dde59f1014fad63c
      • Instruction Fuzzy Hash: 1FE0C2717803846BE218A6D55C2AF673E1DBB80B00F050429FA999A1C2CAA2A820C3B1
      APIs
      • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll,RaiseFailFastException), ref: 006192C0
      • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 006192C7
      Strings
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: RaiseFailFastException$kernelbase.dll
      • API String ID: 1646373207-919018592
      • Opcode ID: 0f564e82f7182c52b09578b005abdf0816f433b5d3528d966ecaf7a4c73930dc
      • Instruction ID: 35897506660db3075c971ddc45a86ed703810b5186fbb25c206291396ac6ad81
      • Opcode Fuzzy Hash: 0f564e82f7182c52b09578b005abdf0816f433b5d3528d966ecaf7a4c73930dc
      • Instruction Fuzzy Hash: 29E0E6325002157B8B211FD59C0CD9E7F26EB447A17045125F90591121DB718951D7A4
      APIs
        • Part of subcall function 00628D9C: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,?,?), ref: 00628DC9
      • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,005EA253,?,?,?,?,00000000,?,?,?,?,?,005FF139), ref: 00628425
      Strings
      • %d FAIL: 0x%08x, xrefs: 0062842C
      • AtmGpuView::SidebarRender, xrefs: 00628436
      • base\diagnosis\pdui\atm\main\gpuview.cpp, xrefs: 0062843B
      Similarity
      • API ID: CurrentThread
      • String ID: %d FAIL: 0x%08x$AtmGpuView::SidebarRender$base\diagnosis\pdui\atm\main\gpuview.cpp
      • API String ID: 2882836952-3031800593
      • Opcode ID: 04721c37333037d1fb097b8bd20fa68ca953d647c0eed3bac467daaa6065e797
      • Instruction ID: 1bb8fb671c790bd8e2984d0c8a6e63d97c45285362794c86bfa96895da428a01
      • Opcode Fuzzy Hash: 04721c37333037d1fb097b8bd20fa68ca953d647c0eed3bac467daaa6065e797
      • Instruction Fuzzy Hash: B2D0A922BC2AB17B862232D83C07EAE1C05AFA1B10F862506FA04B76C1DA40880147EA
      APIs
      • ?Destroy@NativeHWNDHost@DirectUI@@QAEXXZ.DUI70(?,?,?,005E376D), ref: 005E62C0
      • CloseThemeData.UXTHEME(?), ref: 005E63C8
        • Part of subcall function 005E38B3: ctype.LIBCPMT ref: 005E38CF
      • ?Destroy@NativeHWNDHost@DirectUI@@QAEXXZ.DUI70 ref: 005E63E5
      • ?Destroy@NativeHWNDHost@DirectUI@@QAEXXZ.DUI70 ref: 005E640C
      Similarity
      • API ID: Destroy@DirectHost@Native$CloseDataThemectype
      • String ID:
      • API String ID: 3846488597-0
      • Opcode ID: d450f660568217b23ec718c841728d08990b1e34c323010f7a0f899986b57d32
      • Instruction ID: ce1cefb8d86bce9d2b8832172be73317760d99289796c0ccce7d17e8683f2c20
      • Opcode Fuzzy Hash: d450f660568217b23ec718c841728d08990b1e34c323010f7a0f899986b57d32
      • Instruction Fuzzy Hash: 7E517035701B52AFDB1CDF62C894BADBB62BF48750F04522DD65A8B341CB706C048F91
      APIs
      • RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(8000000B,00000000,00000000), ref: 0062329E
      • memmove_s.MSVCRT ref: 0062331F
      • RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(8000FFFF,00000000), ref: 00623334
      • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000), ref: 0062336A
      Similarity
      • API ID: ErrorOriginate$ExclusiveLockReleasememmove_s
      • String ID:
      • API String ID: 3089511417-0
      • Opcode ID: a5f18ca56c83b9993c5166e06ebee26e5dcb3f21c9e1463f7aeb9f9766438739
      • Instruction ID: a7700faf88bac3d01620784854cb65bb206117c074139d1735b1f459b92cb242
      • Opcode Fuzzy Hash: a5f18ca56c83b9993c5166e06ebee26e5dcb3f21c9e1463f7aeb9f9766438739
      • Instruction Fuzzy Hash: DB41C072A00975ABC715DFA4E880AAAB76ABF04310F044269E911DB740DB35EF55CFE0
      APIs
        • Part of subcall function 005FD90A: SendMessageTimeoutW.USER32(?,0000007F,00000002,00000000,00000003,00000064,?), ref: 005FD922
      • CopyIcon.USER32(00000000), ref: 005FF24F
      Similarity
      • API ID: CopyIconMessageSendTimeout
      • String ID:
      • API String ID: 2733916428-0
      • Opcode ID: 5963dd6208f7e33216fa182d4edfc9bb5bb487e548bb2dcbe328e12acc564f1d
      • Instruction ID: 1e9e284242f7ac8252417974c87f250bded4c20c7ecba2307d9e2a75f2b51f43
      • Opcode Fuzzy Hash: 5963dd6208f7e33216fa182d4edfc9bb5bb487e548bb2dcbe328e12acc564f1d
      • Instruction Fuzzy Hash: 9031D07230061AABC314DF64DC89ABABBA5FF44364F144A38F225C3690E378E9048BD0
      APIs
      Similarity
      • API ID: MessageSend$_ftol2memset
      • String ID:
      • API String ID: 3739171816-0
      • Opcode ID: 050b179cef672da955def9f1f0e8c23225b66ba85f56b843d4a1d5007c2fc8a7
      • Instruction ID: 24e18d919495fc4c6a400dd3e6eb59dabbe1d35b30d55ad1438ffd47f5fa6425
      • Opcode Fuzzy Hash: 050b179cef672da955def9f1f0e8c23225b66ba85f56b843d4a1d5007c2fc8a7
      • Instruction Fuzzy Hash: 0731B070E00248EFDB21DF95C8849ADBBB6FF85360F14616AF51597391DB709E41CB41
      APIs
      • ?StartDefer@Element@DirectUI@@QAEXPAK@Z.DUI70(00000008,?,00000000,?,?,?,?,00000025,00000000), ref: 0066708F
      • ?StartDefer@Element@DirectUI@@QAEXPAK@Z.DUI70(?,00000000,00000000,?,?), ref: 006670C1
      • ?EndDefer@Element@DirectUI@@QAEXK@Z.DUI70(?,006694E0), ref: 006670DF
      • ?EndDefer@Element@DirectUI@@QAEXK@Z.DUI70(00000008,006694E0), ref: 006670F3
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Defer@DirectElement@$Start
      • String ID:
      • API String ID: 2038970047-0
      • Opcode ID: eb7f7c899c31e2f12191fdfd8af863ff9a1142f0ca86f6a3b998afd61d2c6948
      • Instruction ID: 0c6b5bd2ba61f9377e397f57d37070e129b06fb0e55870a2815faf2b8ad6a0f7
      • Opcode Fuzzy Hash: eb7f7c899c31e2f12191fdfd8af863ff9a1142f0ca86f6a3b998afd61d2c6948
      • Instruction Fuzzy Hash: A431A030A00604ABCF26AF69C8449FEBBFBFFC4314F04914EE86592251CF745945DBA5
      APIs
      • memset.MSVCRT ref: 0064A17A
      • SendMessageW.USER32(00000000,0000104B,00000000,?), ref: 0064A19B
      • SendMessageW.USER32(00000000,00001053,000000FF,?), ref: 0064A1C6
      • SendMessageW.USER32(00000000,00001008,?,00000000), ref: 0064A1DC
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: MessageSend$memset
      • String ID:
      • API String ID: 2191228795-0
      • Opcode ID: 085d05da88f010ec937a1bed2fc37cda4739819526e2a2754a4f62a35c4873f2
      • Instruction ID: f1950644f3ec2163f58b8ccc9cffaee6773ef06690cadc96bf2703613e1fd29a
      • Opcode Fuzzy Hash: 085d05da88f010ec937a1bed2fc37cda4739819526e2a2754a4f62a35c4873f2
      • Instruction Fuzzy Hash: 4811B132A40348BBDB108F94DC45BDFBBBAEB84720F100215FA10AB3C0C7B4AA458B95
      APIs
      • ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.DUI70(00000001,?,?,00000000,?,00000001,?,?,?,?,00610D71,0000000C), ref: 0066938A
      • GetGadgetRect.DUSER(00000000,?,00000000,?,00000001,?,?,?,?,00610D71,0000000C), ref: 00669391
      • ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.DUI70(?,?,?,00000000,?,00000001,?,?,?,?,00610D71,0000000C), ref: 006693A3
      • GetGadgetRect.DUSER(00000000,?,00000000,?,00000001,?,?,?,?,00610D71,0000000C), ref: 006693AA
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: D__@@DirectGadgetHost@NativeRect
      • String ID:
      • API String ID: 3814467030-0
      • Opcode ID: 4b6a05e08e03800ba615aaf63d1a20bbca274d0e1815d35fe2a5e2d49371a8e3
      • Instruction ID: 068177d927d93b5fc3a0a39b6c1b417900a4dbdff65959ce3148e1a6d5b78a44
      • Opcode Fuzzy Hash: 4b6a05e08e03800ba615aaf63d1a20bbca274d0e1815d35fe2a5e2d49371a8e3
      • Instruction Fuzzy Hash: 18012131900509BFDB10DFA4D8499EEB7BAEF48310F002959E901E7251CB30A945CB65
      APIs
      • ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.DUI70(?,?), ref: 00669400
      • GetGadgetRect.DUSER(00000000), ref: 00669407
      • ?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ.DUI70(?,?), ref: 00669419
      • GetGadgetRect.DUSER(00000000), ref: 00669420
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: D__@@DirectGadgetHost@NativeRect
      • String ID:
      • API String ID: 3814467030-0
      • Opcode ID: 1f2c93120327bf511e632737968e13162da142aefa6f4505f204140177e47299
      • Instruction ID: a5de0e77c64335c9e45a83d99f809dff8d5b29a19c930951cf1eeddfd590d7d9
      • Opcode Fuzzy Hash: 1f2c93120327bf511e632737968e13162da142aefa6f4505f204140177e47299
      • Instruction Fuzzy Hash: 32011E32904109BFDB10DFB5D8459DEB7FAEF48311F501959E901E7251CA30AD458B65
      APIs
      • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 005E3162
      • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 005E317E
      • DestroyWindow.USER32(?), ref: 005E319C
      • CoUninitialize.COMBASE ref: 005E31B2
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Close$DestroyHandleUninitializeWindow
      • String ID:
      • API String ID: 2640996749-0
      • Opcode ID: 261e9481eb888ece9231c20682d25a654409f2ef81fbb5fade6d310b1183e06b
      • Instruction ID: 6a026809f98294300081eddd791afb8fed3d237104d645d55ecaaef359b79b26
      • Opcode Fuzzy Hash: 261e9481eb888ece9231c20682d25a654409f2ef81fbb5fade6d310b1183e06b
      • Instruction Fuzzy Hash: 4501F674504B81EBC72A5B36C84C5DBBBE9BB84351B041B2EE5AAC2260C770A421CB64
      APIs
      • ?GetBorderThickness@Element@DirectUI@@QAEPBUtagRECT@@PAPAVValue@2@@Z.DUI70(?), ref: 00653437
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70 ref: 00653449
      • ?GetPadding@Element@DirectUI@@QAEPBUtagRECT@@PAPAVValue@2@@Z.DUI70(?), ref: 00653459
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70 ref: 0065346D
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$Element@Release@UtagValue@Value@2@@$BorderPadding@Thickness@
      • String ID:
      • API String ID: 781969675-0
      • Opcode ID: 5dc69210fb87f15059c79688d3becd5c592065df41f0d975719300d8380b3249
      • Instruction ID: c99991c24883c7403ac6130ff77493966442159bb62cc88450e6b813bb34a2fa
      • Opcode Fuzzy Hash: 5dc69210fb87f15059c79688d3becd5c592065df41f0d975719300d8380b3249
      • Instruction Fuzzy Hash: B5F03635601214EFDB14DB85D81CDAE77BAEF84752B15119DAC0AD3311DB706E04DB51
      APIs
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(0067B09C,?,?,005EA215,?,?), ref: 005E838D
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(0067B09C,?,005EA215,?,?), ref: 005E8397
      • ?SetContentString@Element@DirectUI@@QAEJPBG@Z.DUI70(0067B12C,?,005EA215,?,?), ref: 005E83A6
      • ?SetAccName@Element@DirectUI@@QAEJPBG@Z.DUI70(0067B12C,?,005EA215,?,?), ref: 005E83B0
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$ContentName@String@
      • String ID:
      • API String ID: 1484081255-0
      • Opcode ID: 3edaa5fe9055a83691ab23da3ffced0186d67ed784d9ce275eac0d79defd3fd1
      • Instruction ID: 70f9f09680adb0df2ce5013b1da24fa38623c389111722aad5ba864ade307a4f
      • Opcode Fuzzy Hash: 3edaa5fe9055a83691ab23da3ffced0186d67ed784d9ce275eac0d79defd3fd1
      • Instruction Fuzzy Hash: EDF08C35500929BB8714AF60DC08AAE3B6ABF89311B00A019F90E97354CF345E01CBD5
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000014,00000000,0066248B,?,?,?,?,?,00661DA0), ref: 006612FE
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,00661DA0), ref: 00661305
      • ??0RefcountBase@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,?,00661DA0), ref: 00661314
      • ??0IProvider@DirectUI@@QAE@XZ.DUI70(?,?,?,?,?,00661DA0), ref: 0066131D
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectHeap$AllocBase@ProcessProvider@Refcount
      • String ID:
      • API String ID: 940640848-0
      • Opcode ID: 3531e80c60430b2236809f033ca6ef4169b2af56bd9c52bfc008ce669eef1888
      • Instruction ID: 0461dcca099f5339e0e2cc8ab5cedbcca2b26c9ea6edab871247bb3797ba82f8
      • Opcode Fuzzy Hash: 3531e80c60430b2236809f033ca6ef4169b2af56bd9c52bfc008ce669eef1888
      • Instruction Fuzzy Hash: 1FE0923620064AFBC3109F69E85CB55BFB6FFC4311F049308E1169A650CBB08455CB90
      APIs
      • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000014,00000000,00662566), ref: 0066141D
      • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00661424
      • ??0RefcountBase@DirectUI@@QAE@XZ.DUI70 ref: 00661433
      • ??0IProvider@DirectUI@@QAE@XZ.DUI70 ref: 0066143C
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectHeap$AllocBase@ProcessProvider@Refcount
      • String ID:
      • API String ID: 940640848-0
      • Opcode ID: 80f0038b44e7cd0bf8bde79eade55877a63c0a7c2c156e85447948e9bef86a45
      • Instruction ID: a46e6d63b2646a756590cb56e690e60d649088a3346852b26a848e65802d5e5a
      • Opcode Fuzzy Hash: 80f0038b44e7cd0bf8bde79eade55877a63c0a7c2c156e85447948e9bef86a45
      • Instruction Fuzzy Hash: 7CE0927520060ABBC7104FA9E85CB55BBB7FFC4711F08D708E1168B650CBB09555CB90
      APIs
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(00000000,?,?,00602BE0,?,?,00606273,00000000,00000000,?,00000000,?,?,?,?,?), ref: 0063136D
      • ?SetLayoutPos@Element@DirectUI@@QAEJH@Z.DUI70(00000000,?,00602BE0,?,?,00606273,00000000,00000000,?,00000000,?,?,?,?,?), ref: 0063137E
      • ?SetEnabled@Element@DirectUI@@QAEJ_N@Z.DUI70(?,?,00602BE0,?,?,00606273,00000000,00000000,?,00000000,?,?,?,?,?), ref: 00631389
      • ?SetVisible@Element@DirectUI@@QAEJ_N@Z.DUI70(00000001,?,00602BE0,?,?,00606273,00000000,00000000,?,00000000,?,?,?,?,?), ref: 00631393
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: DirectElement@$Descendent@Enabled@FindLayoutPos@V12@Visible@
      • String ID:
      • API String ID: 1183884505-0
      • Opcode ID: cc034fbfa05e8381a894ff5afee24fcdab16f2addc7c40b2317af3351929ab46
      • Instruction ID: 9b51ace15d705740485ca0671aa3058f9a4b737be51f6569e12d08dcba1844cb
      • Opcode Fuzzy Hash: cc034fbfa05e8381a894ff5afee24fcdab16f2addc7c40b2317af3351929ab46
      • Instruction Fuzzy Hash: F3E04F32601725BBCB161F50AC189AE7F27EB88B61B016105FE1A4A361CF319951DBD1
      APIs
      • PdhCloseQuery.PDH(00000000,?,?,0061D559,?,0061D944,?,00000000,?,?,?,0061D537), ref: 0061F514
      • wprintf_s.MSVCRT ref: 0061F52B
      Strings
      • PdhCloseQuery failed with 0x%x., xrefs: 0061F526
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CloseQuerywprintf_s
      • String ID: PdhCloseQuery failed with 0x%x.
      • API String ID: 3936139676-3948899340
      • Opcode ID: 43bdf95e4545428d8a1c7292c7ad4dae2e1dff34d3f2bcc842e00df5694b7733
      • Instruction ID: 87e01ef6f355a2f7c6306de0c8abb28b4e6b038629534e0c7c329ca5aa75789b
      • Opcode Fuzzy Hash: 43bdf95e4545428d8a1c7292c7ad4dae2e1dff34d3f2bcc842e00df5694b7733
      • Instruction Fuzzy Hash: 06516F716006109FDB209F39E484ADAB7EBEF94314B18847EE549C7352EB70EDC2CA94
      APIs
        • Part of subcall function 005E5640: memset.MSVCRT ref: 005E579F
        • Part of subcall function 005E5640: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000400,?,?,?,?,?,00688C60,00000000), ref: 005E57C3
        • Part of subcall function 005E5640: _wtoi.MSVCRT(?,?,00688C60,00000000), ref: 005E57D6
      • memset.MSVCRT ref: 0060D2CF
      • CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000,00000000,80004005,00000000), ref: 0060D2DC
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: memset$CreateEventInfoLocale_wtoi
      • String ID: Process
      • API String ID: 2481564804-1235230986
      • Opcode ID: 8f7f166e15a4a98afb12a5c7eda3464f6aa7f92850e857ec4ba2624703943c51
      • Instruction ID: a7f8d043659c00bc140243fd1aa14f6ebafef5bfc0fe5af81718a8d7d597e7a8
      • Opcode Fuzzy Hash: 8f7f166e15a4a98afb12a5c7eda3464f6aa7f92850e857ec4ba2624703943c51
      • Instruction Fuzzy Hash: 5821BFB1806B459ED3608F3A84C15D7FFE8FF08394F85492EE0AE83222DB70A454CB64
      APIs
      • RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,AutoRestartShell,00000018,?,00000000,?), ref: 00644392
      Strings
      • AutoRestartShell, xrefs: 00644383
      • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00644388
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Value
      • String ID: AutoRestartShell$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • API String ID: 3702945584-170228914
      • Opcode ID: 4eee6e6b7ee7681bb6ea1b4b97bab2d0341e1cf2f202fbdd75c7c17426a46d24
      • Instruction ID: bb4635ab15bb15bed6e1bdef360f82bc9d136f0b558e59a81d9efe3c9e5af241
      • Opcode Fuzzy Hash: 4eee6e6b7ee7681bb6ea1b4b97bab2d0341e1cf2f202fbdd75c7c17426a46d24
      • Instruction Fuzzy Hash: E9F05471940208FBEB21DE56C90BBFEB7ADEB04715F10419AAA04E6281EE749A04D661
      APIs
      • ?GetBorderThickness@Element@DirectUI@@QAEPBUtagRECT@@PAPAVValue@2@@Z.DUI70(00000000,00000000,00000084,?,?,0060607E), ref: 006060F8
      • ?Release@Value@DirectUI@@QAEXXZ.DUI70 ref: 00606110
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Direct$BorderElement@Release@Thickness@UtagValue@Value@2@@
      • String ID: ~``
      • API String ID: 2764176861-2304874167
      • Opcode ID: a5477af3426623eed8db9b974691c1e6d88da157e431da7d769c4c1816369fab
      • Instruction ID: 754d24b88285de341d07b35693e5189400e129cb7a9f1ae91c2dd2aa32562a28
      • Opcode Fuzzy Hash: a5477af3426623eed8db9b974691c1e6d88da157e431da7d769c4c1816369fab
      • Instruction Fuzzy Hash: 14E01A3A501208BBCB14CE85D909DDB7B7AEF86372F1011A5FC0497201D6729E04D7A1
      APIs
        • Part of subcall function 0063106E: StrToID.DUI70(EndTaskButtonHost,?,006313AB,?,?,00610632,000000FD,?,?,00610294), ref: 0063107F
        • Part of subcall function 0063106E: ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00610632,000000FD,?,?,00610294), ref: 0063108C
      • StrToID.DUI70(CBEndTaskButton,?,?,006313C1,?,?,00610632,000000FD,?,?,00610294), ref: 00631053
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,?,006313C1,?,?,00610632,000000FD,?,?,00610294), ref: 0063105F
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Descendent@DirectElement@FindV12@
      • String ID: CBEndTaskButton
      • API String ID: 894778106-4054805690
      • Opcode ID: ed27f831b9e7dd077916d10e9f4b4d6df5be5baa28d1a25ceaad98f658970d99
      • Instruction ID: aee2d6625a0992a8b7352987b6a1beea4e10fa225384eebb30c0c77127e0c388
      • Opcode Fuzzy Hash: ed27f831b9e7dd077916d10e9f4b4d6df5be5baa28d1a25ceaad98f658970d99
      • Instruction Fuzzy Hash: 45E08C355007549FC3399729A44867AB6E6EBC9721F05121EF48A86210DF70CC829BA1
      APIs
      • StrToID.DUI70(EndTaskButtonHost,?,006313AB,?,?,00610632,000000FD,?,?,00610294), ref: 0063107F
      • ?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z.DUI70(?,?,00610632,000000FD,?,?,00610294), ref: 0063108C
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: Descendent@DirectElement@FindV12@
      • String ID: EndTaskButtonHost
      • API String ID: 894778106-4258401125
      • Opcode ID: 2bc565978231b4dd60183d9a6e431cb08a841d89e77e78f72017f6f833c92b6c
      • Instruction ID: 8f22ded6c9c8c0741a6830803d1556cc2fd570b61507572145a7fe50dcd54435
      • Opcode Fuzzy Hash: 2bc565978231b4dd60183d9a6e431cb08a841d89e77e78f72017f6f833c92b6c
      • Instruction Fuzzy Hash: 85D05EB05103109B83748B65B9088733BE5BA88310304250AF886C3610DB20EC009B60
      APIs
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00000000,?,?,00602578,00000000,00000000), ref: 005FF16D
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00602578,00000000,00000000), ref: 005FF1B4
      • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00602578,00000000,00000000), ref: 005FF1CC
      • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00602578,00000000,00000000), ref: 005FF1F5
      Memory Dump Source
      • Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
      • Associated: 00000000.00000002.2451679668.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451902167.000000000067B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451919717.000000000067D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000682000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451936169.0000000000689000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeave
      • String ID:
      • API String ID: 3168844106-0
      • Opcode ID: 59fbb787fb108941850bf26351f50ff5b6cc185a3b6b4ac46100653440b68e16
      • Instruction ID: 8073e56651e8a33e7ca12a3b25d924a4ac4950bc79a9e03e41f9c978e5849765
      • Opcode Fuzzy Hash: 59fbb787fb108941850bf26351f50ff5b6cc185a3b6b4ac46100653440b68e16
      • Instruction Fuzzy Hash: B1114F7260091AEFCB14DFA5DC9CDAABBA9FF48311B004275EA15C7214DB74E915CB90
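The per-function records above (API calls with their call-site references, cross-referenced strings, the memory-dump source they were lifted from, and the similarity IDs) are easy to read one at a time but awkward to query across a listing this long. The Python below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses records in the form rendered on this page into structured objects and answers the two questions a triager usually has of such a listing, which functions call a given API and which registry keys the sample reads. The input is a constructed excerpt of three records copied from this page (the CopyIcon, PdhCloseQuery and RegGetValueW functions). It assumes the bullet and header layout shown above; the HKEY root mapping uses the documented Windows predefined-key constants.

```python
"""Parse Joe Sandbox per-function records (the "APIs" / "Strings" /
"Memory Dump Source" / "Similarity" blocks in the listing above) and query
them. Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt of
three records copied from this page."""
import re
from dataclasses import dataclass, field

SAMPLE = r"""APIs
  • Part of subcall function 005FD90A: SendMessageTimeoutW.USER32(?,0000007F,00000002,00000000,00000003,00000064,?), ref: 005FD922
• CopyIcon.USER32(00000000), ref: 005FF24F
Similarity
• API ID: CopyIconMessageSendTimeout
• String ID:
• API String ID: 2733916428-0
APIs
• PdhCloseQuery.PDH(00000000,?,?,0061D559,?,0061D944,?,00000000,?,?,?,0061D537), ref: 0061F514
• wprintf_s.MSVCRT ref: 0061F52B
Strings
• PdhCloseQuery failed with 0x%x., xrefs: 0061F526
Similarity
• API ID: CloseQuerywprintf_s
• String ID: PdhCloseQuery failed with 0x%x.
• API String ID: 3936139676-3948899340
APIs
• RegGetValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,AutoRestartShell,00000018,?,00000000,?), ref: 00644392
Strings
• AutoRestartShell, xrefs: 00644383
• SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00644388
Memory Dump Source
• Source File: 00000000.00000002.2451702109.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
Similarity
• API ID: Value
• String ID: AutoRestartShell$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
• API String ID: 3702945584-170228914
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # raw argument column, "?" where the sandbox could not resolve it
    ref: int              # call-site address in the dump
    subcall_of: int = None  # set for "Part of subcall function X:" lines

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref address)
    image_base: int = None                        # "Offset:" of the Source File line
    similarity: dict = field(default_factory=dict)

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<subfn>[0-9A-F]+): )?"
                    r"(?P<name>[^.(\s]+)\.(?P<module>[^( ]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^(?P<text>.+), xrefs: (?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(r"^Source File: \S+, Offset: (?P<base>[0-9A-F]+), based on PE: (?:true|false)$")

def _hex(s):
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]+", s) else None

def parse_records(text):
    """One FunctionRecord per 'APIs' header; page text before the first record is skipped."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        line = line.lstrip("• ")          # drop the bullet
        rec = records[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                    _hex(m["subfn"]) if m["subfn"] else None))
        elif section == "Strings" and (m := STR_RE.match(line)):
            rec.strings.append((m["text"], int(m["ref"], 16)))
        elif section == "Memory Dump Source" and (m := SRC_RE.match(line)):
            rec.image_base = int(m["base"], 16)
        elif section == "Similarity":
            key, _, value = line.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records

def callers_of(records, api_name, include_subcalls=False):
    """Records that list a call to api_name (subcall lines only when asked for)."""
    return [r for r in records
            if any(c.name == api_name and (include_subcalls or c.subcall_of is None)
                   for c in r.apis)]

HKEY_ROOTS = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}

def registry_reads(records):
    """(call site, root, subkey, value name) for every RegGetValueW call in the listing."""
    out = []
    for r in records:
        for c in r.apis:
            if c.name == "RegGetValueW" and len(c.args) >= 3:
                root = HKEY_ROOTS.get(_hex(c.args[0]), c.args[0])
                out.append((c.ref, root, c.args[1], c.args[2]))
    return out

def rva(record, address):
    """Offset of a call site from the dumped module base (its RVA in the image)."""
    return address - record.image_base

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for site, root, key, value in registry_reads(recs):
        print(f"{site:08X} RegGetValueW {root}\\{key} -> {value}")
    print([s for r in callers_of(recs, "wprintf_s") for s, _ in r.strings])
```

Subcall lines are kept but flagged with `subcall_of` so that a query for "who calls X" does not attribute a callee's API to every caller the sandbox inlined it into; the argument column is split on commas only, which is adequate for the registry paths and numeric arguments shown here.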