
Windows Analysis Report
SCU_9028892992899029_789290929209922________________.exe

Overview

General Information

Sample name: SCU_9028892992899029_789290929209922________________.exe
Analysis ID: 1427198
MD5: bbc13924be0c7a3ba79084d630234692
SHA1: c94f800d87ee60f2c48e7023504d8859dcaa19b3
SHA256: 2a1ab3dd3ed3b1bf3d4430f92e5872599c64e5ca5db73d9e8449be9df5953470
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SCU_9028892992899029_789290929209922________________.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe" MD5: BBC13924BE0C7A3BA79084D630234692)
    • RegSvcs.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "absach@worlorderbillions.top", "Password": "@qwerty90123        "}
Source: 00000002.00000002.2448214756.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1204947706.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.raw.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 2.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe", CommandLine: "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe, NewProcessName: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe, OriginalFileName: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe", ProcessId: 6968, ProcessName: SCU_9028892992899029_789290929209922________________.exe
No Snort rule has matched

AV Detection

Source: SCU_9028892992899029_789290929209922________________.exe.6968.0.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "absach@worlorderbillions.top", "Password": "@qwerty90123 "}
Source: SCU_9028892992899029_789290929209922________________.exe | ReversingLabs: Detection: 44%
Source: SCU_9028892992899029_789290929209922________________.exe | Virustotal: Detection: 33%
Source: SCU_9028892992899029_789290929209922________________.exe | Joe Sandbox ML: detected
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: SCU_9028892992899029_789290929209922________________.exe, 00000000.00000003.1201746369.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, SCU_9028892992899029_789290929209922________________.exe, 00000000.00000003.1202950451.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SCU_9028892992899029_789290929209922________________.exe, 00000000.00000003.1201746369.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, SCU_9028892992899029_789290929209922________________.exe, 00000000.00000003.1202950451.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C74696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C8425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C84458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C70219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C9CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00C13B4C
Source: SCU_9028892992899029_789290929209922________________.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SCU_9028892992899029_789290929209922________________.exe, 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0c27cfb5-b
Source: SCU_9028892992899029_789290929209922________________.exe, 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_cf678d7f-8
Source: SCU_9028892992899029_789290929209922________________.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_5e26b6b0-a
Source: SCU_9028892992899029_789290929209922________________.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_406fd882-6
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C740B1 CreateFileW,_memset,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C68858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: String function: 00C30D27 appears 70 times
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: String function: 00C17F41 appears 35 times
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: String function: 00C38B40 appears 42 times
Source: SCU_9028892992899029_789290929209922________________.exe, 00000000.00000003.1201746369.0000000003FE3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs SCU_9028892992899029_789290929209922________________.exe
Source: SCU_9028892992899029_789290929209922________________.exe, 00000000.00000003.1200504371.000000000418D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs SCU_9028892992899029_789290929209922________________.exe
Source: SCU_9028892992899029_789290929209922________________.exe, 00000000.00000002.1204947706.0000000001490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename e98985aa-1a0a-4027-b0e4-a37605f1db47.exe4 vs SCU_9028892992899029_789290929209922________________.exe
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7A2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C68713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C68CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C8F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C886D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C14FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | File created: C:\Users\user~1\AppData\Local\Temp\aut9FBD.tmp
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.2451495228.00000000032AB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2451495228.00000000032BF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown | Process created: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe"
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe"
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SCU_9028892992899029_789290929209922________________.exe | Static file information: File size 1059840 > 1048576
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SCU_9028892992899029_789290929209922________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C8C304 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C38B85 push ecx; ret 0_2_00C38B98
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C2553F push ebx; retn 0000h 0_2_00C2554A
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exeCode function: 0_2_00C333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C333C7
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99782
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | API coverage: 4.6 %
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C74696 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7C93C FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | API call chain: ExitProcess graph end node graph_0-99142
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | API call chain: ExitProcess graph end node graph_0-98713
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C841FD BlockInput
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exeCode function: 0_2_00C45CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00C45CCC
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C8C304 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_01483560 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_01483500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_01481ED0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C3A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C3A364 SetUnhandledExceptionFilter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11B3008
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C68C93 LogonUserW
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C74EC9 mouse_event
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe"
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C74C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C3886B cpuid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C52230 GetUserNameW
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C4418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2448214756.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1204947706.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: WIN_81
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: WIN_XP
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: WIN_XPe
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: WIN_VISTA
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: WIN_7
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: WIN_8
            Source: SCU_9028892992899029_789290929209922________________.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.SCU_9028892992899029_789290929209922________________.exe.1490000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2448214756.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1204947706.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C86596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe | Code function: 0_2_00C86A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK Matrix (one line per tactic column; the number before a technique name is the count shown in the report)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 121 Windows Management Instrumentation; 2 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 11 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling
            Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 38 System Information Discovery; 14 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Source | Detection | Scanner | Label
            SCU_9028892992899029_789290929209922________________.exe | 45% | ReversingLabs | Win32.Spyware.Negasteal
            SCU_9028892992899029_789290929209922________________.exe | 34% | Virustotal
            SCU_9028892992899029_789290929209922________________.exe | 100% | Joe Sandbox ML
            No Antivirus matches
            No contacted domains info
            No contacted IP infos
            Joe Sandbox version: 40.0.0 Tourmaline
            Analysis ID: 1427198
            Start date and time: 2024-04-17 08:35:55 +02:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 5m 30s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 17
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: SCU_9028892992899029_789290929209922________________.exe
            Detection: MAL
            Classification: mal100.troj.spyw.evad.winEXE@3/4@0/0
            EGA Information:
            • Successful, ratio: 50%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 56
            • Number of non-executed functions: 267
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target RegSvcs.exe, PID 5476 because it is empty
            • Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing disassembly code.
            No simulations
            No context
            Process: C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe
            File Type: SVr4 curses screen image, big-endian
            Category: dropped
            Size (bytes): 167936
            Entropy (8bit): 7.003708305366994
            Encrypted: false
            SSDEEP:3072:DV80KipD+CqFVtNNK96uv71Naq0dM1NZL4BclDa9Ew3utrh6yuCgu:DnKipYx7uvfaq0dMNZLqc7w+Jh/uCf
            MD5:03E9843994BA6F1554102190AB161E63
            SHA1:89FB9980F5E1645EB19E8DA7E3A69C1BC4DF9C30
            SHA-256:36501069D83E196B69F9491580CCCAF0DE18B63642AECFF2E4467022700D1EDC
            SHA-512:446CF3FEF83A03A5A2EA29AA5CA46C8B7F25A4425A0F924F60511C90549A9821F59C633579BF38982C077AA6EC4018942E054DB245DD9AA990C837971EBCD035
            Malicious: false
            Reputation: low
            Preview:...FTINN53PL..LG.FWINN13.LF4LGHFWINN13PLF4LGHFWINN13PLF4LGHF.INN?,.BF.E.i.V..oe[9?fD>(/46$n-P]>#2.."h4"'n'_.....!(,#yDCD.3PLF4LG..WI.O23L..PLGHFWINN.3RMM5|GH.UINF13PLF4r.JFWiNN13PLF4.GHfWINL13TLF4LGHFSINN13PLF4OGHDWINN13RL..LGXFWYNN13@LF$LGHFWI^N13PLF4LGHF..LN~3PLF.NG.CWINN13PLF4LGHFWINN1.RLJ4LGHFWINN13PLF4LGHFWINN13PLF4LGHFWINN13PLF4LGHFWINN1.PLN4LGHFWINN13XlF4.GHFWINN13PLh@)?<FWI..33PlF4L.JFWKNN13PLF4LGHFWInN1S~>5F/GHF.LNN1.RLF2LGH.UINN13PLF4LGHF.IN..A5 )WLGDFWIN.33PNF4L.JFWINN13PLF4LG.FW.NN13PLF4LGHFWINN..RLF4LG.FWILN43.KD4..HFTINN03PJF4LGHFWINN13PLF4LGHFWINN13PLF4LGHFWINN13PLF4LGHFDyLNx3PLG4LV^L|.NH(.Q`A.MGHLMCNH&.Q`J..HHF.KNN;+ZL@,.FdA.JNN7*ZL@".FdEW^DN7).Mj6gEc.}WLf53PFl4LGKvUI.N13QLF%ZMp.WINN7,Y.G.A9JFWM!.13VSL>LA_.VeIf:3PJ^>LAU.VeB0?3PH..LGHX]IHU.2|@5yLGN.VINJ-9PJ\.MkA8ZINJ..KFF2P.Ij[7ON17?.F4JZBFQW.O.>#.F4J.JFWMQG;3VT.5`@`FUIHW;3VU.5`@`@WIHT;3VZ.5`DHQ]IHQ;.Q`D.I.....dN13C|B4rGHFVIN_'9{{F2[.IjJi.Fr"x,D4JoAFWOfI13VNQ.DEH@OCNH'.Q`E4[MH@O.Ob3.Rg..LGSvRI.N13RLF%ZJcwW@Y.0.GdC4LMh._.
            Process:C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe
            File Type:data
            Category:dropped
            Size (bytes):125974
            Entropy (8bit):7.92059338289431
            Encrypted:false
            SSDEEP:3072:BH9ONcyviKHqrvtbISDRF7XAJpxl/67+ho6:BdON1iKHqrvlISFZng9
            MD5:8E9E8EFFB8D110B1DB0E9AFA7EEA65BD
            SHA1:3CB332439380D577BE6780D4E9B7B539255E5D6C
            SHA-256:C354C0BE7143F2DC19C4F8468D483AA103C5206E9765148582E85509F752CA97
            SHA-512:6DE5ACF6A0B81C0C6A7544EE2A1592BB9357269B331E9ED43CD167882D6D0EBACCB8B9160AF229960BBD409E756FBF1A030E9B997F8C11B0A7856A8B05BDEDA0
            Malicious:false
            Reputation:low
            Preview:EA06......{.j.&.N........G.Q.....g..Q...= .;5.....O....E.Z..h...e..g.j$.Q/.M...mB.>......i".....R...He....C.E@......0*|.gL.....Z...T.l..G.p*..u..../.*.W..?j.G.Y...d.gT...L.kt.="..Q..2...Q..j.d.9.S(.@.,W.1;...).....N..`..7N.L...~...4N.L...v.l.M ..].P%3...q....u......)`.....1...Z4..8......J.F...............A)..(.@.'\..S...M(.k..Q.....#....P......)tI.S.H....:.*....../4.u..8..).j.2...R%..........m..H.......H._.;...L.K6Tk%..J.S....D..Qj..%:o).SmSk=......`*..l.b)wj.'...Ti.i-j.p..?3yegeG.Pg ..6C.....:d..A..*.ZM.t..W.....qB.O.u.E.j.PV+..EW.2.P&..e...Ri.l.J.r.......G|..5.eP..mU..>.1...Ti.*.B.Tj..|v}#....p...G....M...@.Q...E\.8...T..&.T..+@....Q.p*3.......{.F....P.).....~+.y...F.V...U..F.H...$.o....5$.H.Tc.J-".O.B$....i[....z}.g..Y.1.e..v.Rt.^...J.......a...(sJe6.....j..J....*e>.N..#f.H..#k.2.P).j..n...u.uR.G.[..u"34.S(.+%<.p..).....n...........(.Y-.OJ.Tl4zt.kx....P..Z.....4.%..P).@..e[..".*|.....).|.^.n..F..-..=..(6I4.A.S@..d.Wp.S...|..W..)2...\.Y..9d..)..X.Q..
            Process:C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe
            File Type:data
            Category:dropped
            Size (bytes):9896
            Entropy (8bit):7.599684673441806
            Encrypted:false
            SSDEEP:192:9fDyaFcKX01EhmJm1+lUNa5GshQ0qu+U55BmRf7ewHU+rlY6jXksNXE9:95F7kkmJmcl3hQPu+UrBafP5Y8kM0
            MD5:4588832AD92110E96768EC3B1A10E732
            SHA1:A5B5D053760927C5BFED225380354641CD954D86
            SHA-256:8C0DC9ADC1DBF5EB47B3C1BE00E765AE11E62AE196245B612A42696CA0B16300
            SHA-512:E15CBFA7A189B11AA1EE10286162C23195BAA4390693C967EBA7CC1647ED929AEBB13848EB2C2A4C1484C65ECA53638DB6BCD9704E26AFF36220A88FC3D4A123
            Malicious:false
            Reputation:low
            Preview:EA06..t$...:5.g9.Q&T9..c3.P..Y..eB..&3.$.E.M.....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...|.I..W.d...|vI..W.d...|vK..W.d...|vK(.W.e...|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d........#...
            Process:C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe
            File Type:ASCII text, with very long lines (29732), with no line terminators
            Category:modified
            Size (bytes):29732
            Entropy (8bit):3.543169688440123
            Encrypted:false
            SSDEEP:768:ciTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+I76Md4vfF3if6gyU:ciTZ+2QoioGRk6ZklputwjpjBkCiw2RF
            MD5:35CD505BECD82881CB5A85ECA966F1CF
            SHA1:3A2701675E00B88F83FB423F4D2FC3E8B4213E40
            SHA-256:D9B1AFE049626BAF313BA1840D5A23790C18F798F5A14273022AC8C0E3DA85C9
            SHA-512:95EA4F90FC58FDA8EB30B0AF25C13D1261148174D334F24D224798DB598E0F0E2E849AE5E1DA761CBD72FC828171B6DAA0DEB3C1EBB5C20B410B2222C19788E8
            Malicious:false
            Reputation:low
            Preview:
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.871537061488949
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SCU_9028892992899029_789290929209922________________.exe
            File size:1'059'840 bytes
            MD5:bbc13924be0c7a3ba79084d630234692
            SHA1:c94f800d87ee60f2c48e7023504d8859dcaa19b3
            SHA256:2a1ab3dd3ed3b1bf3d4430f92e5872599c64e5ca5db73d9e8449be9df5953470
            SHA512:9ecbe0fb824a72161ca75c02d15574aa319329584c21e561ecbe82a87dbc606cd327885b7878e494e900cab58cff3c1ade5eaca029f46180d757729da479895e
            SSDEEP:24576:YAHnh+eWsN3skA4RV1Hom2KXMmHaTFQhMhv5:fh+ZkldoPK8YaTSW
            TLSH:66358C3263918335FFAB9E73DB5DB20D56BC6D250123842FD29C2F79A9F01B1126D262
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
            Icon Hash:1a5ada12a98c3689
            Entrypoint:0x42800a
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x661E3592 [Tue Apr 16 08:23:46 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7
            Instruction
            call 00007F30788264FDh
            jmp 00007F30788192B4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F307881943Ah
            cmp edi, eax
            jc 00007F307881979Eh
            bt dword ptr [004C41FCh], 01h
            jnc 00007F3078819439h
            rep movsb
            jmp 00007F307881974Ch
            cmp ecx, 00000080h
            jc 00007F3078819604h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F3078819440h
            bt dword ptr [004BF324h], 01h
            jc 00007F3078819910h
            bt dword ptr [004C41FCh], 00000000h
            jnc 00007F30788195DDh
            test edi, 00000003h
            jne 00007F30788195EEh
            test esi, 00000003h
            jne 00007F30788195CDh
            bt edi, 02h
            jnc 00007F307881943Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F3078819443h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F3078819495h
            bt esi, 03h
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD5 build 40629
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD5 build 40629
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x385a4 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x101000 | 0x7134 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc8000 | 0x385a4 | 0x38600 | 8909ce64127bad3d30d4216f26a79abc | False | 0.6863263927383592 | data | 7.039429864913265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x101000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
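The per-file fields in the dropped-file entries above (size, 8-bit entropy, MD5 and SHA hashes) and the per-section columns of this table (entropy, ZLIB complexity, MD5, raw versus virtual size, characteristics) can all be recomputed from a file with nothing but the Python standard library. The script below is an added example written for this page; it is not code from the report or from Joe Security. It parses the COFF section table directly, so it does not depend on pefile, and the minimal PE that build_test_pe() assembles in memory is constructed for the demonstration only (it is not loadable and is not the analysed sample). The thresholds behind the per-section notes (entropy above 7.0 in a code section, executable and writable together) are the author's heuristics, not values the report uses.

```python
"""Recompute the dropped-file fields (size, entropy, MD5/SHA-256) and the
section-table columns (entropy, zlib complexity, MD5, raw vs. virtual size,
characteristics) with the standard library only. Added example, not code from the
report; build_test_pe() constructs a minimal PE in memory for the demo and is not
the analysed sample. The thresholds behind the notes are the author's heuristics."""
import hashlib
import math
import struct
import zlib

FILE_ALIGN = 0x200
CODE, INIT_DATA, DISCARD = 0x00000020, 0x00000040, 0x02000000
EXECUTE, READ, WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FLAGS = [  # IMAGE_SECTION_HEADER.Characteristics bits (winnt.h), ascending
    (CODE, "IMAGE_SCN_CNT_CODE"), (INIT_DATA, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (DISCARD, "IMAGE_SCN_MEM_DISCARDABLE"), (EXECUTE, "IMAGE_SCN_MEM_EXECUTE"),
    (READ, "IMAGE_SCN_MEM_READ"), (WRITE, "IMAGE_SCN_MEM_WRITE"),
]

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts, n = [0] * 256, len(data)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def zlib_complexity(data: bytes) -> float:
    """len(compressed)/len(raw); about 1.0 means already compressed or encrypted."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0

def blob_stats(data: bytes) -> dict:
    """The fields a dropped-file entry reports (ssdeep left out: not in the stdlib)."""
    return {"size": len(data), "entropy": shannon_entropy(data),
            "md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def analyze_sections(pe: bytes) -> list:
    """Walk the COFF section table (PE32 or PE32+) and score every section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section headers follow it
    out = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(raw)
        notes = []
        if chars & EXECUTE and chars & WRITE:
            notes.append("writable_code")       # packer / self-modifying stub territory
        if chars & CODE and entropy > 7.0:
            notes.append("high_entropy_code")   # code that looks compressed or encrypted
        if vsize > raw_size:
            notes.append("uninitialized_tail")  # zero-filled at load time; normal for .data
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                    "md5": hashlib.md5(raw).hexdigest(), "entropy": entropy,
                    "zlib_complexity": zlib_complexity(raw),
                    "characteristics": [n for bit, n in SECTION_FLAGS if chars & bit],
                    "notes": notes})
    return out

def build_test_pe(sections) -> bytes:
    """Minimal PE32 (DOS header, COFF header, zeroed optional header, section table,
    file-aligned data) from [(name, va, vsize, raw_bytes, characteristics)]. Demo only."""
    opt_size = 0xE0
    body_start = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    hdrs, body, raw_ptr = bytearray(), bytearray(), body_start
    for name, va, vsize, raw, chars in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(hdrs)
    return head.ljust(body_start, b"\0") + bytes(body)

# Constructed content: SHA-256 digests stand in for packed code, zeros for .data.
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
TEST_PE = build_test_pe([
    (".text", 0x1000, len(RANDOM_LIKE), RANDOM_LIKE, CODE | EXECUTE | READ),
    (".data", 0x2000, 0x8000, b"\0" * 0x1000, INIT_DATA | READ | WRITE),
])

if __name__ == "__main__":
    for s in analyze_sections(TEST_PE):
        print(s["name"], hex(s["virtual_address"]), round(s["entropy"], 3),
              round(s["zlib_complexity"], 3), s["notes"])
```

Reading the tables above with these helpers in mind: a ZLIB complexity close to 1.0, as reported for the RT_RCDATA resource, means the bytes do not compress at all, so they are already compressed or encrypted; the .data section's virtual size (0x8f74) exceeding its raw size (0x5200) is the ordinary zero-filled tail the loader creates, not evidence of tampering.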
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc8458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc8580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc86a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc87d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.046891636105524666
            RT_MENU | 0xd8ff8 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xd9048 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xd95dc | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xd9c68 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xda0f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xda6f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xdad50 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xdb1b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xdb310 | 0x24d48 | data |  |  | 1.0003712149334465
            RT_GROUP_ICON | 0x100058 | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x10006c | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x100080 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x100094 | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x1000a8 | 0x10c | data | English | Great Britain | 0.5895522388059702
            RT_MANIFEST | 0x1001b4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            DLL | Import
            WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
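The Import Hash in the static information above is an imphash, derived from exactly this import table: for each DLL in import-directory order the name is lower-cased and a .dll/.ocx/.sys extension dropped, every imported function becomes "dll.function" in table order, the strings are joined with commas and the MD5 of the result is the hash. The function below is an added example written for this page (it is not the report's code and not pefile itself); it follows the pefile/Mandiant convention for name imports and writes imports by ordinal as "dll.ordN", whereas pefile additionally maps known ordinals of ws2_32, wsock32 and oleaut32 to names, so a file importing those by ordinal would hash differently here. SAMPLE_IMPORTS is a constructed slice of the table (three DLLs, a few names), so its hash is not the value on the page; feeding the complete table in the printed order is how you would check against afcdf79be1557326c854b6e20cb900a7.

```python
"""imphash reimplementation for an import table like the one above.
Added example, not from the report or from pefile. Name imports only;
ordinals are written "dll.ordN" without pefile's ordinal-to-name tables."""
import hashlib

_STRIPPED_EXTS = ("dll", "ocx", "sys")


def _normalize_dll(dll: str) -> str:
    """lower-case the DLL name and drop a .dll/.ocx/.sys extension."""
    dll = dll.lower()
    base, dot, ext = dll.rpartition(".")
    return base if dot and ext in _STRIPPED_EXTS else dll


def imphash_string(imports) -> str:
    """imports: sequence of (dll_name, [function_name_or_int_ordinal, ...]) in
    import-directory order. Order matters: reordering changes the hash."""
    parts = []
    for dll, funcs in imports:
        lib = _normalize_dll(dll)
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f
            parts.append(f"{lib}.{name.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed slice of the table above; the page's hash covers the whole table.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", ["WSACleanup", "socket", "inet_ntoa"]),
    ("VERSION.dll", ["GetFileVersionInfoW", "GetFileVersionInfoSizeW", "VerQueryValueW"]),
    ("PSAPI.DLL", ["GetProcessMemoryInfo"]),
]

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

One caveat when pivoting on this value: a compiled AutoIt script is the stock interpreter stub with the script carried in a resource, so the import table, and with it the imphash, belongs to the stub rather than to the payload. Searching a malware repository for this imphash returns every binary built with the same stub, not this family; the resource hashes and the injected-memory Yara matches are the better pivots for a sample like this one.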
            Language of compilation system | Country where language is spoken
            English | Great Britain
            No network behavior found


            Target ID:0
            Start time:08:36:42
            Start date:17/04/2024
            Path:C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe"
            Imagebase:0xc10000
            File size:1'059'840 bytes
            MD5 hash:BBC13924BE0C7A3BA79084D630234692
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1204947706.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:08:36:43
            Start date:17/04/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe"
            Imagebase:0xe40000
            File size:45'984 bytes
            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.2448214756.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:false
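Target ID 2 above is the record that matters for detection: the image is RegSvcs.exe from the .NET Framework directory, yet its command line is the sample's own path, and the AgentTesla Yara rule fires on memory inside that process (the region at 0x402000) rather than on a file on disk. In process-creation telemetry an image whose command line names a different executable is a strong indicator of process hollowing or a remote-mapped payload, and a trusted host binary started that way by an unsigned file under a user profile is the pattern to alert on. The script below is an added example, not part of the Joe Sandbox report: the three event records are constructed (the first two mirror Target 0 and Target 2, the third is a benign RegSvcs.exe invocation used as a control), the field names follow Sysmon Event ID 1, and both the KNOWN_HOLLOW_HOSTS set and the padded-extension heuristic (a long run of underscores or spaces before a short extension, as in the sample's own file name) are assumptions by the author of this example.

```python
"""Flag the image / command-line mismatch visible in Target ID 2 above.
Added example, not part of the Joe Sandbox report. EVENTS is constructed:
the first two records mirror Target 0 and Target 2 in the process list, the
third is a benign RegSvcs.exe invocation used as a control. Field names follow
Sysmon Event ID 1; KNOWN_HOLLOW_HOSTS and the padded-extension heuristic are
assumptions by the author of this example."""
import ntpath
import re

# Signed Microsoft binaries commonly started suspended and overwritten with a
# payload (assumed list for illustration; extend it from your own telemetry).
KNOWN_HOLLOW_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe",
}
# Eight or more spaces/underscores directly before a short extension.
_PADDED_EXT = re.compile(r"[ _]{8,}\.[a-z0-9]{1,4}$", re.IGNORECASE)


def command_line_image(cmdline: str) -> str:
    """argv[0] of a Windows command line: the quoted first token, or everything
    up to the first whitespace when unquoted."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def padded_extension(filename: str) -> bool:
    return _PADDED_EXT.search(filename) is not None


def analyze_event(event: dict) -> list:
    """Return the findings (strings) for one process-creation event."""
    image_name = ntpath.basename(event["Image"]).lower()
    argv0_name = ntpath.basename(command_line_image(event["CommandLine"])).lower()
    findings = []
    if argv0_name and argv0_name != image_name:
        findings.append(f"image/commandline mismatch: {image_name} started as {argv0_name}")
        if image_name in KNOWN_HOLLOW_HOSTS:
            findings.append(f"known hollowing host {image_name} with a foreign command line")
    if padded_extension(image_name) or padded_extension(argv0_name):
        findings.append("padded file extension")
    return findings


SAMPLE = r"C:\Users\user\Desktop\SCU_9028892992899029_789290929209922________________.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [  # constructed records
    {"Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},                        # Target ID 0
    {"Image": REGSVCS, "CommandLine": f'"{SAMPLE}"'},                       # Target ID 2
    {"Image": REGSVCS, "CommandLine": f'"{REGSVCS}" /u C:\\tmp\\lib.dll'},  # benign control
]


def triage(events=EVENTS) -> dict:
    """Map each event index to its findings; an empty list means nothing flagged."""
    return {i: analyze_event(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for idx, findings in triage().items():
        print(idx, EVENTS[idx]["Image"], findings or "clean")
```

The same comparison can be expressed as a Sigma or EDR query (Image basename not equal to the basename of the first command-line token, with the host-binary list as an additional selection); the Python version is here so the parsing of quoted command lines, which is where such rules usually go wrong, is explicit.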


              Execution Graph

              Execution Coverage:3.9%
              Dynamic/Decrypted Code Coverage:0.4%
              Signature Coverage:6.2%
              Total number of Nodes:2000
              Total number of Limit Nodes:182
              execution_graph: [interactive node/edge rendering not reproduced; the serialised listing, node ids 98522 onward, is cut off mid-stream in the source]. The call sequence recoverable from it runs from the CRT entry at c37e93 (GetStartupInfoW, GetProcessHeap, TlsAlloc, InitializeCriticalSectionAndSpinCount, GetCommandLineW, GetEnvironmentStringsW, GetModuleFileNameW) through IsThemeActive and SystemParametersInfoW, an IsDebuggerPresent check whose positive branch reaches MessageBoxA, GetCurrentDirectoryW and SetCurrentDirectoryW, GetOpenFileNameW, GetFullPathNameW, an AllocateAndInitializeSid / CheckTokenMembership / FreeSid administrator check, window setup via GetSysColorBrush, LoadCursorW, LoadIconW, LoadImageW, EnumResourceNamesW, RegisterClassExW, CreateWindowExW and ShowWindow, and a PeekMessageW / TranslateMessage / DispatchMessageW / TranslateAcceleratorW message loop that uses timeGetTime, WaitForSingleObject and Sleep.
c55f22 Sleep 99033->99063 99035 c1b89c 314 API calls 99035->99079 99038 c210ae timeGetTime 99050 c19fbd 60 API calls 99050->99079 99059 c1a000 314 API calls 99059->99079 99064 c210f5 99063->99064 99063->99079 99067 c7a0b5 89 API calls 99067->99079 99068 c19df0 59 API calls Mailbox 99068->99079 99069 c18620 69 API calls 99069->99079 99071 c666f4 59 API calls Mailbox 99071->99079 99072 c17f41 59 API calls 99072->99079 99073 c18b13 69 API calls 99073->99079 99074 c559ff VariantClear 99074->99079 99075 c55a95 VariantClear 99075->99079 99076 c55843 VariantClear 99076->99079 99077 c67405 59 API calls 99077->99079 99078 c18e34 59 API calls Mailbox 99078->99079 99079->99011 99079->99015 99079->99017 99079->99022 99079->99023 99079->99024 99079->99025 99079->99026 99079->99027 99079->99030 99079->99031 99079->99033 99079->99035 99079->99038 99079->99050 99079->99059 99079->99063 99079->99064 99079->99067 99079->99068 99079->99069 99079->99071 99079->99072 99079->99073 99079->99074 99079->99075 99079->99076 99079->99077 99079->99078 100501 c1e580 99079->100501 100508 c1e800 99079->100508 100539 c1f5c0 99079->100539 100558 c1fe40 341 API calls 2 library calls 99079->100558 100559 c131ce IsDialogMessageW GetClassLongW 99079->100559 99081->98816 99082->98828 99084 c41b90 __ftell_nolock 99083->99084 99085 c14871 GetModuleFileNameW 99084->99085 99086 c17f41 59 API calls 99085->99086 99087 c14897 99086->99087 99088 c148ae 60 API calls 99087->99088 99089 c148a1 Mailbox 99088->99089 99089->98835 99112 c30ffe 99110->99112 99113 c31018 99112->99113 99115 c3101c std::exception::exception 99112->99115 99120 c3594c 99112->99120 99137 c335e1 DecodePointer 99112->99137 99113->98859 99138 c387db RaiseException 99115->99138 99117 c31046 99139 c38711 58 API calls _free 99117->99139 99119 c31058 99119->98859 99121 c359c7 99120->99121 99134 c35958 99120->99134 99146 c335e1 DecodePointer 99121->99146 99123 c359cd 99147 c38d68 58 API calls __getptd_noexit 99123->99147 99124 c35963 99124->99134 
99140 c3a3ab 58 API calls 2 library calls 99124->99140 99141 c3a408 58 API calls 6 library calls 99124->99141 99142 c332df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99124->99142 99127 c3598b RtlAllocateHeap 99128 c359bf 99127->99128 99127->99134 99128->99112 99130 c359b3 99144 c38d68 58 API calls __getptd_noexit 99130->99144 99134->99124 99134->99127 99134->99130 99135 c359b1 99134->99135 99143 c335e1 DecodePointer 99134->99143 99145 c38d68 58 API calls __getptd_noexit 99135->99145 99137->99112 99138->99117 99139->99119 99140->99124 99141->99124 99143->99134 99144->99135 99145->99128 99146->99123 99147->99128 99149 c13d50 __ftell_nolock 99148->99149 99150 c17d2c 59 API calls 99149->99150 99160 c13eb6 Mailbox 99149->99160 99152 c13d82 99150->99152 99153 c13db8 Mailbox 99152->99153 99274 c17b52 99152->99274 99154 c13e89 99153->99154 99156 c17f41 59 API calls 99153->99156 99153->99160 99161 c17b52 59 API calls 99153->99161 99277 c13f84 99153->99277 99155 c17f41 59 API calls 99154->99155 99154->99160 99157 c13eaa 99155->99157 99156->99153 99158 c13f84 59 API calls 99157->99158 99158->99160 99160->98866 99161->99153 99287 c14d13 99162->99287 99167 c14f68 LoadLibraryExW 99297 c14cc8 99167->99297 99168 c4dd0f 99169 c14faa 84 API calls 99168->99169 99171 c4dd16 99169->99171 99173 c14cc8 3 API calls 99171->99173 99175 c4dd1e 99173->99175 99323 c1506b 99175->99323 99176 c14f8f 99176->99175 99177 c14f9b 99176->99177 99179 c14faa 84 API calls 99177->99179 99181 c137e6 99179->99181 99181->98873 99181->98874 99183 c4dd45 99331 c15027 99183->99331 99185 c4dd52 99187 c181b2 99186->99187 99188 c13801 99186->99188 99761 c180d7 59 API calls 2 library calls 99187->99761 99190 c193ea 99188->99190 99191 c30ff6 Mailbox 59 API calls 99190->99191 99192 c1380d 99191->99192 99192->98887 99194 c1862b 99193->99194 99196 c18652 99194->99196 99762 c18b13 69 API calls Mailbox 99194->99762 99196->98891 99198 c13f05 99197->99198 99199 c13eec 99197->99199 99201 c17d2c 59 API 
calls 99198->99201 99200 c181a7 59 API calls 99199->99200 99202 c1388b 99200->99202 99201->99202 99203 c3313d 99202->99203 99204 c33149 99203->99204 99205 c331be 99203->99205 99212 c3316e 99204->99212 99763 c38d68 58 API calls __getptd_noexit 99204->99763 99765 c331d0 60 API calls 4 library calls 99205->99765 99208 c331cb 99208->98912 99209 c33155 99764 c38ff6 9 API calls strtoxl 99209->99764 99211 c33160 99211->98912 99212->98912 99214 c19436 99213->99214 99215 c30ff6 Mailbox 59 API calls 99214->99215 99216 c19444 99215->99216 99218 c13936 99216->99218 99766 c1935c 59 API calls Mailbox 99216->99766 99219 c191b0 99218->99219 99767 c192c0 99219->99767 99221 c191bf 99222 c30ff6 Mailbox 59 API calls 99221->99222 99223 c13944 99221->99223 99222->99223 99224 c19040 99223->99224 99225 c4f5a5 99224->99225 99231 c19057 99224->99231 99225->99231 99777 c18d3b 59 API calls Mailbox 99225->99777 99227 c191a0 99776 c19e9c 60 API calls Mailbox 99227->99776 99228 c19158 99229 c30ff6 Mailbox 59 API calls 99228->99229 99232 c1915f 99229->99232 99231->99227 99231->99228 99231->99232 99232->98940 99234 c15045 85 API calls 99233->99234 99235 c79854 99234->99235 99778 c799be 99235->99778 99238 c1506b 74 API calls 99239 c79881 99238->99239 99240 c1506b 74 API calls 99239->99240 99241 c79891 99240->99241 99242 c1506b 74 API calls 99241->99242 99243 c798ac 99242->99243 99244 c1506b 74 API calls 99243->99244 99245 c798c7 99244->99245 99246 c15045 85 API calls 99245->99246 99247 c798de 99246->99247 99248 c3594c __malloc_crt 58 API calls 99247->99248 99249 c798e5 99248->99249 99250 c3594c __malloc_crt 58 API calls 99249->99250 99251 c798ef 99250->99251 99252 c1506b 74 API calls 99251->99252 99253 c79903 99252->99253 99254 c79393 GetSystemTimeAsFileTime 99253->99254 99255 c79916 99254->99255 99256 c79940 99255->99256 99257 c7992b 99255->99257 99259 c79946 99256->99259 99260 c799a5 99256->99260 99258 c32f95 _free 58 API calls 99257->99258 99263 c79931 99258->99263 99784 c78d90 99259->99784 
99262 c32f95 _free 58 API calls 99260->99262 99265 c4d3c1 99262->99265 99266 c32f95 _free 58 API calls 99263->99266 99265->98877 99268 c14faa 99265->99268 99266->99265 99267 c32f95 _free 58 API calls 99267->99265 99269 c14fb4 99268->99269 99271 c14fbb 99268->99271 99270 c355d6 __fcloseall 83 API calls 99269->99270 99270->99271 99272 c14fdb FreeLibrary 99271->99272 99273 c14fca 99271->99273 99272->99273 99273->98877 99283 c17faf 99274->99283 99276 c17b5d 99276->99152 99278 c13fb4 _memmove 99277->99278 99279 c13f92 99277->99279 99280 c30ff6 Mailbox 59 API calls 99278->99280 99281 c30ff6 Mailbox 59 API calls 99279->99281 99282 c13fc8 99280->99282 99281->99278 99282->99153 99284 c17fc2 99283->99284 99286 c17fbf _memmove 99283->99286 99285 c30ff6 Mailbox 59 API calls 99284->99285 99285->99286 99286->99276 99336 c14d61 99287->99336 99290 c14d61 2 API calls 99293 c14d3a 99290->99293 99291 c14d53 99294 c3548b 99291->99294 99292 c14d4a FreeLibrary 99292->99291 99293->99291 99293->99292 99340 c354a0 99294->99340 99296 c14f5c 99296->99167 99296->99168 99498 c14d94 99297->99498 99300 c14d08 99304 c14dd0 99300->99304 99301 c14cff FreeLibrary 99301->99300 99302 c14d94 2 API calls 99303 c14ced 99302->99303 99303->99300 99303->99301 99305 c30ff6 Mailbox 59 API calls 99304->99305 99306 c14de5 99305->99306 99502 c1538e 99306->99502 99308 c14df1 _memmove 99309 c14e2c 99308->99309 99310 c14f21 99308->99310 99311 c14ee9 99308->99311 99312 c15027 69 API calls 99309->99312 99516 c79ba5 95 API calls 99310->99516 99505 c14fe9 CreateStreamOnHGlobal 99311->99505 99320 c14e35 99312->99320 99315 c1506b 74 API calls 99315->99320 99317 c14ec9 99317->99176 99318 c4dcd0 99319 c15045 85 API calls 99318->99319 99321 c4dce4 99319->99321 99320->99315 99320->99317 99320->99318 99511 c15045 99320->99511 99322 c1506b 74 API calls 99321->99322 99322->99317 99324 c4ddf6 99323->99324 99325 c1507d 99323->99325 99540 c35812 99325->99540 99328 c79393 99738 c791e9 99328->99738 99330 c793a9 99330->99183 99332 
c15036 99331->99332 99333 c4ddb9 99331->99333 99743 c35e90 99332->99743 99335 c1503e 99335->99185 99337 c14d2e 99336->99337 99338 c14d6a LoadLibraryA 99336->99338 99337->99290 99337->99293 99338->99337 99339 c14d7b GetProcAddress 99338->99339 99339->99337 99343 c354ac ___lock_fhandle 99340->99343 99341 c354bf 99389 c38d68 58 API calls __getptd_noexit 99341->99389 99343->99341 99345 c354f0 99343->99345 99344 c354c4 99390 c38ff6 9 API calls strtoxl 99344->99390 99359 c40738 99345->99359 99348 c354f5 99349 c3550b 99348->99349 99350 c354fe 99348->99350 99352 c35535 99349->99352 99353 c35515 99349->99353 99391 c38d68 58 API calls __getptd_noexit 99350->99391 99374 c40857 99352->99374 99392 c38d68 58 API calls __getptd_noexit 99353->99392 99355 c354cf ___lock_fhandle @_EH4_CallFilterFunc@8 99355->99296 99360 c40744 ___lock_fhandle 99359->99360 99361 c39e4b __lock 58 API calls 99360->99361 99372 c40752 99361->99372 99362 c407c6 99394 c4084e 99362->99394 99363 c407cd 99399 c38a5d 58 API calls 2 library calls 99363->99399 99366 c407d4 99366->99362 99400 c3a06b InitializeCriticalSectionAndSpinCount 99366->99400 99367 c40843 ___lock_fhandle 99367->99348 99369 c39ed3 __mtinitlocknum 58 API calls 99369->99372 99371 c407fa EnterCriticalSection 99371->99362 99372->99362 99372->99363 99372->99369 99397 c36e8d 59 API calls __lock 99372->99397 99398 c36ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99372->99398 99375 c40877 __wopenfile 99374->99375 99376 c40891 99375->99376 99388 c40a4c 99375->99388 99407 c33a0b 60 API calls 3 library calls 99375->99407 99405 c38d68 58 API calls __getptd_noexit 99376->99405 99378 c40896 99406 c38ff6 9 API calls strtoxl 99378->99406 99380 c35540 99393 c35562 LeaveCriticalSection LeaveCriticalSection __wfsopen 99380->99393 99381 c40aaf 99402 c487f1 99381->99402 99384 c40a45 99384->99388 99408 c33a0b 60 API calls 3 library calls 99384->99408 99386 c40a64 99386->99388 99409 c33a0b 60 API calls 3 library calls 99386->99409 99388->99376 
99388->99381 99389->99344 99390->99355 99391->99355 99392->99355 99393->99355 99401 c39fb5 LeaveCriticalSection 99394->99401 99396 c40855 99396->99367 99397->99372 99398->99372 99399->99366 99400->99371 99401->99396 99410 c47fd5 99402->99410 99404 c4880a 99404->99380 99405->99378 99406->99380 99407->99384 99408->99386 99409->99388 99413 c47fe1 ___lock_fhandle 99410->99413 99411 c47ff7 99495 c38d68 58 API calls __getptd_noexit 99411->99495 99413->99411 99414 c4802d 99413->99414 99421 c4809e 99414->99421 99415 c47ffc 99496 c38ff6 9 API calls strtoxl 99415->99496 99418 c48049 99497 c48072 LeaveCriticalSection __unlock_fhandle 99418->99497 99420 c48006 ___lock_fhandle 99420->99404 99422 c480be 99421->99422 99423 c3471a __wsopen_nolock 58 API calls 99422->99423 99426 c480da 99423->99426 99424 c39006 __invoke_watson 8 API calls 99425 c487f0 99424->99425 99428 c47fd5 __wsopen_helper 103 API calls 99425->99428 99427 c48114 99426->99427 99434 c48137 99426->99434 99494 c48211 99426->99494 99429 c38d34 __chsize_nolock 58 API calls 99427->99429 99430 c4880a 99428->99430 99431 c48119 99429->99431 99430->99418 99432 c38d68 __flswbuf 58 API calls 99431->99432 99433 c48126 99432->99433 99436 c38ff6 strtoxl 9 API calls 99433->99436 99435 c481f5 99434->99435 99443 c481d3 99434->99443 99437 c38d34 __chsize_nolock 58 API calls 99435->99437 99438 c48130 99436->99438 99439 c481fa 99437->99439 99438->99418 99440 c38d68 __flswbuf 58 API calls 99439->99440 99441 c48207 99440->99441 99442 c38ff6 strtoxl 9 API calls 99441->99442 99442->99494 99444 c3d4d4 __alloc_osfhnd 61 API calls 99443->99444 99445 c482a1 99444->99445 99446 c482ce 99445->99446 99447 c482ab 99445->99447 99449 c47f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99446->99449 99448 c38d34 __chsize_nolock 58 API calls 99447->99448 99450 c482b0 99448->99450 99460 c482f0 99449->99460 99451 c38d68 __flswbuf 58 API calls 99450->99451 99453 c482ba 99451->99453 99452 c4836e GetFileType 99454 c48379 GetLastError 
99452->99454 99455 c483bb 99452->99455 99458 c38d68 __flswbuf 58 API calls 99453->99458 99459 c38d47 __dosmaperr 58 API calls 99454->99459 99464 c3d76a __set_osfhnd 59 API calls 99455->99464 99456 c4833c GetLastError 99457 c38d47 __dosmaperr 58 API calls 99456->99457 99461 c48361 99457->99461 99458->99438 99462 c483a0 CloseHandle 99459->99462 99460->99452 99460->99456 99463 c47f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99460->99463 99467 c38d68 __flswbuf 58 API calls 99461->99467 99462->99461 99465 c483ae 99462->99465 99466 c48331 99463->99466 99470 c483d9 99464->99470 99468 c38d68 __flswbuf 58 API calls 99465->99468 99466->99452 99466->99456 99467->99494 99469 c483b3 99468->99469 99469->99461 99471 c48594 99470->99471 99472 c41b11 __lseeki64_nolock 60 API calls 99470->99472 99491 c4845a 99470->99491 99473 c48767 CloseHandle 99471->99473 99471->99494 99474 c48443 99472->99474 99475 c47f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99473->99475 99477 c38d34 __chsize_nolock 58 API calls 99474->99477 99474->99491 99476 c4878e 99475->99476 99478 c48796 GetLastError 99476->99478 99479 c487c2 99476->99479 99477->99491 99480 c38d47 __dosmaperr 58 API calls 99478->99480 99479->99494 99482 c487a2 99480->99482 99481 c4848c 99485 c499f2 __chsize_nolock 82 API calls 99481->99485 99481->99491 99486 c3d67d __free_osfhnd 59 API calls 99482->99486 99483 c40d2d __close_nolock 61 API calls 99483->99491 99484 c410ab 70 API calls __read_nolock 99484->99491 99485->99481 99486->99479 99487 c3dac6 __write 78 API calls 99487->99491 99488 c48611 99489 c40d2d __close_nolock 61 API calls 99488->99489 99490 c48618 99489->99490 99493 c38d68 __flswbuf 58 API calls 99490->99493 99491->99471 99491->99481 99491->99483 99491->99484 99491->99487 99491->99488 99492 c41b11 60 API calls __lseeki64_nolock 99491->99492 99492->99491 99493->99494 99494->99424 99495->99415 99496->99420 99497->99420 99499 c14ce1 99498->99499 99500 c14d9d LoadLibraryA 99498->99500 
99499->99302 99499->99303 99500->99499 99501 c14dae GetProcAddress 99500->99501 99501->99499 99503 c30ff6 Mailbox 59 API calls 99502->99503 99504 c153a0 99503->99504 99504->99308 99506 c15003 FindResourceExW 99505->99506 99510 c15020 99505->99510 99507 c4dd5c LoadResource 99506->99507 99506->99510 99508 c4dd71 SizeofResource 99507->99508 99507->99510 99509 c4dd85 LockResource 99508->99509 99508->99510 99509->99510 99510->99309 99512 c4ddd4 99511->99512 99513 c15054 99511->99513 99517 c35a7d 99513->99517 99515 c15062 99515->99320 99516->99309 99518 c35a89 ___lock_fhandle 99517->99518 99519 c35a9b 99518->99519 99521 c35ac1 99518->99521 99530 c38d68 58 API calls __getptd_noexit 99519->99530 99532 c36e4e 99521->99532 99522 c35aa0 99531 c38ff6 9 API calls strtoxl 99522->99531 99525 c35ac7 99538 c359ee 83 API calls 5 library calls 99525->99538 99527 c35ad6 99539 c35af8 LeaveCriticalSection LeaveCriticalSection __wfsopen 99527->99539 99528 c35aab ___lock_fhandle 99528->99515 99530->99522 99531->99528 99533 c36e80 EnterCriticalSection 99532->99533 99534 c36e5e 99532->99534 99536 c36e76 99533->99536 99534->99533 99535 c36e66 99534->99535 99537 c39e4b __lock 58 API calls 99535->99537 99536->99525 99537->99536 99538->99527 99539->99528 99543 c3582d 99540->99543 99542 c1508e 99542->99328 99544 c35839 ___lock_fhandle 99543->99544 99545 c3587c 99544->99545 99546 c35874 ___lock_fhandle 99544->99546 99548 c3584f _memset 99544->99548 99547 c36e4e __lock_file 59 API calls 99545->99547 99546->99542 99549 c35882 99547->99549 99570 c38d68 58 API calls __getptd_noexit 99548->99570 99556 c3564d 99549->99556 99552 c35869 99571 c38ff6 9 API calls strtoxl 99552->99571 99560 c35668 _memset 99556->99560 99563 c35683 99556->99563 99557 c35673 99668 c38d68 58 API calls __getptd_noexit 99557->99668 99559 c35678 99669 c38ff6 9 API calls strtoxl 99559->99669 99560->99557 99560->99563 99567 c356c3 99560->99567 99572 c358b6 LeaveCriticalSection LeaveCriticalSection __wfsopen 99563->99572 99564 
c357d4 _memset 99671 c38d68 58 API calls __getptd_noexit 99564->99671 99567->99563 99567->99564 99573 c34916 99567->99573 99580 c410ab 99567->99580 99648 c40df7 99567->99648 99670 c40f18 58 API calls 4 library calls 99567->99670 99570->99552 99571->99546 99572->99546 99574 c34920 99573->99574 99575 c34935 99573->99575 99672 c38d68 58 API calls __getptd_noexit 99574->99672 99575->99567 99577 c34925 99673 c38ff6 9 API calls strtoxl 99577->99673 99579 c34930 99579->99567 99581 c410e3 99580->99581 99582 c410cc 99580->99582 99584 c4181b 99581->99584 99588 c4111d 99581->99588 99683 c38d34 58 API calls __getptd_noexit 99582->99683 99699 c38d34 58 API calls __getptd_noexit 99584->99699 99585 c410d1 99684 c38d68 58 API calls __getptd_noexit 99585->99684 99590 c41125 99588->99590 99597 c4113c 99588->99597 99589 c41820 99700 c38d68 58 API calls __getptd_noexit 99589->99700 99685 c38d34 58 API calls __getptd_noexit 99590->99685 99593 c41131 99701 c38ff6 9 API calls strtoxl 99593->99701 99594 c4112a 99686 c38d68 58 API calls __getptd_noexit 99594->99686 99596 c41151 99687 c38d34 58 API calls __getptd_noexit 99596->99687 99597->99596 99599 c4116b 99597->99599 99601 c41189 99597->99601 99628 c410d8 99597->99628 99599->99596 99604 c41176 99599->99604 99688 c38a5d 58 API calls 2 library calls 99601->99688 99674 c45ebb 99604->99674 99605 c41199 99606 c411a1 99605->99606 99607 c411bc 99605->99607 99689 c38d68 58 API calls __getptd_noexit 99606->99689 99691 c41b11 60 API calls 3 library calls 99607->99691 99608 c4128a 99610 c41303 ReadFile 99608->99610 99615 c412a0 GetConsoleMode 99608->99615 99613 c41325 99610->99613 99614 c417e3 GetLastError 99610->99614 99612 c411a6 99690 c38d34 58 API calls __getptd_noexit 99612->99690 99613->99614 99621 c412f5 99613->99621 99617 c412e3 99614->99617 99618 c417f0 99614->99618 99619 c412b4 99615->99619 99620 c41300 99615->99620 99630 c412e9 99617->99630 99692 c38d47 58 API calls 3 library calls 99617->99692 99697 c38d68 58 API calls __getptd_noexit 
99618->99697 99619->99620 99623 c412ba ReadConsoleW 99619->99623 99620->99610 99621->99630 99631 c4135a 99621->99631 99640 c415c7 99621->99640 99623->99621 99625 c412dd GetLastError 99623->99625 99624 c417f5 99698 c38d34 58 API calls __getptd_noexit 99624->99698 99625->99617 99628->99567 99629 c32f95 _free 58 API calls 99629->99628 99630->99628 99630->99629 99632 c413c6 ReadFile 99631->99632 99638 c41447 99631->99638 99635 c413e7 GetLastError 99632->99635 99646 c413f1 99632->99646 99634 c416cd ReadFile 99641 c416f0 GetLastError 99634->99641 99647 c416fe 99634->99647 99635->99646 99636 c41504 99642 c414b4 MultiByteToWideChar 99636->99642 99695 c41b11 60 API calls 3 library calls 99636->99695 99637 c414f4 99694 c38d68 58 API calls __getptd_noexit 99637->99694 99638->99630 99638->99636 99638->99637 99638->99642 99640->99630 99640->99634 99641->99647 99642->99625 99642->99630 99646->99631 99693 c41b11 60 API calls 3 library calls 99646->99693 99647->99640 99696 c41b11 60 API calls 3 library calls 99647->99696 99649 c40e02 99648->99649 99653 c40e17 99648->99653 99735 c38d68 58 API calls __getptd_noexit 99649->99735 99651 c40e07 99736 c38ff6 9 API calls strtoxl 99651->99736 99654 c40e4c 99653->99654 99660 c40e12 99653->99660 99737 c46234 58 API calls __malloc_crt 99653->99737 99656 c34916 __stbuf 58 API calls 99654->99656 99657 c40e60 99656->99657 99702 c40f97 99657->99702 99659 c40e67 99659->99660 99661 c34916 __stbuf 58 API calls 99659->99661 99660->99567 99662 c40e8a 99661->99662 99662->99660 99663 c34916 __stbuf 58 API calls 99662->99663 99664 c40e96 99663->99664 99664->99660 99665 c34916 __stbuf 58 API calls 99664->99665 99666 c40ea3 99665->99666 99667 c34916 __stbuf 58 API calls 99666->99667 99667->99660 99668->99559 99669->99563 99670->99567 99671->99559 99672->99577 99673->99579 99675 c45ec6 99674->99675 99676 c45ed3 99674->99676 99677 c38d68 __flswbuf 58 API calls 99675->99677 99678 c45edf 99676->99678 99679 c38d68 __flswbuf 58 API calls 99676->99679 99680 
c45ecb 99677->99680 99678->99608 99681 c45f00 99679->99681 99680->99608 99682 c38ff6 strtoxl 9 API calls 99681->99682 99682->99680 99683->99585 99684->99628 99685->99594 99686->99593 99687->99594 99688->99605 99689->99612 99690->99628 99691->99604 99692->99630 99693->99646 99694->99630 99695->99642 99696->99647 99697->99624 99698->99630 99699->99589 99700->99593 99701->99628 99703 c40fa3 ___lock_fhandle 99702->99703 99704 c40fc7 99703->99704 99705 c40fb0 99703->99705 99706 c4108b 99704->99706 99708 c40fdb 99704->99708 99707 c38d34 __chsize_nolock 58 API calls 99705->99707 99709 c38d34 __chsize_nolock 58 API calls 99706->99709 99710 c40fb5 99707->99710 99711 c41006 99708->99711 99712 c40ff9 99708->99712 99713 c40ffe 99709->99713 99714 c38d68 __flswbuf 58 API calls 99710->99714 99716 c41013 99711->99716 99717 c41028 99711->99717 99715 c38d34 __chsize_nolock 58 API calls 99712->99715 99720 c38d68 __flswbuf 58 API calls 99713->99720 99726 c40fbc ___lock_fhandle 99714->99726 99715->99713 99718 c38d34 __chsize_nolock 58 API calls 99716->99718 99719 c3d446 ___lock_fhandle 59 API calls 99717->99719 99722 c41018 99718->99722 99723 c4102e 99719->99723 99721 c41020 99720->99721 99729 c38ff6 strtoxl 9 API calls 99721->99729 99727 c38d68 __flswbuf 58 API calls 99722->99727 99724 c41054 99723->99724 99725 c41041 99723->99725 99730 c38d68 __flswbuf 58 API calls 99724->99730 99728 c410ab __read_nolock 70 API calls 99725->99728 99726->99659 99727->99721 99731 c4104d 99728->99731 99729->99726 99732 c41059 99730->99732 99734 c41083 __read LeaveCriticalSection 99731->99734 99733 c38d34 __chsize_nolock 58 API calls 99732->99733 99733->99731 99734->99726 99735->99651 99736->99660 99737->99654 99741 c3543a GetSystemTimeAsFileTime 99738->99741 99740 c791f8 99740->99330 99742 c35468 __aulldiv 99741->99742 99742->99740 99744 c35e9c ___lock_fhandle 99743->99744 99745 c35ec3 99744->99745 99746 c35eae 99744->99746 99748 c36e4e __lock_file 59 API calls 99745->99748 99757 c38d68 58 API calls 
__getptd_noexit 99746->99757 99750 c35ec9 99748->99750 99749 c35eb3 99758 c38ff6 9 API calls strtoxl 99749->99758 99759 c35b00 67 API calls 7 library calls 99750->99759 99753 c35ed4 99760 c35ef4 LeaveCriticalSection LeaveCriticalSection __wfsopen 99753->99760 99755 c35ee6 99756 c35ebe ___lock_fhandle 99755->99756 99756->99335 99757->99749 99758->99756 99759->99753 99760->99755 99761->99188 99762->99196 99763->99209 99764->99211 99765->99208 99766->99218 99768 c192c9 Mailbox 99767->99768 99769 c4f5c8 99768->99769 99774 c192d3 99768->99774 99770 c30ff6 Mailbox 59 API calls 99769->99770 99772 c4f5d4 99770->99772 99771 c192da 99771->99221 99774->99771 99775 c19df0 59 API calls Mailbox 99774->99775 99775->99774 99776->99232 99777->99231 99779 c799d2 __tzset_nolock _wcscmp 99778->99779 99780 c1506b 74 API calls 99779->99780 99781 c79866 99779->99781 99782 c79393 GetSystemTimeAsFileTime 99779->99782 99783 c15045 85 API calls 99779->99783 99780->99779 99781->99238 99781->99265 99782->99779 99783->99779 99785 c78d9b 99784->99785 99786 c78da9 99784->99786 99787 c3548b 115 API calls 99785->99787 99788 c78dee 99786->99788 99789 c3548b 115 API calls 99786->99789 99799 c78db2 99786->99799 99787->99786 99815 c7901b 99788->99815 99791 c78dd3 99789->99791 99791->99788 99793 c78ddc 99791->99793 99792 c78e32 99794 c78e57 99792->99794 99795 c78e36 99792->99795 99798 c355d6 __fcloseall 83 API calls 99793->99798 99793->99799 99819 c78c33 99794->99819 99797 c78e43 99795->99797 99801 c355d6 __fcloseall 83 API calls 99795->99801 99797->99799 99804 c355d6 __fcloseall 83 API calls 99797->99804 99798->99799 99799->99267 99801->99797 99802 c78e85 99828 c78eb5 99802->99828 99803 c78e65 99806 c355d6 __fcloseall 83 API calls 99803->99806 99807 c78e72 99803->99807 99804->99799 99806->99807 99807->99799 99809 c355d6 __fcloseall 83 API calls 99807->99809 99809->99799 99812 c78ea0 99812->99799 99814 c355d6 __fcloseall 83 API calls 99812->99814 99814->99799 99816 c79040 99815->99816 99818 c79029 
__tzset_nolock _memmove 99815->99818 99817 c35812 __fread_nolock 74 API calls 99816->99817 99817->99818 99818->99792 99820 c3594c __malloc_crt 58 API calls 99819->99820 99821 c78c42 99820->99821 99822 c3594c __malloc_crt 58 API calls 99821->99822 99823 c78c56 99822->99823 99824 c3594c __malloc_crt 58 API calls 99823->99824 99825 c78c6a 99824->99825 99826 c78f97 58 API calls 99825->99826 99827 c78c7d 99825->99827 99826->99827 99827->99802 99827->99803 99832 c78eca 99828->99832 99829 c78f82 99861 c791bf 99829->99861 99830 c78c8f 74 API calls 99830->99832 99832->99829 99832->99830 99835 c78e8c 99832->99835 99857 c7909c 99832->99857 99865 c78d2b 74 API calls 99832->99865 99836 c78f97 99835->99836 99837 c78fa4 99836->99837 99839 c78faa 99836->99839 99838 c32f95 _free 58 API calls 99837->99838 99838->99839 99840 c78fbb 99839->99840 99842 c32f95 _free 58 API calls 99839->99842 99841 c78e93 99840->99841 99843 c32f95 _free 58 API calls 99840->99843 99841->99812 99844 c355d6 99841->99844 99842->99840 99843->99841 99845 c355e2 ___lock_fhandle 99844->99845 99846 c355f6 99845->99846 99847 c3560e 99845->99847 99914 c38d68 58 API calls __getptd_noexit 99846->99914 99850 c36e4e __lock_file 59 API calls 99847->99850 99853 c35606 ___lock_fhandle 99847->99853 99849 c355fb 99915 c38ff6 9 API calls strtoxl 99849->99915 99852 c35620 99850->99852 99898 c3556a 99852->99898 99853->99812 99858 c790ab 99857->99858 99860 c790eb 99857->99860 99858->99832 99858->99858 99860->99858 99866 c79172 99860->99866 99862 c791dd 99861->99862 99863 c791cc 99861->99863 99862->99835 99864 c34a93 80 API calls 99863->99864 99864->99862 99865->99832 99867 c7919e 99866->99867 99868 c791af 99866->99868 99870 c34a93 99867->99870 99868->99860 99871 c34a9f ___lock_fhandle 99870->99871 99872 c34ad5 99871->99872 99873 c34abd 99871->99873 99875 c34acd ___lock_fhandle 99871->99875 99876 c36e4e __lock_file 59 API calls 99872->99876 99895 c38d68 58 API calls __getptd_noexit 99873->99895 99875->99868 99877 c34adb 
99876->99877 99883 c3493a 99877->99883 99878 c34ac2 99896 c38ff6 9 API calls strtoxl 99878->99896 99886 c34949 99883->99886 99889 c34967 99883->99889 99884 c34957 99885 c38d68 __flswbuf 58 API calls 99884->99885 99887 c3495c 99885->99887 99886->99884 99886->99889 99893 c34981 _memmove 99886->99893 99888 c38ff6 strtoxl 9 API calls 99887->99888 99888->99889 99897 c34b0d LeaveCriticalSection LeaveCriticalSection __wfsopen 99889->99897 99890 c3b05e __flsbuf 78 API calls 99890->99893 99891 c34c6d __flush 78 API calls 99891->99893 99892 c34916 __stbuf 58 API calls 99892->99893 99893->99889 99893->99890 99893->99891 99893->99892 99894 c3dac6 __write 78 API calls 99893->99894 99894->99893 99895->99878 99896->99875 99897->99875 99899 c35579 99898->99899 99900 c3558d 99898->99900 99953 c38d68 58 API calls __getptd_noexit 99899->99953 99901 c35589 99900->99901 99917 c34c6d 99900->99917 99916 c35645 LeaveCriticalSection LeaveCriticalSection __wfsopen 99901->99916 99903 c3557e 99954 c38ff6 9 API calls strtoxl 99903->99954 99909 c34916 __stbuf 58 API calls 99910 c355a7 99909->99910 99927 c40c52 99910->99927 99912 c355ad 99912->99901 99913 c32f95 _free 58 API calls 99912->99913 99913->99901 99914->99849 99915->99853 99916->99853 99918 c34c80 99917->99918 99919 c34ca4 99917->99919 99918->99919 99920 c34916 __stbuf 58 API calls 99918->99920 99923 c40dc7 99919->99923 99921 c34c9d 99920->99921 99955 c3dac6 99921->99955 99924 c355a1 99923->99924 99925 c40dd4 99923->99925 99924->99909 99925->99924 99926 c32f95 _free 58 API calls 99925->99926 99926->99924 99928 c40c5e ___lock_fhandle 99927->99928 99929 c40c82 99928->99929 99930 c40c6b 99928->99930 99932 c40d0d 99929->99932 99934 c40c92 99929->99934 100080 c38d34 58 API calls __getptd_noexit 99930->100080 100085 c38d34 58 API calls __getptd_noexit 99932->100085 99933 c40c70 100081 c38d68 58 API calls __getptd_noexit 99933->100081 99937 c40cb0 99934->99937 99938 c40cba 99934->99938 100082 c38d34 58 API calls __getptd_noexit 99937->100082 
Execution Graph (interactive graph widget; only the node labels are recoverable from the exported node/edge listing)

API references in the graph nodes: CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetLastError, FindCloseChangeNotification, GetFullPathNameW, GetLongPathNameW, SetCurrentDirectoryW, GetConsoleMode, GetConsoleCP, WriteConsoleW, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, CharUpperBuffW, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetPEB, Sleep, CreateThread, OleInitialize, VariantClear, RegisterWindowMessageW, SetTimer, KillTimer, PostQuitMessage, DefWindowProcW, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow.

CRT/runtime helpers in the graph nodes: ___lock_fhandle, __unlock_fhandle, __getptd_noexit, __lseeki64_nolock, __write_nolock, __ftell_nolock, __chsize_nolock, __flswbuf, __stbuf, __dosmaperr, ___crtMessageBoxW, ____lc_codepage_func, strtoxl, _memmove, _memset, _wcscpy, __wcsnicmp, _iswctype, _wprintf, _free, __cinit, and the AutoIt "Mailbox" internal.
101598 c181e7 101597->101598 101599 c1822e 101597->101599 101601 c30ff6 Mailbox 59 API calls 101598->101601 101600 c17eec 59 API calls 101599->101600 101604 c18220 101600->101604 101602 c181fc MultiByteToWideChar 101601->101602 101605 c178ad 59 API calls 2 library calls 101602->101605 101604->101596 101605->101604 101606 c1107d 101611 c171eb 101606->101611 101608 c1108c 101609 c32f80 __cinit 67 API calls 101608->101609 101610 c11096 101609->101610 101612 c171fb __ftell_nolock 101611->101612 101613 c177c7 59 API calls 101612->101613 101614 c172b1 101613->101614 101615 c14864 61 API calls 101614->101615 101616 c172ba 101615->101616 101642 c3074f 101616->101642 101619 c17e0b 59 API calls 101620 c172d3 101619->101620 101621 c13f84 59 API calls 101620->101621 101622 c172e2 101621->101622 101623 c177c7 59 API calls 101622->101623 101624 c172eb 101623->101624 101625 c17eec 59 API calls 101624->101625 101626 c172f4 RegOpenKeyExW 101625->101626 101627 c4ecda RegQueryValueExW 101626->101627 101632 c17316 Mailbox 101626->101632 101628 c4ecf7 101627->101628 101629 c4ed6c RegCloseKey 101627->101629 101630 c30ff6 Mailbox 59 API calls 101628->101630 101629->101632 101641 c4ed7e _wcscat Mailbox __NMSG_WRITE 101629->101641 101631 c4ed10 101630->101631 101633 c1538e 59 API calls 101631->101633 101632->101608 101634 c4ed1b RegQueryValueExW 101633->101634 101636 c4ed38 101634->101636 101638 c4ed52 101634->101638 101635 c17b52 59 API calls 101635->101641 101637 c17d2c 59 API calls 101636->101637 101637->101638 101638->101629 101639 c17f41 59 API calls 101639->101641 101640 c13f84 59 API calls 101640->101641 101641->101632 101641->101635 101641->101639 101641->101640 101643 c41b90 __ftell_nolock 101642->101643 101644 c3075c GetFullPathNameW 101643->101644 101645 c3077e 101644->101645 101646 c17d2c 59 API calls 101645->101646 101647 c172c5 101646->101647 101647->101619

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C13B7A
              • IsDebuggerPresent.KERNEL32 ref: 00C13B8C
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00CD62F8,00CD62E0,?,?), ref: 00C13BFD
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
                • Part of subcall function 00C20A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C13C26,00CD62F8,?,?,?), ref: 00C20ACE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00C13C81
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CC93F0,00000010), ref: 00C4D4BC
              • SetCurrentDirectoryW.KERNEL32(?,00CD62F8,?,?,?), ref: 00C4D4F4
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CC5D40,00CD62F8,?,?,?), ref: 00C4D57A
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00C4D581
                • Part of subcall function 00C13A58: GetSysColorBrush.USER32(0000000F), ref: 00C13A62
                • Part of subcall function 00C13A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C13A71
                • Part of subcall function 00C13A58: LoadIconW.USER32(00000063), ref: 00C13A88
                • Part of subcall function 00C13A58: LoadIconW.USER32(000000A4), ref: 00C13A9A
                • Part of subcall function 00C13A58: LoadIconW.USER32(000000A2), ref: 00C13AAC
                • Part of subcall function 00C13A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C13AD2
                • Part of subcall function 00C13A58: RegisterClassExW.USER32(?), ref: 00C13B28
                • Part of subcall function 00C139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C13A15
                • Part of subcall function 00C139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C13A36
                • Part of subcall function 00C139E7: ShowWindow.USER32(00000000,?,?), ref: 00C13A4A
                • Part of subcall function 00C139E7: ShowWindow.USER32(00000000,?,?), ref: 00C13A53
                • Part of subcall function 00C143DB: _memset.LIBCMT ref: 00C14401
                • Part of subcall function 00C143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C144A6
              Strings
              • This is a third-party compiled AutoIt script., xrefs: 00C4D4B4
              • runas, xrefs: 00C4D575
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas
              • API String ID: 529118366-3287110873
              • Opcode ID: 527fcd5ca5a210b1f4402c9432a773105ff4aaf9383f6c37f7b9a62b0ebb170a
              • Instruction ID: 6298a1bb65d7dbf2e37b79d9dfdec5d1f760e3ccb72b6be4f25f9efb1a3e8aa0
              • Opcode Fuzzy Hash: 527fcd5ca5a210b1f4402c9432a773105ff4aaf9383f6c37f7b9a62b0ebb170a
              • Instruction Fuzzy Hash: 2151EB71904288AECF11EBB4DC19FED7B75AF06304B04427BF461A21A2DB748786FB61
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetVersionExW.KERNEL32(?), ref: 00C14B2B
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
              • GetCurrentProcess.KERNEL32(?,00C9FAEC,00000000,00000000,?), ref: 00C14BF8
              • IsWow64Process.KERNEL32(00000000), ref: 00C14BFF
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C14C45
              • FreeLibrary.KERNEL32(00000000), ref: 00C14C50
              • GetSystemInfo.KERNEL32(00000000), ref: 00C14C81
              • GetSystemInfo.KERNEL32(00000000), ref: 00C14C8D
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: cd47247a20c4a228f6d769b2fb6b9847dea42bd33bcb5d5d0c565eeaee19633b
              • Instruction ID: 141daca87bf05d483f3ba670bdb46e320cb47a55209566b8420f9a7a287bfe15
              • Opcode Fuzzy Hash: cd47247a20c4a228f6d769b2fb6b9847dea42bd33bcb5d5d0c565eeaee19633b
              • Instruction Fuzzy Hash: 8F91C73154EBC0DEC735DB6895A12EABFE4BF27300B444D9ED0DB93A41D220E988E759
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C14EEE,?,?,00000000,00000000), ref: 00C14FF9
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C14EEE,?,?,00000000,00000000), ref: 00C15010
              • LoadResource.KERNEL32(?,00000000,?,?,00C14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C14F8F), ref: 00C4DD60
              • SizeofResource.KERNEL32(?,00000000,?,?,00C14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C14F8F), ref: 00C4DD75
              • LockResource.KERNEL32(00C14EEE,?,?,00C14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C14F8F,00000000), ref: 00C4DD88
              Strings
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: 603628707dd3245e01a9e08837fee4538efe986c837b2a353f77eb670985c64b
              • Instruction ID: 5150f329ac6c15b96385f3ae21b8494450a5851feff78e438ff46e53abf70967
              • Opcode Fuzzy Hash: 603628707dd3245e01a9e08837fee4538efe986c837b2a353f77eb670985c64b
              • Instruction Fuzzy Hash: FC117C75200B00BFE7218B65DC58F6B7BBAEBCAB11F20416DF416C6260DBB1EC419670
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesW.KERNELBASE(?,00C4E7C1), ref: 00C746A6
              • FindFirstFileW.KERNELBASE(?,?), ref: 00C746B7
              • FindClose.KERNEL32(00000000), ref: 00C746C7
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: 420bab4d1e85da9d9d50ae8ffb64f813b75c7327bdd41793024726552eabcdfb
              • Instruction ID: de83a9018f82a70a22e633dc2677f31ed472f2e6fddb528582ae72d3f7425f30
              • Opcode Fuzzy Hash: 420bab4d1e85da9d9d50ae8ffb64f813b75c7327bdd41793024726552eabcdfb
              • Instruction Fuzzy Hash: 8DE020314108009B46146738EC4E6EE775CDE06335F10471BF939C10F0E7B05D5085D5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              • Variable must be of type 'Object'., xrefs: 00C5428C
              Similarity
              • API ID:
              • String ID: Variable must be of type 'Object'.
              • API String ID: 0-109567571
              • Opcode ID: c41f5987b98cc8a2e0dee2916ff4c2e868ee7c52ab273b03fbe1358bf9a6b759
              • Instruction ID: a3af3f82e3afd58205186cde0c79baab042626fa94da2f0ffc73f17369bedc25
              • Opcode Fuzzy Hash: c41f5987b98cc8a2e0dee2916ff4c2e868ee7c52ab273b03fbe1358bf9a6b759
              • Instruction Fuzzy Hash: 9BA26A74A04205CBCB24CF58C880AEEB7B1FF4A314F648169ED16AB351D735ADC6EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C20BBB
              • timeGetTime.WINMM ref: 00C20E76
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C20FB3
              • TranslateMessage.USER32(?), ref: 00C20FC7
              • DispatchMessageW.USER32(?), ref: 00C20FD5
              • Sleep.KERNEL32(0000000A), ref: 00C20FDF
              • LockWindowUpdate.USER32(00000000,?,?), ref: 00C2105A
              • DestroyWindow.USER32 ref: 00C21066
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C21080
              • Sleep.KERNEL32(0000000A,?,?), ref: 00C552AD
              • TranslateMessage.USER32(?), ref: 00C5608A
              • DispatchMessageW.USER32(?), ref: 00C56098
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C560AC
              Strings
              Similarity
              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
              • API String ID: 4003667617-3242690629
              • Opcode ID: 5ebbbbdc3580085b851530998f07103ed00166f9f32aedacd65ba1e412755453
              • Instruction ID: 0f774601e4d3512d8743ad850db239e971cf72e7772d1859b0d3610fa95dc138
              • Opcode Fuzzy Hash: 5ebbbbdc3580085b851530998f07103ed00166f9f32aedacd65ba1e412755453
              • Instruction Fuzzy Hash: 2CB2E274608741DFD724CF24C894BAEB7E1BF85304F14491EF89A872A1DB70E989DB86
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 00C791E9: __time64.LIBCMT ref: 00C791F3
                • Part of subcall function 00C15045: _fseek.LIBCMT ref: 00C1505D
              • __wsplitpath.LIBCMT ref: 00C794BE
                • Part of subcall function 00C3432E: __wsplitpath_helper.LIBCMT ref: 00C3436E
              • _wcscpy.LIBCMT ref: 00C794D1
              • _wcscat.LIBCMT ref: 00C794E4
              • __wsplitpath.LIBCMT ref: 00C79509
              • _wcscat.LIBCMT ref: 00C7951F
              • _wcscat.LIBCMT ref: 00C79532
                • Part of subcall function 00C7922F: _memmove.LIBCMT ref: 00C79268
                • Part of subcall function 00C7922F: _memmove.LIBCMT ref: 00C79277
              • _wcscmp.LIBCMT ref: 00C79479
                • Part of subcall function 00C799BE: _wcscmp.LIBCMT ref: 00C79AAE
                • Part of subcall function 00C799BE: _wcscmp.LIBCMT ref: 00C79AC1
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C796DC
              • _wcsncpy.LIBCMT ref: 00C7974F
              • DeleteFileW.KERNEL32(?,?), ref: 00C79785
              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C7979B
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C797AC
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C797BE
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: 7d8c757d9a0869e986e319a0267e2533d89fb9f1de9485c9b46d28f6b159b0c8
              • Instruction ID: 097d1b701f36c4fddd8f55897437ca4b1abde7ba5558949f07870f505408865b
              • Opcode Fuzzy Hash: 7d8c757d9a0869e986e319a0267e2533d89fb9f1de9485c9b46d28f6b159b0c8
              • Instruction Fuzzy Hash: 0BC12BB1D00229AADF25DF95CC85EDEB7BDEF49300F0080AAF609E7151DB309A859F65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00C13074
              • RegisterClassExW.USER32(00000030), ref: 00C1309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
              • LoadIconW.USER32(000000A9), ref: 00C130F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101
              Strings
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: dfc0fe1e37e5339e9bb58280e168cb7d1fba1a964074bfd180cb23056d4a86f6
              • Instruction ID: e608f169b4ecf08dafe86a966520047248f7110c58089bd7e737fc238e7e14f2
              • Opcode Fuzzy Hash: dfc0fe1e37e5339e9bb58280e168cb7d1fba1a964074bfd180cb23056d4a86f6
              • Instruction Fuzzy Hash: 2B3104B1841309AFDB509FA4EC89BCDBBF4FB09310F10456EE590E62A0E7B94596CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00C13074
              • RegisterClassExW.USER32(00000030), ref: 00C1309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
              • LoadIconW.USER32(000000A9), ref: 00C130F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101
              Strings
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 17cb6d2522c34076a615b8339daae4e19d6c5b53024a2e25eae2318129a9886a
              • Instruction ID: 3864aa26b39fb2a2def087718ac03e0d2cd3330b1a8864bbe84cc6d1561e6ae0
              • Opcode Fuzzy Hash: 17cb6d2522c34076a615b8339daae4e19d6c5b53024a2e25eae2318129a9886a
              • Instruction Fuzzy Hash: F921AEB1901218AFDB009FA4EC89B9DBBF8FB08700F10412BEA10E62A0D7B54555DF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 00C14864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CD62F8,?,00C137C0,?), ref: 00C14882
                • Part of subcall function 00C3074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C172C5), ref: 00C30771
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C17308
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C4ECF1
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C4ED32
              • RegCloseKey.ADVAPI32(?), ref: 00C4ED70
              • _wcscat.LIBCMT ref: 00C4EDC9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: b895e7c761b343bbd6e884acc5f41a18721a3bb513ea2724664b658eecff9fd6
              • Instruction ID: fae803f136eebc58497f8612eba5b90719fe41b5a6ba62c8e5b39a46d2a78c2a
              • Opcode Fuzzy Hash: b895e7c761b343bbd6e884acc5f41a18721a3bb513ea2724664b658eecff9fd6
              • Instruction Fuzzy Hash: 64713971509341DEC714EF65D885AAFB7F8FF99340F84062EF455831A0EB309A89EBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00C13A62
              • LoadCursorW.USER32(00000000,00007F00), ref: 00C13A71
              • LoadIconW.USER32(00000063), ref: 00C13A88
              • LoadIconW.USER32(000000A4), ref: 00C13A9A
              • LoadIconW.USER32(000000A2), ref: 00C13AAC
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C13AD2
              • RegisterClassExW.USER32(?), ref: 00C13B28
                • Part of subcall function 00C13041: GetSysColorBrush.USER32(0000000F), ref: 00C13074
                • Part of subcall function 00C13041: RegisterClassExW.USER32(00000030), ref: 00C1309E
                • Part of subcall function 00C13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
                • Part of subcall function 00C13041: InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
                • Part of subcall function 00C13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
                • Part of subcall function 00C13041: LoadIconW.USER32(000000A9), ref: 00C130F2
                • Part of subcall function 00C13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 5193a9b37a0c469ee528d49b605c2993b746db74661f1db63f997b52212d96a4
              • Instruction ID: 076c25f040c2479d626a8953cecceba22c6322e9517787d6cece5f3d02aea499
              • Opcode Fuzzy Hash: 5193a9b37a0c469ee528d49b605c2993b746db74661f1db63f997b52212d96a4
              • Instruction Fuzzy Hash: FA2126B1A02308AFEB10AFA4EC09B9DBBB5FB08715F10412BF504E62A0D7B65654DF94
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 00C136D2
              • KillTimer.USER32(?,00000001), ref: 00C136FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C1371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C1372A
              • CreatePopupMenu.USER32 ref: 00C1373E
              • PostQuitMessage.USER32(00000000), ref: 00C1375F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated
              • API String ID: 129472671-2362178303
              • Opcode ID: 91edd39a8a047866894ca10730ede94e90ace668178311ae5b21272b13400fe4
              • Instruction ID: ac2738858a9b76287caef849e45248088ad451b7da593eeb3b556598fac401f6
              • Opcode Fuzzy Hash: 91edd39a8a047866894ca10730ede94e90ace668178311ae5b21272b13400fe4
              • Instruction Fuzzy Hash: FC41D2B2204185ABDF246F64ED49BFE3765FB03304F14012BFA12962E1DA649F91F7A1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
              • API String ID: 1825951767-3513169116
              • Opcode ID: 4d54f9f6ca11f9ad3564e1138486343b2437c55e0928db2dad0003b641d74f8e
              • Instruction ID: 2058fb9d42932ec54d60b9237f62d477b7e97965aa93edc5f4601fa23d286712
              • Opcode Fuzzy Hash: 4d54f9f6ca11f9ad3564e1138486343b2437c55e0928db2dad0003b641d74f8e
              • Instruction Fuzzy Hash: 73A17E729102699ADF04EFA0CC95EEEB779BF16304F10042AF416B7191DF749A89FB60
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01482721
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01482947
              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
              • Instruction ID: 4cb386c0721324708ad33cf9b8298a1098b43039c9db08c8f43d8d6ec789bcc6
              • Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
              • Instruction Fuzzy Hash: 76A10674E00209EBDF14EFA5C894FAEBBB5FF48304F20815AE615BB290D7B59A41CB54
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C13A15
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C13A36
              • ShowWindow.USER32(00000000,?,?), ref: 00C13A4A
              • ShowWindow.USER32(00000000,?,?), ref: 00C13A53
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: e2cee568efbf3cef114f597ed060192b83ded48032205cbe84b070a2b8ffdba2
              • Instruction ID: d848822728be8a5f435cc5a0fa10c481acebbac8180b19a6d05434bc04b0225e
              • Opcode Fuzzy Hash: e2cee568efbf3cef114f597ed060192b83ded48032205cbe84b070a2b8ffdba2
              • Instruction Fuzzy Hash: A1F0DA716422907EEE3117676C8DF6B7F7DD7C6F50B01412FB904E2170C6A61851DAB0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 01482300: Sleep.KERNELBASE(000001F4), ref: 01482311
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0148253B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: LGHFWINN13PLF4
              • API String ID: 2694422964-1878793650
              • Opcode ID: 623965183ba1e62b6b106ffbee0c7f2c55713ae24b5545a751c783eba91ed2e3
              • Instruction ID: 4fccf0737a66e37a1a0a018a1633c709f68a3b1af5aa3a7f8f3b0b0580857d48
              • Opcode Fuzzy Hash: 623965183ba1e62b6b106ffbee0c7f2c55713ae24b5545a751c783eba91ed2e3
              • Instruction Fuzzy Hash: 03518F70D04249EBEF11EBA4C865BEEBB79AF18300F004199E609BB2D0D7B91B45CB65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C4D5EC
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
              • _memset.LIBCMT ref: 00C1418D
              • _wcscpy.LIBCMT ref: 00C141E1
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C141F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: e4d190404790356a29664c91fcb232c58d6717c1cdf1f6447b04c56c110ad946
              • Instruction ID: 13e4d172cc07fd6a6029989d6f1d59351e4adc4e1d6ebb44da0309ced5ceefc2
              • Opcode Fuzzy Hash: e4d190404790356a29664c91fcb232c58d6717c1cdf1f6447b04c56c110ad946
              • Instruction Fuzzy Hash: EE31C271009314AAD725EB60DC46FDF77E8AF46310F20461FF195921A1EF74A688EB92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction ID: e9907fa8d3b863190972de8045cb17cdb93b00b3834854a80ccb868027b14554
              • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction Fuzzy Hash: 8651C130A30B05DFDB289FB9C8856AEB7B5AF41320F648729F839972D0D7719E519B40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C14F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00CD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14F6F
              • _free.LIBCMT ref: 00C4E68C
              • _free.LIBCMT ref: 00C4E6D3
                • Part of subcall function 00C16BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C16D0D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: 8895642858d9b63a35ae94f1d23b777c67c867a225c8337448d13b3673982c1f
              • Instruction ID: dfaeaa674cb3a391d33ea467ce12abba71148fb802415e2b04e5ef41ef911325
              • Opcode Fuzzy Hash: 8895642858d9b63a35ae94f1d23b777c67c867a225c8337448d13b3673982c1f
              • Instruction Fuzzy Hash: 0E918F71910219EFCF04EFA4CC919EDB7B4FF19314F15846AF816AB291DB30AA45EB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C135A1,SwapMouseButtons,00000004,?), ref: 00C135D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C135A1,SwapMouseButtons,00000004,?,?,?,?,00C12754), ref: 00C135F5
              • RegCloseKey.KERNELBASE(00000000,?,?,00C135A1,SwapMouseButtons,00000004,?,?,?,?,00C12754), ref: 00C13617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: f890b1122df5699a98e7d1a85d2b11ab3c1657eb2a27263666fa1793a4730f4a
              • Instruction ID: a444fbc3dfb96eaceb32aa03146ce8bd1bf613cef9e77ac8ba2ee4dfed470285
              • Opcode Fuzzy Hash: f890b1122df5699a98e7d1a85d2b11ab3c1657eb2a27263666fa1793a4730f4a
              • Instruction Fuzzy Hash: BB114871610248BFDB208F64DC84AEEB7BCFF46744F00546AF805D7210D2719F95A764
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 01481B2D
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01481B51
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01481B73
              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
              • Instruction ID: 1d7f14e01362f3c56bf3d79a15681f4f94eb22bfadb115e0f313de99b54f1066
              • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
              • Instruction Fuzzy Hash: DE620F30A14258DBEB24DFA4C850BDEB772EF58700F1091AAD10DEB3A4E7759E81CB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C15045: _fseek.LIBCMT ref: 00C1505D
                • Part of subcall function 00C799BE: _wcscmp.LIBCMT ref: 00C79AAE
                • Part of subcall function 00C799BE: _wcscmp.LIBCMT ref: 00C79AC1
              • _free.LIBCMT ref: 00C7992C
              • _free.LIBCMT ref: 00C79933
              • _free.LIBCMT ref: 00C7999E
                • Part of subcall function 00C32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C39C64), ref: 00C32FA9
                • Part of subcall function 00C32F95: GetLastError.KERNEL32(00000000,?,00C39C64), ref: 00C32FBB
              • _free.LIBCMT ref: 00C799A6
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
              • Instruction ID: e33b4cef47965e6a551ea771024cd1e3948bf1d6db56d499ded9d48349ab8d19
              • Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
              • Instruction Fuzzy Hash: DA5160B1904618AFDF249FA4CC41A9EBB79EF48310F0044AEF20DA7281DB315E80DF59
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction ID: 0faa396297e0aa2844fbdd0280cb14a239eacb3b46c98ff384ff66e2ac8f749f
              • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction Fuzzy Hash: 9941D9716607059BDF1CCEA9C880AAF7BAAEF84360F24817DE865C7650D770FE419B44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C4EE62
              • GetOpenFileNameW.COMDLG32(?), ref: 00C4EEAC
                • Part of subcall function 00C148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C148A1,?,?,00C137C0,?), ref: 00C148CE
                • Part of subcall function 00C309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C309F4
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              • Opcode ID: 4a8d4b7d9dfdef68bae938936c22cc1c534840ef9bd4cf7aa9a5410d1fce5a96
              • Instruction ID: 4e30efd02bf37057d80cc06211112e1b8c9de299d659cc601b0894074a4a174c
              • Opcode Fuzzy Hash: 4a8d4b7d9dfdef68bae938936c22cc1c534840ef9bd4cf7aa9a5410d1fce5a96
              • Instruction Fuzzy Hash: 3521C6719102589BCF11DF94C845BEE7BF8AF49310F10405AE408E7281DBB459899F91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              • Opcode ID: 0585c9189db2d534b58416c80d11795729cd0f43df4e3641882d1e311e032cd7
              • Instruction ID: cbf2bedf4f44dcd09eed8c856a3152f411365801b07aa7080660a988b127f629
              • Opcode Fuzzy Hash: 0585c9189db2d534b58416c80d11795729cd0f43df4e3641882d1e311e032cd7
              • Instruction Fuzzy Hash: C901F9718142186EDB28C6A8C816FEEBBF8DB05301F00819EF552D2181E575A70497A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 00C79B82
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C79B99
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: 34c2938df0c5c8a2e66e0ec946389545281a165c8ec55603183731ce04d51b4e
              • Instruction ID: a273416e60173ddabcbf4c91dea6f5ee7ade381a30b49a15beb560247eefd356
              • Opcode Fuzzy Hash: 34c2938df0c5c8a2e66e0ec946389545281a165c8ec55603183731ce04d51b4e
              • Instruction Fuzzy Hash: 41D05E7954030DABDB10DB90DC0EF9A772CE704704F0042B6BE94D10A1DEB095998B95
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c344a725d468b06d3d2ba3a9de00660d757fc42aec3723a887ced17f0fe00190
              • Instruction ID: 42e1e90c9bf5afd8840b6c06ab0289b2622c7e0597a1c59d0c6cb7af4b58aa11
              • Opcode Fuzzy Hash: c344a725d468b06d3d2ba3a9de00660d757fc42aec3723a887ced17f0fe00190
              • Instruction Fuzzy Hash: 41F149705083019FC714EF28C484A6ABBE5FF89318F14896EF89A9B291D731E945DF86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C303D3
                • Part of subcall function 00C303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C303DB
                • Part of subcall function 00C303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C303E6
                • Part of subcall function 00C303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C303F1
                • Part of subcall function 00C303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C303F9
                • Part of subcall function 00C303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C30401
                • Part of subcall function 00C26259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C1FA90), ref: 00C262B4
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C1FB2D
              • OleInitialize.OLE32(00000000), ref: 00C1FBAA
              • CloseHandle.KERNEL32(00000000), ref: 00C549F2
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID:
              • API String ID: 1986988660-0
              • Opcode ID: 51cb3ad4e2bc8c1e61c63f32618b00f17185fd1e6e73fa5339264f07018d4e1d
              • Instruction ID: 99c5f90c661f0e39c888756d0c6f4bd43966519f2afb81c020db21a1df51e449
              • Opcode Fuzzy Hash: 51cb3ad4e2bc8c1e61c63f32618b00f17185fd1e6e73fa5339264f07018d4e1d
              • Instruction Fuzzy Hash: F781A5B09062448FCB84EF79EA9576DBBE4EB89308711812FE519C73B2EB358445DF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C14401
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C144A6
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C144C3
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              • Opcode ID: 441ee0e2e6429c491860943e692c8868365054631837f4f476719df99e731b7d
              • Instruction ID: 8981aba0603a740d265adb60583323c8a832b11d219f49e90a8b969e766d1e13
              • Opcode Fuzzy Hash: 441ee0e2e6429c491860943e692c8868365054631837f4f476719df99e731b7d
              • Instruction Fuzzy Hash: 40316DB15057019FD724DF24D8847DBBBE8FB4A308F00092EF59AC3251E775AA88DB96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00C35963
                • Part of subcall function 00C3A3AB: __NMSG_WRITE.LIBCMT ref: 00C3A3D2
                • Part of subcall function 00C3A3AB: __NMSG_WRITE.LIBCMT ref: 00C3A3DC
              • __NMSG_WRITE.LIBCMT ref: 00C3596A
                • Part of subcall function 00C3A408: GetModuleFileNameW.KERNEL32(00000000,00CD43BA,00000104,?,00000001,00000000), ref: 00C3A49A
                • Part of subcall function 00C3A408: ___crtMessageBoxW.LIBCMT ref: 00C3A548
                • Part of subcall function 00C332DF: ___crtCorExitProcess.LIBCMT ref: 00C332E5
                • Part of subcall function 00C332DF: ExitProcess.KERNEL32 ref: 00C332EE
                • Part of subcall function 00C38D68: __getptd_noexit.LIBCMT ref: 00C38D68
              • RtlAllocateHeap.NTDLL(01650000,00000000,00000001,00000000,?,?,?,00C31013,?), ref: 00C3598F
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              • Opcode ID: 530e4c62163bd2826f36ca07582e5d4e299e43692036077d954922ab1f7dd056
              • Instruction ID: 21451e33a59f12cd1222d94e15c0654e4afc9dd0f98fd081b6116b1eafc7f39c
              • Opcode Fuzzy Hash: 530e4c62163bd2826f36ca07582e5d4e299e43692036077d954922ab1f7dd056
              • Instruction Fuzzy Hash: 7D012431331B12DFE6253B35EC42B6E73888F42B31F50002BF910AB1D1DE709E02A260
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C797D2,?,?,?,?,?,00000004), ref: 00C79B45
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C79B5B
              • CloseHandle.KERNEL32(00000000,?,00C797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C79B62
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              • Opcode ID: b04d17592822e8ceb639015ba5c78fa17fbb363b0c94f404b61fed70e36f918d
              • Instruction ID: e93fbe4f0551b35cdfb816789db05dc887919a922491290aabc06a85b8491263
              • Opcode Fuzzy Hash: b04d17592822e8ceb639015ba5c78fa17fbb363b0c94f404b61fed70e36f918d
              • Instruction Fuzzy Hash: 95E08632180214F7EB311B64EC0DFDE7B18EB05761F108125FB24A90E087B1662297D8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _free.LIBCMT ref: 00C78FA5
                • Part of subcall function 00C32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00C39C64), ref: 00C32FA9
                • Part of subcall function 00C32F95: GetLastError.KERNEL32(00000000,?,00C39C64), ref: 00C32FBB
              • _free.LIBCMT ref: 00C78FB6
              • _free.LIBCMT ref: 00C78FC8
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
              • Instruction ID: 7b13e3866287f52ef823e25e1c08d268a6f60fc76dba6d5416ce3c3352acd518
              • Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
              • Instruction Fuzzy Hash: 27E0C2B12087104ACE20A5F8AD04AA317EE1F4C360B08080DF51DDB142CE24E940A424
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              • Opcode ID: d1237d5c55457b12fef2603115e4559445d65aff33266903929ce42eac112c54
              • Instruction ID: e2da2397317b112cd8c0dfde80a6c92d481ac455bc4fc441818e9b1d3d992b51
              • Opcode Fuzzy Hash: d1237d5c55457b12fef2603115e4559445d65aff33266903929ce42eac112c54
              • Instruction Fuzzy Hash: 81223974509241DFC724DF14C494BAAB7E1FF8A304F24895DE89A8B362D731ED85EB82
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memmove
              • String ID: EA06
              • API String ID: 4104443479-3962188686
              • Opcode ID: 4a84d486d902b05df02ad60648ddc4172e7dcbf29316d71b432e3570bb88d8b4
              • Instruction ID: c2a1738d65ba45ba663e340ca68914cc8743cd15898fa48db372201fafd1c7ab
              • Opcode Fuzzy Hash: 4a84d486d902b05df02ad60648ddc4172e7dcbf29316d71b432e3570bb88d8b4
              • Instruction Fuzzy Hash: D1416F71A045549BCF295BA4C891BFEFFA6AF47300F684075E8429B282C6319EC1B7E1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsThemeActive.UXTHEME ref: 00C14992
                • Part of subcall function 00C335AC: __lock.LIBCMT ref: 00C335B2
                • Part of subcall function 00C335AC: DecodePointer.KERNEL32(00000001,?,00C149A7,00C681BC), ref: 00C335BE
                • Part of subcall function 00C335AC: EncodePointer.KERNEL32(?,?,00C149A7,00C681BC), ref: 00C335C9
                • Part of subcall function 00C14A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C14A73
                • Part of subcall function 00C14A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C14A88
                • Part of subcall function 00C13B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C13B7A
                • Part of subcall function 00C13B4C: IsDebuggerPresent.KERNEL32 ref: 00C13B8C
                • Part of subcall function 00C13B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CD62F8,00CD62E0,?,?), ref: 00C13BFD
                • Part of subcall function 00C13B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C13C81
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C149D2
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 1438897964-0
              • Opcode ID: b87c2e73210d3c212db33f51c4d1b0d7da626cd85d7aaf466e07c6754fd4eb85
              • Instruction ID: 00739215e640331406ecb9713262ba2dccf2f56482bed2d14a1400cb0ddcf6a4
              • Opcode Fuzzy Hash: b87c2e73210d3c212db33f51c4d1b0d7da626cd85d7aaf466e07c6754fd4eb85
              • Instruction Fuzzy Hash: E31167719193119BC700EF29E845A4EFBE8EF99710F00461FF085872A1DB709689EB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00C15981,?,?,?,?), ref: 00C15E27
              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00C15981,?,?,?,?), ref: 00C4E19C
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0

              APIs
                • Part of subcall function 00C3594C: __FF_MSGBANNER.LIBCMT ref: 00C35963
                • Part of subcall function 00C3594C: __NMSG_WRITE.LIBCMT ref: 00C3596A
                • Part of subcall function 00C3594C: RtlAllocateHeap.NTDLL(01650000,00000000,00000001,00000000,?,?,?,00C31013,?), ref: 00C3598F
              • std::exception::exception.LIBCMT ref: 00C3102C
              • __CxxThrowException@8.LIBCMT ref: 00C31041
                • Part of subcall function 00C387DB: RaiseException.KERNEL32(?,?,?,00CCBAF8,00000000,?,?,?,?,00C31046,?,00CCBAF8,?,00000001), ref: 00C38830
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __lock_file_memset
              • String ID:
              • API String ID: 26237723-0

              APIs
                • Part of subcall function 00C38D68: __getptd_noexit.LIBCMT ref: 00C38D68
              • __lock_file.LIBCMT ref: 00C3561B
                • Part of subcall function 00C36E4E: __lock.LIBCMT ref: 00C36E71
              • __fclose_nolock.LIBCMT ref: 00C35626
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0

              APIs
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00C1558F,?,?,?,?,?), ref: 00C181DA
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00C1558F,?,?,?,?,?), ref: 00C1820D
                • Part of subcall function 00C178AD: _memmove.LIBCMT ref: 00C178E9
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ByteCharMultiWide$_memmove
              • String ID:
              • API String ID: 3033907384-0

              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 01481B2D
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01481B51
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01481B73
              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              APIs
              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00C15CF6
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0

              APIs
                • Part of subcall function 00C14D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C14D4D
                • Part of subcall function 00C3548B: __wfsopen.LIBCMT ref: 00C35496
              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00CD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14F6F
                • Part of subcall function 00C14CC8: FreeLibrary.KERNEL32(00000000), ref: 00C14D02
                • Part of subcall function 00C14DD0: _memmove.LIBCMT ref: 00C14E1A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0

              APIs
              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00C15807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00C15D76
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0

              APIs
              • __lock_file.LIBCMT ref: 00C34AD6
                • Part of subcall function 00C38D68: __getptd_noexit.LIBCMT ref: 00C38D68
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0

              APIs
              • FreeLibrary.KERNEL32(?,?,00CD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14FDE
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0

              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C309F4
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0

              APIs
              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00C4E16B,?,?,00000000), ref: 00C15DBF
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: f938e8ed4c9927061d2e6493abb960a16e89dc607eaff9bf6564beafcfb3dd2c
              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction Fuzzy Hash: 12B0927A84020C77DE012E82EC02A593B199B40678F808020FB0C28162A673A6A0A689
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLastError.KERNEL32(00000002,00000000), ref: 00C7D46A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorLast
              • String ID:
              • API String ID: 1452528299-0
              • Opcode ID: 781d8eefb94c425facd4055280779776c7f91454d2b7201299f41833d2c70cdd
              • Instruction ID: a1c1f53a5547bb30ca275c41b10ad838ffa1a3bd1a4bfdb756b7de3ffd153861
              • Opcode Fuzzy Hash: 781d8eefb94c425facd4055280779776c7f91454d2b7201299f41833d2c70cdd
              • Instruction Fuzzy Hash: 9E7153702043028FC714EF64D491AAEB7F5AF89314F04856DF59B9B2A1DB30EE49EB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction ID: 722ad1a6659abbf0d1660eb698e362e25e169955aa02b8a753c3652de234bb4e
              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction Fuzzy Hash: 1A31E176A10105DBC718DF49C4A0969F7A6FF59300F388AA5E49ACB651DB30EEC1CB80
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Sleep.KERNELBASE(000001F4), ref: 01482311
              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: 3c60dcfab2b1a3da215ef8dba1f44870cf46c2e6e3ddeb82c3e3f4086bc6a58c
              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction Fuzzy Hash: E4E0E67494010DDFDB00EFB4D6496AE7FB4EF04302F100561FD01D2281D6709D50CA62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C9CE50
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C9CE91
              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C9CED6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C9CF00
              • SendMessageW.USER32 ref: 00C9CF29
              • _wcsncpy.LIBCMT ref: 00C9CFA1
              • GetKeyState.USER32(00000011), ref: 00C9CFC2
              • GetKeyState.USER32(00000009), ref: 00C9CFCF
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C9CFE5
              • GetKeyState.USER32(00000010), ref: 00C9CFEF
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C9D018
              • SendMessageW.USER32 ref: 00C9D03F
              • SendMessageW.USER32(?,00001030,?,00C9B602), ref: 00C9D145
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C9D15B
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C9D16E
              • SetCapture.USER32(?), ref: 00C9D177
              • ClientToScreen.USER32(?,?), ref: 00C9D1DC
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C9D1E9
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C9D203
              • ReleaseCapture.USER32 ref: 00C9D20E
              • GetCursorPos.USER32(?), ref: 00C9D248
              • ScreenToClient.USER32(?,?), ref: 00C9D255
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C9D2B1
              • SendMessageW.USER32 ref: 00C9D2DF
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C9D31C
              • SendMessageW.USER32 ref: 00C9D34B
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C9D36C
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C9D37B
              • GetCursorPos.USER32(?), ref: 00C9D39B
              • ScreenToClient.USER32(?,?), ref: 00C9D3A8
              • GetParent.USER32(?), ref: 00C9D3C8
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C9D431
              • SendMessageW.USER32 ref: 00C9D462
              • ClientToScreen.USER32(?,?), ref: 00C9D4C0
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C9D4F0
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C9D51A
              • SendMessageW.USER32 ref: 00C9D53D
              • ClientToScreen.USER32(?,?), ref: 00C9D58F
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C9D5C3
                • Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC
              • GetWindowLongW.USER32(?,000000F0), ref: 00C9D65F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F
              • API String ID: 3977979337-4164748364
              • Opcode ID: 1adae039a7d55fd47ced0e4fc1d32c057236307afc2a870842230b2309be4b53
              • Instruction ID: b968fd7f0b20d993d9486bacab7a1d62a6da37d485f1a5f3dcef8b838494c22f
              • Opcode Fuzzy Hash: 1adae039a7d55fd47ced0e4fc1d32c057236307afc2a870842230b2309be4b53
              • Instruction Fuzzy Hash: 5F42CD70204340AFDB21CF28C898FAABBE6FF49314F14051EF6A6972A1C731D951DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00C9873F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d
              • API String ID: 3850602802-328681919
              • Opcode ID: 170096089a00146fb467f7fe268075f46a7cee0ec9c8e8bbb2958d954e0760d6
              • Instruction ID: 8aaf520d0739e87fe2d9c090f007278ed9ab9578b7e0d5a578034afc4731d41f
              • Opcode Fuzzy Hash: 170096089a00146fb467f7fe268075f46a7cee0ec9c8e8bbb2958d954e0760d6
              • Instruction Fuzzy Hash: A912A071500608ABEF258F65CC4DFAE7BB5EF46710F204169F916DB2A1DB708949CB10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
              • API String ID: 1357608183-1798697756
              • Opcode ID: 378ea7f97f2e3350277c845783b2be4e66c8b26e7cc9c2b9735d0cb276353fa4
              • Instruction ID: d4dbbdb87e544a1a292388b5f0608a6e030a0bf55b4c5c926db07ef081b79473
              • Opcode Fuzzy Hash: 378ea7f97f2e3350277c845783b2be4e66c8b26e7cc9c2b9735d0cb276353fa4
              • Instruction Fuzzy Hash: 3E93A071A0421ADFDB24CF98D8C1BADB7B1FF48710F25816AE955EB290E7709E81DB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 00C14A3D
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4DA8E
              • IsIconic.USER32(?), ref: 00C4DA97
              • ShowWindow.USER32(?,00000009), ref: 00C4DAA4
              • SetForegroundWindow.USER32(?), ref: 00C4DAAE
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C4DAC4
              • GetCurrentThreadId.KERNEL32 ref: 00C4DACB
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4DAD7
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4DAE8
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4DAF0
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C4DAF8
              • SetForegroundWindow.USER32(?), ref: 00C4DAFB
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4DB10
              • keybd_event.USER32(00000012,00000000), ref: 00C4DB1B
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4DB25
              • keybd_event.USER32(00000012,00000000), ref: 00C4DB2A
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4DB33
              • keybd_event.USER32(00000012,00000000), ref: 00C4DB38
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4DB42
              • keybd_event.USER32(00000012,00000000), ref: 00C4DB47
              • SetForegroundWindow.USER32(?), ref: 00C4DB4A
              • AttachThreadInput.USER32(?,?,00000000), ref: 00C4DB71
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 3acee00a5eb37630ad8f03dd01cc8e4535c89f49886eec0402b3e15d3b63fa42
              • Instruction ID: 936018175a04356f001c3cdce363495939234cf0151fa6736c6f27ba415b0d14
              • Opcode Fuzzy Hash: 3acee00a5eb37630ad8f03dd01cc8e4535c89f49886eec0402b3e15d3b63fa42
              • Instruction Fuzzy Hash: 54318671A40318BFEB216FA19C4DF7F3E6CEB44B50F11406AFA05EA1D0C6B05D51ABA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C68D0D
                • Part of subcall function 00C68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68D3A
                • Part of subcall function 00C68CC3: GetLastError.KERNEL32 ref: 00C68D47
              • _memset.LIBCMT ref: 00C6889B
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C688ED
              • CloseHandle.KERNEL32(?), ref: 00C688FE
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C68915
              • GetProcessWindowStation.USER32 ref: 00C6892E
              • SetProcessWindowStation.USER32(00000000), ref: 00C68938
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C68952
                • Part of subcall function 00C68713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C68851), ref: 00C68728
                • Part of subcall function 00C68713: CloseHandle.KERNEL32(?,?,00C68851), ref: 00C6873A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: fa84c73ceee79413678d50e30cf524b4d32c7af016e8cbc63b90c2a9c1d9c368
              • Instruction ID: 6bdef2247cffe1b689b032b7b8867f7af1a2462736efc6742d4b89e2331c5bd1
              • Opcode Fuzzy Hash: fa84c73ceee79413678d50e30cf524b4d32c7af016e8cbc63b90c2a9c1d9c368
              • Instruction Fuzzy Hash: CA812371940209AFDF21DFE4DD89AEE7B78EF04304F18425AFD24A6161DB358E19EB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenClipboard.USER32(00C9F910), ref: 00C84284
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00C84292
              • GetClipboardData.USER32(0000000D), ref: 00C8429A
              • CloseClipboard.USER32 ref: 00C842A6
              • GlobalLock.KERNEL32(00000000), ref: 00C842C2
              • CloseClipboard.USER32 ref: 00C842CC
              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C842E1
              • IsClipboardFormatAvailable.USER32(00000001), ref: 00C842EE
              • GetClipboardData.USER32(00000001), ref: 00C842F6
              • GlobalLock.KERNEL32(00000000), ref: 00C84303
              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00C84337
              • CloseClipboard.USER32 ref: 00C84447
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: 7879c6b943a537bdb1ffae4e5d79fedb07a4f01647c82cfb6f66117ab822cffa
              • Instruction ID: 67df17841d2b6387758f3b583b934eefe885a19e86a25d8d8448521b0d67f3aa
              • Opcode Fuzzy Hash: 7879c6b943a537bdb1ffae4e5d79fedb07a4f01647c82cfb6f66117ab822cffa
              • Instruction Fuzzy Hash: C0519171204302ABD315FF60EC9AFAF77A8AF84B04F10452EF556D21E1DB70D906AB66
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00C7C9F8
              • FindClose.KERNEL32(00000000), ref: 00C7CA4C
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7CA71
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7CA88
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7CAAF
              • __swprintf.LIBCMT ref: 00C7CAFB
              • __swprintf.LIBCMT ref: 00C7CB3E
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
              • __swprintf.LIBCMT ref: 00C7CB92
                • Part of subcall function 00C338D8: __woutput_l.LIBCMT ref: 00C33931
              • __swprintf.LIBCMT ref: 00C7CBE0
                • Part of subcall function 00C338D8: __flsbuf.LIBCMT ref: 00C33953
                • Part of subcall function 00C338D8: __flsbuf.LIBCMT ref: 00C3396B
              • __swprintf.LIBCMT ref: 00C7CC2F
              • __swprintf.LIBCMT ref: 00C7CC7E
              • __swprintf.LIBCMT ref: 00C7CCCD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: 5c061f4b1ad9117621c8d2daae3cae3dfd8424390d59c8946076dc1dbc5842aa
              • Instruction ID: f10b11c4d01f1677b13f9f2d027f46fece3dc5fe0e91330756b8979279813b8a
              • Opcode Fuzzy Hash: 5c061f4b1ad9117621c8d2daae3cae3dfd8424390d59c8946076dc1dbc5842aa
              • Instruction Fuzzy Hash: 76A140B1508305ABC710EB64C895EAFB7ECEF99700F40491DF596C3191EA34DA49EB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C7F221
              • _wcscmp.LIBCMT ref: 00C7F236
              • _wcscmp.LIBCMT ref: 00C7F24D
              • GetFileAttributesW.KERNEL32(?), ref: 00C7F25F
              • SetFileAttributesW.KERNEL32(?,?), ref: 00C7F279
              • FindNextFileW.KERNEL32(00000000,?), ref: 00C7F291
              • FindClose.KERNEL32(00000000), ref: 00C7F29C
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00C7F2B8
              • _wcscmp.LIBCMT ref: 00C7F2DF
              • _wcscmp.LIBCMT ref: 00C7F2F6
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7F308
              • SetCurrentDirectoryW.KERNEL32(00CCA5A0), ref: 00C7F326
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7F330
              • FindClose.KERNEL32(00000000), ref: 00C7F33D
              • FindClose.KERNEL32(00000000), ref: 00C7F34F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: efeed927c4c80b31691bb945c93ec6feb59e4ffa4e6af621603580551207dba6
              • Instruction ID: cb4f0a7e3645bcd6393d37edd6d425f9f31e16320798392081d765e1aabf4aba
              • Opcode Fuzzy Hash: efeed927c4c80b31691bb945c93ec6feb59e4ffa4e6af621603580551207dba6
              • Instruction Fuzzy Hash: 7F31A5765006196BDB10DBB4DC8DBEE77ACAF09360F14817EE928D30A0EB34DB46CA54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C90BDE
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C9F910,00000000,?,00000000,?,?), ref: 00C90C4C
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C90C94
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C90D1D
              • RegCloseKey.ADVAPI32(?), ref: 00C9103D
              • RegCloseKey.ADVAPI32(00000000), ref: 00C9104A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 6c7f264dee07ad610caa9f1c8509987dcf76b2bf2b9f04e62398ff02f0d8d7c4
              • Instruction ID: e093137edfd87eaa887716c97e916e1be154fda79145d97d9f57e02ab08f2fdd
              • Opcode Fuzzy Hash: 6c7f264dee07ad610caa9f1c8509987dcf76b2bf2b9f04e62398ff02f0d8d7c4
              • Instruction Fuzzy Hash: A10258752006519FCB14EF24C895E6AB7E5FF89710F14885DF89A9B3A2CB30ED41EB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C7F37E
              • _wcscmp.LIBCMT ref: 00C7F393
              • _wcscmp.LIBCMT ref: 00C7F3AA
                • Part of subcall function 00C745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C745DC
              • FindNextFileW.KERNEL32(00000000,?), ref: 00C7F3D9
              • FindClose.KERNEL32(00000000), ref: 00C7F3E4
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00C7F400
              • _wcscmp.LIBCMT ref: 00C7F427
              • _wcscmp.LIBCMT ref: 00C7F43E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7F450
              • SetCurrentDirectoryW.KERNEL32(00CCA5A0), ref: 00C7F46E
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7F478
              • FindClose.KERNEL32(00000000), ref: 00C7F485
              • FindClose.KERNEL32(00000000), ref: 00C7F497
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: 199d3f61a829ce7c31afa95f0fdc818bb176e27846094565806918899907f976
              • Instruction ID: e050ebffdc8f61b30624b9f8cd093d55b01997b0c643908118cbb533beb17e8e
              • Opcode Fuzzy Hash: 199d3f61a829ce7c31afa95f0fdc818bb176e27846094565806918899907f976
              • Instruction Fuzzy Hash: 7431B17150161D6BCB109B74EC89BEE77AC9F09364F14817EE828E20A0DB34DB86DA64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C68766
                • Part of subcall function 00C6874A: GetLastError.KERNEL32(?,00C6822A,?,?,?), ref: 00C68770
                • Part of subcall function 00C6874A: GetProcessHeap.KERNEL32(00000008,?,?,00C6822A,?,?,?), ref: 00C6877F
                • Part of subcall function 00C6874A: HeapAlloc.KERNEL32(00000000,?,00C6822A,?,?,?), ref: 00C68786
                • Part of subcall function 00C6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C6879D
                • Part of subcall function 00C687E7: GetProcessHeap.KERNEL32(00000008,00C68240,00000000,00000000,?,00C68240,?), ref: 00C687F3
                • Part of subcall function 00C687E7: HeapAlloc.KERNEL32(00000000,?,00C68240,?), ref: 00C687FA
                • Part of subcall function 00C687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C68240,?), ref: 00C6880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C6825B
              • _memset.LIBCMT ref: 00C68270
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C6828F
              • GetLengthSid.ADVAPI32(?), ref: 00C682A0
              • GetAce.ADVAPI32(?,00000000,?), ref: 00C682DD
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C682F9
              • GetLengthSid.ADVAPI32(?), ref: 00C68316
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C68325
              • HeapAlloc.KERNEL32(00000000), ref: 00C6832C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C6834D
              • CopySid.ADVAPI32(00000000), ref: 00C68354
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C68385
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C683AB
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C683BF
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 5eaaf1b9b04399048e6cd454baae13b7b61805a573409c589740f3d169658e7d
              • Instruction ID: c7944f2f0aa02784e97ee67d90dbcba3224c5457ad6e3d46e3ca4b525dd90dfb
              • Opcode Fuzzy Hash: 5eaaf1b9b04399048e6cd454baae13b7b61805a573409c589740f3d169658e7d
              • Instruction Fuzzy Hash: 04613E71900209ABDF109F94DC85AAEBB79FF04700F14826AF825E6261DB319A15CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
              • API String ID: 0-4052911093
              • Opcode ID: f19ebb36e85bc083101241d1d5ab618e0dcb8f6de20ef87d0b3a5ef39e46705a
              • Instruction ID: 08fe60700428d550925496cc201f9b80d0ff725d63aba6b4120929052cc41b6d
              • Opcode Fuzzy Hash: f19ebb36e85bc083101241d1d5ab618e0dcb8f6de20ef87d0b3a5ef39e46705a
              • Instruction Fuzzy Hash: 1A728275E00229DBDF24CF59D8807AEB7B5FF48310F18816AE855EB690DB709E81DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C90038,?,?), ref: 00C910BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C90737
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C907D6
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C9086E
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C90AAD
              • RegCloseKey.ADVAPI32(00000000), ref: 00C90ABA
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: 917df84011df58db809d3f4a54c3a2c9da1fadae6e0888039f4b27807bee76cd
              • Instruction ID: c3603eda878a2011f73b242cabcd9ea8ee136ba0d57e6e6e657e36d289cba240
              • Opcode Fuzzy Hash: 917df84011df58db809d3f4a54c3a2c9da1fadae6e0888039f4b27807bee76cd
              • Instruction Fuzzy Hash: 28E17C31204210AFCB14DF28C895E6EBBE9EF89714F14856DF45ADB2A2DB30ED01DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 00C70241
              • GetAsyncKeyState.USER32(000000A0), ref: 00C702C2
              • GetKeyState.USER32(000000A0), ref: 00C702DD
              • GetAsyncKeyState.USER32(000000A1), ref: 00C702F7
              • GetKeyState.USER32(000000A1), ref: 00C7030C
              • GetAsyncKeyState.USER32(00000011), ref: 00C70324
              • GetKeyState.USER32(00000011), ref: 00C70336
              • GetAsyncKeyState.USER32(00000012), ref: 00C7034E
              • GetKeyState.USER32(00000012), ref: 00C70360
              • GetAsyncKeyState.USER32(0000005B), ref: 00C70378
              • GetKeyState.USER32(0000005B), ref: 00C7038A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 08f87a92851d2b6504cf5a88984a5747efb5958396739a5ab6396bf895856e13
              • Instruction ID: 94c58bf87d317a81de3197a6f2a1ac78420b0305e8920303a1794ea5e333ace8
              • Opcode Fuzzy Hash: 08f87a92851d2b6504cf5a88984a5747efb5958396739a5ab6396bf895856e13
              • Instruction Fuzzy Hash: 8E41C9245047C9EEFF318A6488083B5BEA07F11340F28C09ED5DE866D3E7945BD487A2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • CoInitialize.OLE32 ref: 00C88718
              • CoUninitialize.OLE32 ref: 00C88723
              • CoCreateInstance.OLE32(?,00000000,00000017,00CA2BEC,?), ref: 00C88783
              • IIDFromString.OLE32(?,?), ref: 00C887F6
              • VariantInit.OLEAUT32(?), ref: 00C88890
              • VariantClear.OLEAUT32(?), ref: 00C888F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: 9c06e1af6fa39110d75060f9fd086ef3ee2f0ef47c74a78c1ab6df1a4e5670be
              • Instruction ID: 3e6a39a759d1d6c4ddff0cae23a727c18354b17061d55ff1f41ead2293c68985
              • Opcode Fuzzy Hash: 9c06e1af6fa39110d75060f9fd086ef3ee2f0ef47c74a78c1ab6df1a4e5670be
              • Instruction Fuzzy Hash: 1F61BE706083019FD710EF25C888B6EBBE4EF49718F90481DF9959B691CB70ED48DB96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 40d69bd675579aa2e5a83391e8e2bb67193bc6b8e428f0bde875fccb5836f7cb
              • Instruction ID: f1fba71ca99d498d203cefaef6e67e8bf83489fc1a02cb758cd0069153820a06
              • Opcode Fuzzy Hash: 40d69bd675579aa2e5a83391e8e2bb67193bc6b8e428f0bde875fccb5836f7cb
              • Instruction Fuzzy Hash: AC21B035200211AFDB14AF60EC5DB6D7BA9EF44724F10802BF946DB2B1CB30AD01EB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C148A1,?,?,00C137C0,?), ref: 00C148CE
                • Part of subcall function 00C74CD3: GetFileAttributesW.KERNEL32(?,00C73947), ref: 00C74CD4
              • FindFirstFileW.KERNEL32(?,?), ref: 00C73ADF
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C73B87
              • MoveFileW.KERNEL32(?,?), ref: 00C73B9A
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C73BB7
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C73BD9
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C73BF5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              • Opcode ID: 9cf436e2b35310c059e9c22b79d076e4b6017c6d03def9d5c28e799cb0a6bcbc
              • Instruction ID: e937d56bc740e607f62810429adb2954c5fd2c03b57bee71f5be3ee763cc4bcb
              • Opcode Fuzzy Hash: 9cf436e2b35310c059e9c22b79d076e4b6017c6d03def9d5c28e799cb0a6bcbc
              • Instruction Fuzzy Hash: 02517F3180528D9BCF15EBA0CD929EDB779AF15300F6481A9E45677091EF306F4AFBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C7F6AB
              • Sleep.KERNEL32(0000000A), ref: 00C7F6DB
              • _wcscmp.LIBCMT ref: 00C7F6EF
              • _wcscmp.LIBCMT ref: 00C7F70A
              • FindNextFileW.KERNEL32(?,?), ref: 00C7F7A8
              • FindClose.KERNEL32(00000000), ref: 00C7F7BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              • Opcode ID: 86bf6a4317c843bfd74df11edbd8d356343ca01721d616ffe152ec51adbc2ea7
              • Instruction ID: 005b9865007056c7cb8a8af99928d48d9a19501a805af44ce7ce2bd03a966519
              • Opcode Fuzzy Hash: 86bf6a4317c843bfd74df11edbd8d356343ca01721d616ffe152ec51adbc2ea7
              • Instruction Fuzzy Hash: 7341637190420A9FCF15DF64CC89BEEBBB4FF05310F14856AE819A7190DB309E85DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1546025612
              • Opcode ID: f267a3da627f72df9cacb728aa05a32337fd8855ab7d0fcd8807d4bc8186c0b1
              • Instruction ID: 15eedb850dac14db073aba79bc01a6dd1553d8410541c2002380f5f95d271ec7
              • Opcode Fuzzy Hash: f267a3da627f72df9cacb728aa05a32337fd8855ab7d0fcd8807d4bc8186c0b1
              • Instruction Fuzzy Hash: C9A2C174E0422ACBDF28CF59E9807ADB7B1BF54305F1482A9D866A7A80D7709EC5CF44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 61a6da75650a597c0d27feaed098b703f78cbb830b95a9bedb9bc53a64056c65
              • Instruction ID: 0bcae36aa7a8304e7ebf44a310d6ddce49320dabfb61e67c4b67c45dcdb5279d
              • Opcode Fuzzy Hash: 61a6da75650a597c0d27feaed098b703f78cbb830b95a9bedb9bc53a64056c65
              • Instruction Fuzzy Hash: 4012AA70A00619EFDF14DFA5D981AEEB3F5FF48300F204629E806A7291EB35AE51DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C68D0D
                • Part of subcall function 00C68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68D3A
                • Part of subcall function 00C68CC3: GetLastError.KERNEL32 ref: 00C68D47
              • ExitWindowsEx.USER32(?,00000000), ref: 00C7549B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: c143b2effb17372c9f5940db0eb6beb05a0c1f173832012962256f7c519c41a3
              • Instruction ID: 2d946dc7561ca5edc0f918c419678654edad34075a55b2b0124917860bcb164a
              • Opcode Fuzzy Hash: c143b2effb17372c9f5940db0eb6beb05a0c1f173832012962256f7c519c41a3
              • Instruction Fuzzy Hash: 4601F232A95B156AE7386779EC8BBBA7258EB04352F248175FD1EE20D2DAD05D8081A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C865EF
              • WSAGetLastError.WSOCK32(00000000), ref: 00C865FE
              • bind.WSOCK32(00000000,?,00000010), ref: 00C8661A
              • listen.WSOCK32(00000000,00000005), ref: 00C86629
              • WSAGetLastError.WSOCK32(00000000), ref: 00C86643
              • closesocket.WSOCK32(00000000,00000000), ref: 00C86657
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: d3796b6bd7da1fd03734218fa50d25019235aa99091a5ed9e402e132a04ad524
              • Instruction ID: 46b331d090178612204101e7c309cc0337c3d6bfce00a1d0ad94947797ecafa5
              • Opcode Fuzzy Hash: d3796b6bd7da1fd03734218fa50d25019235aa99091a5ed9e402e132a04ad524
              • Instruction Fuzzy Hash: EF21A0306002009FCB10EF64C899B6EB7A9EF45324F14816AF966E73D1DB70AD41EB55
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C30FF6: std::exception::exception.LIBCMT ref: 00C3102C
                • Part of subcall function 00C30FF6: __CxxThrowException@8.LIBCMT ref: 00C31041
              • _memmove.LIBCMT ref: 00C6062F
              • _memmove.LIBCMT ref: 00C60744
              • _memmove.LIBCMT ref: 00C607EB
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 1300846289-0
              • Opcode ID: 18c1b3d80e498918661f16c9f20f645687f8fb75f21021ef13990839ca816c6b
              • Instruction ID: 99f4c5c0c5ce464aa85e347334781af02c2fd79e3ac36c08fbb4e6cc2f5dce30
              • Opcode Fuzzy Hash: 18c1b3d80e498918661f16c9f20f645687f8fb75f21021ef13990839ca816c6b
              • Instruction Fuzzy Hash: 20029FB1A00209DFCF14DF64D981AAFBBB5FF44300F248069E806EB295EB31DA55DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C119FA
              • GetSysColor.USER32(0000000F), ref: 00C11A4E
              • SetBkColor.GDI32(?,00000000), ref: 00C11A61
                • Part of subcall function 00C11290: DefDlgProcW.USER32(?,00000020,?), ref: 00C112D8
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              • Opcode ID: 6f62c53354671f49881a94913542a8a44caaa46f216a7412faa31fbf00aa7d99
              • Instruction ID: ad64f23269c9a53f894bda90c3d60b2020b4fa8b2383b84d620ffd48f29d9a60
              • Opcode Fuzzy Hash: 6f62c53354671f49881a94913542a8a44caaa46f216a7412faa31fbf00aa7d99
              • Instruction Fuzzy Hash: 76A11871106545BFDA28AB2A5C88EFF399DEF43341B1C011AFE22D6191CA1DDE81F2B5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C880CB
              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C86AB1
              • WSAGetLastError.WSOCK32(00000000), ref: 00C86ADA
              • bind.WSOCK32(00000000,?,00000010), ref: 00C86B13
              • WSAGetLastError.WSOCK32(00000000), ref: 00C86B20
              • closesocket.WSOCK32(00000000,00000000), ref: 00C86B34
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              • Opcode ID: a02db967aa07583c85b713aaa1a311555280ea414f660e13f87dce1a7dd09ef4
              • Instruction ID: b023330ac24343ad7cf7773e3352c720bc179e505c3bb4d5f947fd2052422328
              • Opcode Fuzzy Hash: a02db967aa07583c85b713aaa1a311555280ea414f660e13f87dce1a7dd09ef4
              • Instruction Fuzzy Hash: 6441E075A00210AFEB10BF649C96FAE77A9DF06714F04805DF95AAB3C2CA709D41B791
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: 2bed808f67a3543f2714df2f1cabcb73d38c8f8b98a99d9edeada2e200901a6e
              • Instruction ID: d2d48058abc03676aa686e0d0f8b0f5e6ecffbbba9fc6a1c57513aaeadfc29b4
              • Opcode Fuzzy Hash: 2bed808f67a3543f2714df2f1cabcb73d38c8f8b98a99d9edeada2e200901a6e
              • Instruction Fuzzy Hash: CD119031300A106FEB221F26DC5CB6E77A9EF45721B454029F856D7341CB709E429BA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00C51D88,?), ref: 00C8C312
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C8C324
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              • Opcode ID: b174184d231db5332658dfe378718411ab5a7168b2c97edd33a4d1b7657498bc
              • Instruction ID: 56a64adc3206e83b56a3820606ef06f5d9d81ad112e959c4bbe6eaffdb8c2453
              • Opcode Fuzzy Hash: b174184d231db5332658dfe378718411ab5a7168b2c97edd33a4d1b7657498bc
              • Instruction Fuzzy Hash: CFE0E674600713CFDB205F65D848B8A76D4EB09759B50C43DD466D2160D770D942C770
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID: __itow__swprintf
              • String ID:
              • API String ID: 674341424-0
              • Opcode ID: 06ebd7f1ba1c707af27332a3f8017202897814a33303cfc3dd5e64628c0ed15e
              • Instruction ID: 82e14fc39844aba00ad9db12d352b1526e47c68410feb07ddb847d8a2b03988a
              • Opcode Fuzzy Hash: 06ebd7f1ba1c707af27332a3f8017202897814a33303cfc3dd5e64628c0ed15e
              • Instruction Fuzzy Hash: D322AB716083519FC724DF24D891BAFB7E5BF84300F10492DF89A97291DB34EA89DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00C8F151
              • Process32FirstW.KERNEL32(00000000,?), ref: 00C8F15F
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
              • Process32NextW.KERNEL32(00000000,?), ref: 00C8F21F
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C8F22E
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              • Opcode ID: 48a647e5023cfdafbaaee30f811396d6e6a5a1073764041f35db5fefb50269ca
              • Instruction ID: 13e82237e71ca9a3d830babafb7d76508c85ba42761c32f9f6cdb92fe46b14dc
              • Opcode Fuzzy Hash: 48a647e5023cfdafbaaee30f811396d6e6a5a1073764041f35db5fefb50269ca
              • Instruction Fuzzy Hash: 2A517E715083019FD310EF20DC85EAFBBE8EF95714F10492DF495972A1EB70AA49EB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C740D1
              • _memset.LIBCMT ref: 00C740F2
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C74144
              • CloseHandle.KERNEL32(00000000), ref: 00C7414D
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              • API String ID: 1157408455-0
              • Opcode ID: df05d1b0637abcc2f6badc65e182d634d37caad68626bd20493e964d2a67861e
              • Instruction ID: dcefbbe7ba056b1cf1d6bbb20092b7f59b76e6f8f42c7674275a8859ba118a0c
              • Opcode Fuzzy Hash: df05d1b0637abcc2f6badc65e182d634d37caad68626bd20493e964d2a67861e
              • Instruction Fuzzy Hash: AE11CA759012287AD7309BA5AC4DFAFBB7CEF44760F1041AAF908D7190D6744F80CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C6EB19
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: 09a54b678ace9e3478248a10cf5a8caff1e702c39dc86a49ae07ca8cb641e710
              • Instruction ID: 0050e18c187515884b6aec8bd92dd401c005d646e45d50e89a49ee2316a909c9
              • Opcode Fuzzy Hash: 09a54b678ace9e3478248a10cf5a8caff1e702c39dc86a49ae07ca8cb641e710
              • Instruction Fuzzy Hash: 16323679A00605DFCB28CF59D481A6AB7F1FF48310B15C56EE8AADB3A1E770E941CB44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00C826D5
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C8270C
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: e7602d6aeb9e92a8d5fcef2cec96c499aa4a9fa801084c86aab97b7478386a95
              • Instruction ID: 3d1f299a38e659492b8e8f6dbb35bb7102971e0f2715ac01aac97950bb7a124d
              • Opcode Fuzzy Hash: e7602d6aeb9e92a8d5fcef2cec96c499aa4a9fa801084c86aab97b7478386a95
              • Instruction Fuzzy Hash: 7941C875500209BFEB20EE95DC89FBFB7BCEB4071CF10406EF615A6140EA71AE41A758
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00C7B5AE
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C7B608
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C7B655
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 2cdac58d55ac3c682b5daa0786317fc7b20d69ab19c51c87b6c1d9a462304a48
              • Instruction ID: 2d885ed062bf6e924d938a4367e8db772f5e41eb8746a8cc7d0384cd2435eb7d
              • Opcode Fuzzy Hash: 2cdac58d55ac3c682b5daa0786317fc7b20d69ab19c51c87b6c1d9a462304a48
              • Instruction Fuzzy Hash: 51215E35A00518EFCB00EFA5D884BEDBBB8FF49310F1480AAE945EB351DB319956DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C30FF6: std::exception::exception.LIBCMT ref: 00C3102C
                • Part of subcall function 00C30FF6: __CxxThrowException@8.LIBCMT ref: 00C31041
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C68D0D
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68D3A
              • GetLastError.KERNEL32 ref: 00C68D47
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 84735af93f803ad4f1acdca98fadc2f77145b9d551f113ecc4473636cd581785
              • Instruction ID: 818da93f653f3712e09899a03d619395ca1d4d09b045ae6b45e40840ea036b89
              • Opcode Fuzzy Hash: 84735af93f803ad4f1acdca98fadc2f77145b9d551f113ecc4473636cd581785
              • Instruction Fuzzy Hash: 9C1191B2414209AFD728DF54DCC5E6BB7BCFB44710B20862EF45693651EB70AC458A60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C74C2C
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C74C43
              • FreeSid.ADVAPI32(?), ref: 00C74C53
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: 385f274a6caacc0bea90430656ee5af46be9893a17fddc523cbdbab58d84b68e
              • Instruction ID: c5a214dc519258d13068f86f9891eab82e6f9f2a7a651b692367a75027a05d85
              • Opcode Fuzzy Hash: 385f274a6caacc0bea90430656ee5af46be9893a17fddc523cbdbab58d84b68e
              • Instruction Fuzzy Hash: 8DF04975A1130CBFDF04DFF0DC89BAEBBBCEF08201F1044A9A901E2181E770AA048B50
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4590d7f25ebace37fbff383061fac3d5af6e942ca5a0bdb91cf940b569c01a24
              • Instruction ID: e7fd98cd9657f1a61f8578b5648854b82baf6b9e5bad243bda0766d0ada918b1
              • Opcode Fuzzy Hash: 4590d7f25ebace37fbff383061fac3d5af6e942ca5a0bdb91cf940b569c01a24
              • Instruction Fuzzy Hash: B9229D74A00216DFDB24DF54C490AEEB7B1FF0A300F248569EC669B351E734AAC5EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00C7C966
              • FindClose.KERNEL32(00000000), ref: 00C7C996
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 84f6bffc76589a5cbeb700320ffa729714ca070ab1954f5ff41919bff4cad564
              • Instruction ID: d75446b7936d67f1961846c99b73c539266abefbec02fa5511d9ac14328723b1
              • Opcode Fuzzy Hash: 84f6bffc76589a5cbeb700320ffa729714ca070ab1954f5ff41919bff4cad564
              • Instruction Fuzzy Hash: CD11A1326106009FD710EF29C889A6EF7E9FF85320F00851EF9A9D72A1DB30AC05DB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C8977D,?,00C9FB84,?), ref: 00C7A302
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C8977D,?,00C9FB84,?), ref: 00C7A314
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: cf8645349eeddb7292e7e05892ac096170455cf487cc4774ed73d10f5359cf88
              • Instruction ID: a671302dc5d40ec9dd9a6a3535f449c91f0db32c2e8d8c43445fd6cfa8250a90
              • Opcode Fuzzy Hash: cf8645349eeddb7292e7e05892ac096170455cf487cc4774ed73d10f5359cf88
              • Instruction Fuzzy Hash: FAF0823554422DBBDB109FA4CC48FEE776DFF09761F00826AB919D6191D6309940DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C68851), ref: 00C68728
              • CloseHandle.KERNEL32(?,?,00C68851), ref: 00C6873A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 8ce47784546492145eb05c39f022ae721191b142913ffb66f8d9b7386719c797
              • Instruction ID: c05c0b4df0bc96a27f1c6d18b0c6370653fe29b42bd80fd0d1d121f3fc192fd0
              • Opcode Fuzzy Hash: 8ce47784546492145eb05c39f022ae721191b142913ffb66f8d9b7386719c797
              • Instruction Fuzzy Hash: 92E0B676010610EFE7262B60EC09E7B7BA9EB04350B24892EB996C0470DB62AC91EB10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C38F97,?,?,?,00000001), ref: 00C3A39A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C3A3A3
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 494a222a0648cce14168f1330f0500f275f8d33183b26a94f5000dcd9c738b0e
              • Instruction ID: 2b1b7b08e841003e27d8b5c78594a10929d94d6b13a1f19c30996b8a74d39391
              • Opcode Fuzzy Hash: 494a222a0648cce14168f1330f0500f275f8d33183b26a94f5000dcd9c738b0e
              • Instruction Fuzzy Hash: 80B09231054208EBCA002BA1EC0DB8C3F68FB44BA2F404026F60DC4070CB6654A28A91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6378527684d87364da35d07a80f82d3aa18cff836760715a603a6d9ce457831c
              • Instruction ID: 9e7089ee4bdbc3f9e5a8be0d0f13745d342e2af6bcf6f0ab4389ca218e401656
              • Opcode Fuzzy Hash: 6378527684d87364da35d07a80f82d3aa18cff836760715a603a6d9ce457831c
              • Instruction Fuzzy Hash: 0332F571D69F414ED7235635DC32339A249AFB73C8F15DB3BE829B69A6EB28C5834100
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 85070980f6c0d752495fdff8d1882f73b0aa683463af42a2e9eaa9faa0ac510f
              • Instruction ID: ec29fb4d5183c6dc4848412b9de83b3b580c0475d9c162f0835be50735dc367f
              • Opcode Fuzzy Hash: 85070980f6c0d752495fdff8d1882f73b0aa683463af42a2e9eaa9faa0ac510f
              • Instruction Fuzzy Hash: 67B1F220D2AF414DD7639639883133ABB5CAFBB2D9F91D71BFC2675D22EB2185838141
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __time64.LIBCMT ref: 00C78B25
                • Part of subcall function 00C3543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C791F8,00000000,?,?,?,?,00C793A9,00000000,?), ref: 00C35443
                • Part of subcall function 00C3543A: __aulldiv.LIBCMT ref: 00C35463
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID:
              • API String ID: 2893107130-0
              • Opcode ID: 4909161c3edbf8d3ef5d33adea7cb1e362b68b10a800b78d98afac87dc20d8ae
              • Instruction ID: 4f40e41e882ff60996beb86420b6a498c3a2eea71636b846b2129935744f8f66
              • Opcode Fuzzy Hash: 4909161c3edbf8d3ef5d33adea7cb1e362b68b10a800b78d98afac87dc20d8ae
              • Instruction Fuzzy Hash: 5C21E4726355108FC729CF25D841B52B3E1EBA4321B288F6DD1F9CB2D0DA34B905CB94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • BlockInput.USER32(00000001), ref: 00C84218
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: 0f4d8b1387204be520eb237467e635838f26d142eb05165aa8bf149fcb072228
              • Instruction ID: a91fb55640158154eff7ef4001b9e098f59a2b5b2207b81480499efb8c6bf9db
              • Opcode Fuzzy Hash: 0f4d8b1387204be520eb237467e635838f26d142eb05165aa8bf149fcb072228
              • Instruction Fuzzy Hash: 5DE04F312442159FC710EF5AD855A9AF7E8EF95760F00802AFC4AC7352DA70F8419BA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C74EEC
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              • Opcode ID: 03c454a28636a9108160a5adf888fc86fbb5ceccf6ecdb23243208f3cb723250
              • Instruction ID: c3e0485a9e275dfbc01d5adfca7b9955a6cbba714c26bba0ab52ff11513812cc
              • Opcode Fuzzy Hash: 03c454a28636a9108160a5adf888fc86fbb5ceccf6ecdb23243208f3cb723250
              • Instruction Fuzzy Hash: 88D05E981A06147AFC1C4B209C5FF77910CF3007A1FD0C14AB11AC90C1DAD06D516530
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C688D1), ref: 00C68CB3
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: 11c099b1a7fbe036bc7075f667a5c2fd247b9242ac981614a1cd8cc30a136287
              • Instruction ID: 0ee946abdd76bea952c23f71c8427e7555c38549c773f4883e44232c2bb4d16a
              • Opcode Fuzzy Hash: 11c099b1a7fbe036bc7075f667a5c2fd247b9242ac981614a1cd8cc30a136287
              • Instruction Fuzzy Hash: 73D05E3226450EABEF018EA4DC05EAE3B69EB04B01F408111FE15C50A1C775D835AB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetUserNameW.ADVAPI32(?,?), ref: 00C52242
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              • Opcode ID: baa4a9eaf00c9705f233b78443488889976749a51eae5c273bc3fab1334da891
              • Instruction ID: c0c02375ec98135ac03d6c3da7f8f104502afd13cd0d63e6bec5b6c0ceccd063
              • Opcode Fuzzy Hash: baa4a9eaf00c9705f233b78443488889976749a51eae5c273bc3fab1334da891
              • Instruction Fuzzy Hash: EEC04CF5800109DBDB05DB90D98CEEE77BCAB04305F144056A501F2100D7749B448A71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C3A36A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 636273fcc5d75cba38d821d6b2c9e8dbadf2f01555d4246a9db4fc54d23339ca
              • Instruction ID: f05f6767ecc3c7bb64b0a94145c461a2b99be22b8da50cb36656a227a1fbff7f
              • Opcode Fuzzy Hash: 636273fcc5d75cba38d821d6b2c9e8dbadf2f01555d4246a9db4fc54d23339ca
              • Instruction Fuzzy Hash: D2A0123000010CE78A001B51EC085487F5CE6001907004021F40C80031873254514580
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8296ab031057cffadd6bbdaae437cee75d94f70b3db3df51a9b692b348a2ff1f
              • Instruction ID: 72e5ba0d38f0243fb156b0436eacb6119e7fe254fa17c490f07a41d64379862e
              • Opcode Fuzzy Hash: 8296ab031057cffadd6bbdaae437cee75d94f70b3db3df51a9b692b348a2ff1f
              • Instruction Fuzzy Hash: A9223930906626CBDF388F1DE4D467D77A1EF01304F78456AD8629BA91DB30DE89CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: cb7aec7612a3fd84eb825afd01636a1afc32c3b05456d01a6222a5a2675c6ba7
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: 83C1923222519309DF2D867AD43503EBAE15EA27B1B1E075DE8B3CB5D4EF20D624E620
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 96611e49f8b5a3b456abeb0342bda9e19f63cad4909dc7756a0d18296fafde71
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: 9EC191322151930ADF2D463A943413EFBE15BA27B1B1E176DE8B3DB5D4EF20D624E620
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: c0594cba01251356473d4c5f2f37de2ee08d6b0e5d7af8b12df148796ea93827
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: 8BC171322291930DDF6D467A943403EBBE15AA27B171E1B6DECB3CB5D4EF20D624D620
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
              • Instruction ID: 8bfc6acbc4016de2a8a2dcd12a91ff8bb64848ac446a8ff12c252c6994e00aa5
              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
              • Instruction Fuzzy Hash: 6341D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
              • Instruction ID: 66ebf56cdb7b5adba3efbcb1a563828d34732f457003a2c89e58b09943fbb253
              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
              • Instruction Fuzzy Hash: 4F019278A01109EFCB44EF99C5909AEF7B5FB48710F60859AE809A7711D730EE41DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
              • Instruction ID: 95de0f256c46e9bbebbef7d51276b23287dce15a6b752ff0f865440f33548d81
              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
              • Instruction Fuzzy Hash: EA019278A04109EFCB48EF98C5909AEF7B5FB48710F20859AE819A7711E730EE41DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1204928700.0000000001480000.00000040.00001000.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_1480000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?,00C9F910), ref: 00C938AF
              • IsWindowVisible.USER32(?), ref: 00C938D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetTextColor.GDI32(?,00000000), ref: 00C9A89F
              • GetSysColorBrush.USER32(0000000F), ref: 00C9A8D0
              • GetSysColor.USER32(0000000F), ref: 00C9A8DC
              • SetBkColor.GDI32(?,000000FF), ref: 00C9A8F6
              • SelectObject.GDI32(?,?), ref: 00C9A905
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00C9A930
              • GetSysColor.USER32(00000010), ref: 00C9A938
              • CreateSolidBrush.GDI32(00000000), ref: 00C9A93F
              • FrameRect.USER32(?,?,00000000), ref: 00C9A94E
              • DeleteObject.GDI32(00000000), ref: 00C9A955
              • InflateRect.USER32(?,000000FE,000000FE), ref: 00C9A9A0
              • FillRect.USER32(?,?,?), ref: 00C9A9D2
              • GetWindowLongW.USER32(?,000000F0), ref: 00C9A9FD
                • Part of subcall function 00C9AB60: GetSysColor.USER32(00000012), ref: 00C9AB99
                • Part of subcall function 00C9AB60: SetTextColor.GDI32(?,?), ref: 00C9AB9D
                • Part of subcall function 00C9AB60: GetSysColorBrush.USER32(0000000F), ref: 00C9ABB3
                • Part of subcall function 00C9AB60: GetSysColor.USER32(0000000F), ref: 00C9ABBE
                • Part of subcall function 00C9AB60: GetSysColor.USER32(00000011), ref: 00C9ABDB
                • Part of subcall function 00C9AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C9ABE9
                • Part of subcall function 00C9AB60: SelectObject.GDI32(?,00000000), ref: 00C9ABFA
                • Part of subcall function 00C9AB60: SetBkColor.GDI32(?,00000000), ref: 00C9AC03
                • Part of subcall function 00C9AB60: SelectObject.GDI32(?,?), ref: 00C9AC10
                • Part of subcall function 00C9AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00C9AC2F
                • Part of subcall function 00C9AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C9AC46
                • Part of subcall function 00C9AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00C9AC5B
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
              • String ID:
              • API String ID: 4124339563-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00C12CA2
              • DeleteObject.GDI32(00000000), ref: 00C12CE8
              • DeleteObject.GDI32(00000000), ref: 00C12CF3
              • DestroyIcon.USER32(00000000,?,?,?), ref: 00C12CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00C12D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C4C68B
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C4C6C4
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C4CAED
                • Part of subcall function 00C11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C12036,?,00000000,?,?,?,?,00C116CB,00000000,?), ref: 00C11B9A
              • SendMessageW.USER32(?,00001053), ref: 00C4CB2A
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C4CB41
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C4CB57
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C4CB62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 464785882-4108050209
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(00000000), ref: 00C877F1
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C878B0
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C878EE
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C87900
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C87946
              • GetClientRect.USER32(00000000,?), ref: 00C87952
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C87996
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C879A5
              • GetStockObject.GDI32(00000011), ref: 00C879B5
              • SelectObject.GDI32(00000000,00000000), ref: 00C879B9
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C879C9
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C879D2
              • DeleteDC.GDI32(00000000), ref: 00C879DB
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C87A07
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C87A1E
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C87A59
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C87A6D
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C87A7E
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C87AAE
              • GetStockObject.GDI32(00000011), ref: 00C87AB9
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C87AC4
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C87ACE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00C7AF89
              • GetDriveTypeW.KERNEL32(?,00C9FAC0,?,\\.\,00C9F910), ref: 00C7B066
              • SetErrorMode.KERNEL32(00000000,00C9FAC0,?,\\.\,00C9F910), ref: 00C7B1C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSysColor.USER32(00000012), ref: 00C9AB99
              • SetTextColor.GDI32(?,?), ref: 00C9AB9D
              • GetSysColorBrush.USER32(0000000F), ref: 00C9ABB3
              • GetSysColor.USER32(0000000F), ref: 00C9ABBE
              • CreateSolidBrush.GDI32(?), ref: 00C9ABC3
              • GetSysColor.USER32(00000011), ref: 00C9ABDB
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C9ABE9
              • SelectObject.GDI32(?,00000000), ref: 00C9ABFA
              • SetBkColor.GDI32(?,00000000), ref: 00C9AC03
              • SelectObject.GDI32(?,?), ref: 00C9AC10
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00C9AC2F
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C9AC46
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00C9AC5B
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C9ACA7
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C9ACCE
              • InflateRect.USER32(?,000000FD,000000FD), ref: 00C9ACEC
              • DrawFocusRect.USER32(?,?), ref: 00C9ACF7
              • GetSysColor.USER32(00000011), ref: 00C9AD05
              • SetTextColor.GDI32(?,00000000), ref: 00C9AD0D
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C9AD21
              • SelectObject.GDI32(?,00C9A869), ref: 00C9AD38
              • DeleteObject.GDI32(?), ref: 00C9AD43
              • SelectObject.GDI32(?,?), ref: 00C9AD49
              • DeleteObject.GDI32(?), ref: 00C9AD4E
              • SetTextColor.GDI32(?,?), ref: 00C9AD54
              • SetBkColor.GDI32(?,?), ref: 00C9AD5E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C98D34
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C98D45
              • CharNextW.USER32(0000014E), ref: 00C98D74
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C98DB5
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C98DCB
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C98DDC
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C98DF9
              • SetWindowTextW.USER32(?,0000014E), ref: 00C98E45
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C98E5B
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C98E8C
              • _memset.LIBCMT ref: 00C98EB1
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C98EFA
              • _memset.LIBCMT ref: 00C98F59
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C98F83
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C98FDB
              • SendMessageW.USER32(?,0000133D,?,?), ref: 00C99088
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00C990AA
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C990F4
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C99121
              • DrawMenuBar.USER32(?), ref: 00C99130
              • SetWindowTextW.USER32(?,0000014E), ref: 00C99158
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?), ref: 00C94C51
              • GetDesktopWindow.USER32 ref: 00C94C66
              • GetWindowRect.USER32(00000000), ref: 00C94C6D
              • GetWindowLongW.USER32(?,000000F0), ref: 00C94CCF
              • DestroyWindow.USER32(?), ref: 00C94CFB
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C94D24
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C94D42
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C94D68
              • SendMessageW.USER32(?,00000421,?,?), ref: 00C94D7D
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C94D90
              • IsWindowVisible.USER32(?), ref: 00C94DB0
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C94DCB
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C94DDF
              • GetWindowRect.USER32(?,?), ref: 00C94DF7
              • MonitorFromPoint.USER32(?,?,00000002), ref: 00C94E1D
              • GetMonitorInfoW.USER32(00000000,?), ref: 00C94E37
              • CopyRect.USER32(?,?), ref: 00C94E4E
              • SendMessageW.USER32(?,00000412,00000000), ref: 00C94EB9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C746E8
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C7470E
              • _wcscpy.LIBCMT ref: 00C7473C
              • _wcscmp.LIBCMT ref: 00C74747
              • _wcscat.LIBCMT ref: 00C7475D
              • _wcsstr.LIBCMT ref: 00C74768
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C74784
              • _wcscat.LIBCMT ref: 00C747CD
              • _wcscat.LIBCMT ref: 00C747D4
              • _wcsncpy.LIBCMT ref: 00C747FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C128BC
              • GetSystemMetrics.USER32(00000007), ref: 00C128C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C128EF
              • GetSystemMetrics.USER32(00000008), ref: 00C128F7
              • GetSystemMetrics.USER32(00000004), ref: 00C1291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C12939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C12949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C1297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C12990
              • GetClientRect.USER32(00000000,000000FF), ref: 00C129AE
              • GetStockObject.GDI32(00000011), ref: 00C129CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C129D5
                • Part of subcall function 00C12344: GetCursorPos.USER32(?), ref: 00C12357
                • Part of subcall function 00C12344: ScreenToClient.USER32(00CD67B0,?), ref: 00C12374
                • Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000001), ref: 00C12399
                • Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000002), ref: 00C123A7
              • SetTimer.USER32(00000000,00000000,00000028,00C11256), ref: 00C129FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00C940F6
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C941B6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-719923060
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadCursorW.USER32(00000000,00007F89), ref: 00C85309
              • LoadCursorW.USER32(00000000,00007F8A), ref: 00C85314
              • LoadCursorW.USER32(00000000,00007F00), ref: 00C8531F
              • LoadCursorW.USER32(00000000,00007F03), ref: 00C8532A
              • LoadCursorW.USER32(00000000,00007F8B), ref: 00C85335
              • LoadCursorW.USER32(00000000,00007F01), ref: 00C85340
              • LoadCursorW.USER32(00000000,00007F81), ref: 00C8534B
              • LoadCursorW.USER32(00000000,00007F88), ref: 00C85356
              • LoadCursorW.USER32(00000000,00007F80), ref: 00C85361
              • LoadCursorW.USER32(00000000,00007F86), ref: 00C8536C
              • LoadCursorW.USER32(00000000,00007F83), ref: 00C85377
              • LoadCursorW.USER32(00000000,00007F85), ref: 00C85382
              • LoadCursorW.USER32(00000000,00007F82), ref: 00C8538D
              • LoadCursorW.USER32(00000000,00007F84), ref: 00C85398
              • LoadCursorW.USER32(00000000,00007F04), ref: 00C853A3
              • LoadCursorW.USER32(00000000,00007F02), ref: 00C853AE
              • GetCursorInfo.USER32(?), ref: 00C853BE
              • GetLastError.KERNEL32(00000001,00000000), ref: 00C853E9
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Cursor$Load$ErrorInfoLast
              • String ID:
              • API String ID: 3215588206-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 00C6AAA5
              • __swprintf.LIBCMT ref: 00C6AB46
              • _wcscmp.LIBCMT ref: 00C6AB59
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C6ABAE
              • _wcscmp.LIBCMT ref: 00C6ABEA
              • GetClassNameW.USER32(?,?,00000400), ref: 00C6AC21
              • GetDlgCtrlID.USER32(?), ref: 00C6AC73
              • GetWindowRect.USER32(?,?), ref: 00C6ACA9
              • GetParent.USER32(?), ref: 00C6ACC7
              • ScreenToClient.USER32(00000000), ref: 00C6ACCE
              • GetClassNameW.USER32(?,?,00000100), ref: 00C6AD48
              • _wcscmp.LIBCMT ref: 00C6AD5C
              • GetWindowTextW.USER32(?,?,00000400), ref: 00C6AD82
              • _wcscmp.LIBCMT ref: 00C6AD96
                • Part of subcall function 00C3386C: _iswctype.LIBCMT ref: 00C33874
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 00C6B3DB
              • _wcscmp.LIBCMT ref: 00C6B3EC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C6B414
              • CharUpperBuffW.USER32(?,00000000), ref: 00C6B431
              • _wcscmp.LIBCMT ref: 00C6B44F
              • _wcsstr.LIBCMT ref: 00C6B460
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00C6B498
              • _wcscmp.LIBCMT ref: 00C6B4A8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C6B4CF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00C6B518
              • _wcscmp.LIBCMT ref: 00C6B528
              • GetClassNameW.USER32(00000010,?,00000400), ref: 00C6B550
              • GetWindowRect.USER32(00000004,?), ref: 00C6B5B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadIconW.USER32(00000063), ref: 00C6C4D4
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C6C4E6
              • SetWindowTextW.USER32(?,?), ref: 00C6C4FD
              • GetDlgItem.USER32(?,000003EA), ref: 00C6C512
              • SetWindowTextW.USER32(00000000,?), ref: 00C6C518
              • GetDlgItem.USER32(?,000003E9), ref: 00C6C528
              • SetWindowTextW.USER32(00000000,?), ref: 00C6C52E
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C6C54F
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C6C569
              • GetWindowRect.USER32(?,?), ref: 00C6C572
              • SetWindowTextW.USER32(?,?), ref: 00C6C5DD
              • GetDesktopWindow.USER32 ref: 00C6C5E3
              • GetWindowRect.USER32(00000000), ref: 00C6C5EA
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C6C636
              • GetClientRect.USER32(?,?), ref: 00C6C643
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C6C668
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C6C693
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID:
              • API String ID: 3869813825-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C9A4C8
              • DestroyWindow.USER32(?,?), ref: 00C9A542
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C9A5BC
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C9A5DE
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C9A5F1
              • DestroyWindow.USER32(00000000), ref: 00C9A613
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C10000,00000000), ref: 00C9A64A
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C9A663
              • GetDesktopWindow.USER32 ref: 00C9A67C
              • GetWindowRect.USER32(00000000), ref: 00C9A683
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C9A69B
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C9A6B3
                • Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$tooltips_class32
              • API String ID: 1297703922-3619404913
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • DragQueryPoint.SHELL32(?,?), ref: 00C9C917
                • Part of subcall function 00C9ADF1: ClientToScreen.USER32(?,?), ref: 00C9AE1A
                • Part of subcall function 00C9ADF1: GetWindowRect.USER32(?,?), ref: 00C9AE90
                • Part of subcall function 00C9ADF1: PtInRect.USER32(?,?,00C9C304), ref: 00C9AEA0
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00C9C980
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C9C98B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C9C9AE
              • _wcscat.LIBCMT ref: 00C9C9DE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C9C9F5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00C9CA0E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00C9CA25
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00C9CA47
              • DragFinish.SHELL32(?), ref: 00C9CA4E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C9CB41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
              • API String ID: 169749273-3440237614
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00C946AB
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C946F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C9BB6E
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C99431), ref: 00C9BBCA
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C9BC03
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C9BC46
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C9BC7D
              • FreeLibrary.KERNEL32(?), ref: 00C9BC89
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C9BC99
              • DestroyIcon.USER32(?,?,?,?,?,00C99431), ref: 00C9BCA8
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C9BCC5
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C9BCD1
                • Part of subcall function 00C3313D: __wcsicmp_l.LIBCMT ref: 00C331C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDC.USER32(00000000), ref: 00C876A2
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C876AE
              • CreateCompatibleDC.GDI32(?), ref: 00C876BA
              • SelectObject.GDI32(00000000,?), ref: 00C876C7
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,rrrrrrrrrrrrrrrr), ref: 00C8771B
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C87757
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C8777B
              • SelectObject.GDI32(00000006,?), ref: 00C87783
              • DeleteObject.GDI32(?), ref: 00C8778C
              • DeleteDC.GDI32(00000006), ref: 00C87793
              • ReleaseDC.USER32(00000000,?), ref: 00C8779E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: ($rrrrrrrrrrrrrrrr
              • API String ID: 2598888154-1895780940
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • CharLowerBuffW.USER32(?,?), ref: 00C7A636
              • GetDriveTypeW.KERNEL32 ref: 00C7A683
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A6CB
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A702
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A730
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: fc1669c91259e8c6b3dde1a23b8db9cb5b9388bf814b1f606e80cfcd96ab3d2e
              • Instruction ID: 6e2d54f7ed849dcb27a2212e1ce3adece4336cff220bcadc5a3ce6e143845a45
              • Opcode Fuzzy Hash: fc1669c91259e8c6b3dde1a23b8db9cb5b9388bf814b1f606e80cfcd96ab3d2e
              • Instruction Fuzzy Hash: E7514B711043049FC704EF20C8919AEB7F4EF85718F14896DF89A972A1DB31AE4AEB42
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C7A47A
              • __swprintf.LIBCMT ref: 00C7A49C
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C7A4D9
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C7A4FE
              • _memset.LIBCMT ref: 00C7A51D
              • _wcsncpy.LIBCMT ref: 00C7A559
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C7A58E
              • CloseHandle.KERNEL32(00000000), ref: 00C7A599
              • RemoveDirectoryW.KERNEL32(?), ref: 00C7A5A2
              • CloseHandle.KERNEL32(00000000), ref: 00C7A5AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: 9f8c0718c9b3f63b9013894f00af4a26d090e93592d68b7a9cb71223b2036ebc
              • Instruction ID: 07173baacd354d2f4ec73463016ba166c20fae5e3cfb631f9d4a3434ae440af5
              • Opcode Fuzzy Hash: 9f8c0718c9b3f63b9013894f00af4a26d090e93592d68b7a9cb71223b2036ebc
              • Instruction Fuzzy Hash: 503190B6500119ABDB219FA0DC49FEF77BCEF88701F1041BAFA18D2160E77497458B25
              Uniqueness

              Uniqueness Score: -1.00%
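The entry above (GetFullPathNameW, CreateDirectoryW, CreateFileW with 40000000/00000003/02200000, DeviceIoControl with 000900A4, and RemoveDirectoryW on the failure path, together with the `\??\%s` format string) is the standard sequence for attaching a reparse point to a directory that has just been created: 0x000900A4 is FSCTL_SET_REPARSE_POINT and 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, the flags needed to open a directory handle for that FSCTL. In a binary the report identifies as a compiled AutoIt script this reads as interpreter runtime code (AutoIt's NTFS-link support) rather than payload-specific behaviour, so it would typically be present in any compiled AutoIt executable and is not an indicator on its own. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the listing's own "Api.DLL(args), ref: addr" line format, decodes the CTL_CODE and CreateFileW bit fields, and checks for the three-call pattern. The helper names and the small FSCTL/flag tables are the example's own (only the reparse-point FSCTLs are named).

```python
"""Decode the constants in a Joe Sandbox API listing line.

Added example for this report; it is not part of Joe Sandbox or of the analysed
sample. It parses the listing's own "Api.DLL(arg,arg), ref: addr" lines and
expands the Windows CTL_CODE and CreateFileW bit fields so that a value such as
000900A4 reads as FSCTL_SET_REPARSE_POINT.
"""
import re
from typing import Optional

# CTL_CODE(DeviceType, Function, Method, Access) = DeviceType<<16 | Access<<14 | Function<<2 | Method
DEVICE_TYPES = {0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Function numbers on FILE_DEVICE_FILE_SYSTEM (winioctl.h); only the reparse-point ones are listed here
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT", 43: "FSCTL_DELETE_REPARSE_POINT"}

# CreateFileW argument bit fields (winnt.h / fileapi.h)
CREATEFILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                     0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODES = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CREATEFILE_FLAGS = {0x80000000: "FILE_FLAG_WRITE_THROUGH", 0x40000000: "FILE_FLAG_OVERLAPPED",
                    0x20000000: "FILE_FLAG_NO_BUFFERING", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
                    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}

API_LINE = re.compile(r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\)")


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one 'Api.DLL(a,b,c), ref: addr' line. '?' (unresolved by the sandbox)
    becomes None, hex arguments become ints, an inline string literal stays a str."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        if tok in ("", "?"):
            args.append(None)
            continue
        sign, body = (-1, tok[1:]) if tok.startswith("-") else (1, tok)
        try:
            args.append(sign * int(body, 16))
        except ValueError:
            args.append(tok)
    return {"api": m.group("api"), "dll": m.group("dll"), "args": args}


def _bits(value: int, table: dict) -> list:
    """Name every set bit from table; unknown bits are kept as hex so nothing is silently dropped."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_ioctl(code: int) -> dict:
    """Split an I/O control code into its CTL_CODE fields and name it where known."""
    device = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    return {"device": DEVICE_TYPES.get(device, f"0x{device:X}"),
            "access": ACCESS[(code >> 14) & 0x3],
            "function": function,
            "method": METHODS[code & 0x3],
            "name": FSCTL_FUNCTIONS.get(function) if device == 0x9 else None}


def decode_createfile(args: list) -> dict:
    """Expand the CreateFileW arguments: desired access, share mode, disposition, flags."""
    access, share, disposition, flags = args[1], args[2], args[4], args[5]
    return {"desired_access": _bits(access, CREATEFILE_ACCESS) if access is not None else None,
            "share_mode": _bits(share, SHARE_MODES) if share is not None else None,
            "disposition": DISPOSITIONS.get(disposition, disposition),
            "flags": _bits(flags, CREATEFILE_FLAGS) if flags is not None else None}


def explain(line: str) -> Optional[dict]:
    """Parse a listing line and attach decoded fields for the calls handled here."""
    parsed = parse_api_line(line)
    if parsed is None:
        return None
    if parsed["api"] == "DeviceIoControl" and isinstance(parsed["args"][1], int):
        parsed["ioctl"] = decode_ioctl(parsed["args"][1])
    elif parsed["api"] in ("CreateFileW", "CreateFileA") and len(parsed["args"]) >= 6:
        parsed.update(decode_createfile(parsed["args"]))
    return parsed


def sets_reparse_point_on_new_directory(lines: list) -> bool:
    """True when a listing shows the junction-style pattern: a directory is created, opened with
    BACKUP_SEMANTICS|OPEN_REPARSE_POINT, and FSCTL_SET_REPARSE_POINT is issued on it."""
    seen = {"mkdir": False, "open": False, "fsctl": False}
    for line in lines:
        info = explain(line)
        if not info:
            continue
        if info["api"] == "CreateDirectoryW":
            seen["mkdir"] = True
        elif info["api"].startswith("CreateFile") and info.get("flags"):
            seen["open"] |= {"FILE_FLAG_BACKUP_SEMANTICS", "FILE_FLAG_OPEN_REPARSE_POINT"} <= set(info["flags"])
        elif info["api"] == "DeviceIoControl" and "ioctl" in info:
            seen["fsctl"] |= info["ioctl"]["name"] == "FSCTL_SET_REPARSE_POINT"
    return all(seen.values())


# These four lines are copied from this report's listing for the function at 00C7A47A.
LISTING = [
    "• CreateDirectoryW.KERNEL32(?,00000000), ref: 00C7A4D9",
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C7A4FE",
    "• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C7A58E",
    "• RemoveDirectoryW.KERNEL32(?), ref: 00C7A5A2",
]

if __name__ == "__main__":
    for entry in LISTING:
        print(explain(entry))
    print("reparse point set on a new directory:", sets_reparse_point_on_new_directory(LISTING))
```

The same parser can be pointed at any other entry on this page; unknown bits stay visible as hex rather than disappearing, which matters when a sample uses a flag the table does not name.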

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C9C4EC
              • GetFocus.USER32 ref: 00C9C4FC
              • GetDlgCtrlID.USER32(00000000), ref: 00C9C507
              • _memset.LIBCMT ref: 00C9C632
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C9C65D
              • GetMenuItemCount.USER32(?), ref: 00C9C67D
              • GetMenuItemID.USER32(?,00000000), ref: 00C9C690
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C9C6C4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C9C70C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C9C744
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C9C779
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              • Opcode ID: aa8ffb1d5a2935d31d779d344dd3b2dfc86370670d53a676a05775491208aac0
              • Instruction ID: 5b2510faf69e19865f0b51092e633350b8eed7d997fafc61af3f72fe73f7dd78
              • Opcode Fuzzy Hash: aa8ffb1d5a2935d31d779d344dd3b2dfc86370670d53a676a05775491208aac0
              • Instruction Fuzzy Hash: D2817E70208345AFDB10CF24C9C8A6FBBE5FB88714F10492EF9A597291D730DA15DBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C68766
                • Part of subcall function 00C6874A: GetLastError.KERNEL32(?,00C6822A,?,?,?), ref: 00C68770
                • Part of subcall function 00C6874A: GetProcessHeap.KERNEL32(00000008,?,?,00C6822A,?,?,?), ref: 00C6877F
                • Part of subcall function 00C6874A: HeapAlloc.KERNEL32(00000000,?,00C6822A,?,?,?), ref: 00C68786
                • Part of subcall function 00C6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C6879D
                • Part of subcall function 00C687E7: GetProcessHeap.KERNEL32(00000008,00C68240,00000000,00000000,?,00C68240,?), ref: 00C687F3
                • Part of subcall function 00C687E7: HeapAlloc.KERNEL32(00000000,?,00C68240,?), ref: 00C687FA
                • Part of subcall function 00C687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C68240,?), ref: 00C6880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C68458
              • _memset.LIBCMT ref: 00C6846D
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C6848C
              • GetLengthSid.ADVAPI32(?), ref: 00C6849D
              • GetAce.ADVAPI32(?,00000000,?), ref: 00C684DA
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C684F6
              • GetLengthSid.ADVAPI32(?), ref: 00C68513
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C68522
              • HeapAlloc.KERNEL32(00000000), ref: 00C68529
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C6854A
              • CopySid.ADVAPI32(00000000), ref: 00C68551
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C68582
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C685A8
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C685BC
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 4fe20556813b3d7888a63f80db838996dda8030b396d1cb633d931dc7ac19ded
              • Instruction ID: 000f840d529395e3ad61ebce2d6ac6b123e1d3bc47e980a370e7b292589c8eb4
              • Opcode Fuzzy Hash: 4fe20556813b3d7888a63f80db838996dda8030b396d1cb633d931dc7ac19ded
              • Instruction Fuzzy Hash: 81611D71900209ABDF10DF94DC85AAEBBB9FF04700F14826EF925E6291DB319A19DF60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,00C9FB78), ref: 00C7A0FC
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
              • LoadStringW.USER32(?,?,00000FFF,?), ref: 00C7A11E
              • __swprintf.LIBCMT ref: 00C7A177
              • __swprintf.LIBCMT ref: 00C7A190
              • _wprintf.LIBCMT ref: 00C7A246
              • _wprintf.LIBCMT ref: 00C7A264
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf$_memmove
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 311963372-2391861430
              • Opcode ID: 8703ff201afe36b581401e0e227ba36f93a42c0e68c53eefa8bf1fdbb828c9c2
              • Instruction ID: bef4b2b9c1f6e4fdd942cec05d8a5b95d2ed36e6b80bdf14f7cfd855d69b57bc
              • Opcode Fuzzy Hash: 8703ff201afe36b581401e0e227ba36f93a42c0e68c53eefa8bf1fdbb828c9c2
              • Instruction Fuzzy Hash: C5516D71900209BBCF15EBE0CD86EEEB779AF05300F104265F519720A2EB316F99EB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C30B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C16C6C,?,00008000), ref: 00C30BB7
                • Part of subcall function 00C148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C148A1,?,?,00C137C0,?), ref: 00C148CE
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C16D0D
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00C16E5A
                • Part of subcall function 00C159CD: _wcscpy.LIBCMT ref: 00C15A05
                • Part of subcall function 00C3387D: _iswctype.LIBCMT ref: 00C33885
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: 454e22968fa136d19cc1f87e8a497d6e0be902cfa240ae0a457b874d1cf6ddb4
              • Instruction ID: 7787fe3d07d3f945fafabcc881f2026dd6d7f39c811398b5232ce3e8fb962ff7
              • Opcode Fuzzy Hash: 454e22968fa136d19cc1f87e8a497d6e0be902cfa240ae0a457b874d1cf6ddb4
              • Instruction Fuzzy Hash: 51027D31108341DFC724EF24C891AAFBBE5BF9A354F14491DF496972A1DB30DA89EB42
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C145F9
              • GetMenuItemCount.USER32(00CD6890), ref: 00C4D7CD
              • GetMenuItemCount.USER32(00CD6890), ref: 00C4D87D
              • GetCursorPos.USER32(?), ref: 00C4D8C1
              • SetForegroundWindow.USER32(00000000), ref: 00C4D8CA
              • TrackPopupMenuEx.USER32(00CD6890,00000000,?,00000000,00000000,00000000), ref: 00C4D8DD
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C4D8E9
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 2751501086-0
              • Opcode ID: 919323e5a35d670ac15f1b43dcef72bc9444025da46bd0097ca68064e51d4070
              • Instruction ID: 3e240cf62a0c99164fbacfe0d74f807b2286f54324d7e63461a4f29cad0e0384
              • Opcode Fuzzy Hash: 919323e5a35d670ac15f1b43dcef72bc9444025da46bd0097ca68064e51d4070
              • Instruction Fuzzy Hash: E871F570640205BFEB24AF15DC89FEABF64FF05368F204216F52AA61E1C7B16950EB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C90038,?,?), ref: 00C910BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: e5dfc37357221b819203e5db835840653d7880337c51b51f81fcd7a520c72112
              • Instruction ID: 2d5e39658f5694cfb44d8ae7e7c71d72a24301f2c45af485db614a0f362bb5f0
              • Opcode Fuzzy Hash: e5dfc37357221b819203e5db835840653d7880337c51b51f81fcd7a520c72112
              • Instruction Fuzzy Hash: E9415B7115024BDBCF10EF90D8A6AEF3778AF11310F184458FCA15B291DB30AE5AEB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
                • Part of subcall function 00C17A84: _memmove.LIBCMT ref: 00C17B0D
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C755D2
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C755E8
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C755F9
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C7560B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C7561C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: dcade05f36b3e1c9dda2523791e87ae772f60a3f5d97867a0e023c4c860a25a6
              • Instruction ID: 0224857e979e74b36f6121cbc862668f7c3e13c215df37a7c1a5f8b67dc749be
              • Opcode Fuzzy Hash: dcade05f36b3e1c9dda2523791e87ae772f60a3f5d97867a0e023c4c860a25a6
              • Instruction Fuzzy Hash: 6811C420A901AD79D720B7A1CC5EEFFBB7CEF92B44F44052DB415A20E1DEA08E45E5A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: 8b10a1d1e2960f9f8ed2eec29f5ba312223b8aff6ad5960d652e0f2a5fd2062a
              • Instruction ID: 1680b853987a2e211dd58c97a129d8b6acdcbf71ec4f76afb3ed2fcf60a6b04c
              • Opcode Fuzzy Hash: 8b10a1d1e2960f9f8ed2eec29f5ba312223b8aff6ad5960d652e0f2a5fd2062a
              • Instruction Fuzzy Hash: 1C11D231A14114AFCB28EB64EC4AFDF77BCDB01710F0441BAF518D60A1EF709A829661
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • timeGetTime.WINMM ref: 00C7521C
                • Part of subcall function 00C30719: timeGetTime.WINMM(?,75A4B400,00C20FF9), ref: 00C3071D
              • Sleep.KERNEL32(0000000A), ref: 00C75248
              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00C7526C
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C7528E
              • SetActiveWindow.USER32 ref: 00C752AD
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C752BB
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C752DA
              • Sleep.KERNEL32(000000FA), ref: 00C752E5
              • IsWindow.USER32 ref: 00C752F1
              • EndDialog.USER32(00000000), ref: 00C75302
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: 82f9dce4636468a2f5c5b88cce5d7b3b9d77cc019816afc953f32e3cc80f290c
              • Instruction ID: 92360570818b81882ff67d865e4d1359c18b3002766a11cb2ffa6b8215201a13
              • Opcode Fuzzy Hash: 82f9dce4636468a2f5c5b88cce5d7b3b9d77cc019816afc953f32e3cc80f290c
              • Instruction Fuzzy Hash: 1621AE70205B05AFE7005B70EC8DB2E3B6AEB44386F10447BF409C11B5EBB19D11DB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • CoInitialize.OLE32(00000000), ref: 00C7D855
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C7D8E8
              • SHGetDesktopFolder.SHELL32(?), ref: 00C7D8FC
              • CoCreateInstance.OLE32(00CA2D7C,00000000,00000001,00CCA89C,?), ref: 00C7D948
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C7D9B7
              • CoTaskMemFree.OLE32(?,?), ref: 00C7DA0F
              • _memset.LIBCMT ref: 00C7DA4C
              • SHBrowseForFolderW.SHELL32(?), ref: 00C7DA88
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C7DAAB
              • CoTaskMemFree.OLE32(00000000), ref: 00C7DAB2
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C7DAE9
              • CoUninitialize.OLE32(00000001,00000000), ref: 00C7DAEB
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: bd99c991afa4f02f026f62d4401cc885b3fe5e082ac4b206d20d44faf4652d08
              • Instruction ID: e4b61d5f90f48d60030bc08e7f2d21abae6d6b2254d13e69d989ec9624e0fc1e
              • Opcode Fuzzy Hash: bd99c991afa4f02f026f62d4401cc885b3fe5e082ac4b206d20d44faf4652d08
              • Instruction Fuzzy Hash: A6B11D75A00109AFDB04DFA4C898EAEBBB9FF49314F048469F50AEB251DB30EE41DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 00C705A7
              • SetKeyboardState.USER32(?), ref: 00C70612
              • GetAsyncKeyState.USER32(000000A0), ref: 00C70632
              • GetKeyState.USER32(000000A0), ref: 00C70649
              • GetAsyncKeyState.USER32(000000A1), ref: 00C70678
              • GetKeyState.USER32(000000A1), ref: 00C70689
              • GetAsyncKeyState.USER32(00000011), ref: 00C706B5
              • GetKeyState.USER32(00000011), ref: 00C706C3
              • GetAsyncKeyState.USER32(00000012), ref: 00C706EC
              • GetKeyState.USER32(00000012), ref: 00C706FA
              • GetAsyncKeyState.USER32(0000005B), ref: 00C70723
              • GetKeyState.USER32(0000005B), ref: 00C70731
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?,00000001), ref: 00C6C746
              • GetWindowRect.USER32(00000000,?), ref: 00C6C758
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C6C7B6
              • GetDlgItem.USER32(?,00000002), ref: 00C6C7C1
              • GetWindowRect.USER32(00000000,?), ref: 00C6C7D3
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C6C827
              • GetDlgItem.USER32(?,000003E9), ref: 00C6C835
              • GetWindowRect.USER32(00000000,?), ref: 00C6C846
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C6C889
              • GetDlgItem.USER32(?,000003EA), ref: 00C6C897
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C6C8B4
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00C6C8C1
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C12036,?,00000000,?,?,?,?,00C116CB,00000000,?), ref: 00C11B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C120D3
              • KillTimer.USER32(-00000001,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C1216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 00C4BEF6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BF27
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BF3E
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BF5A
              • DeleteObject.GDI32(00000000), ref: 00C4BF6C
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC
              • GetSysColor.USER32(0000000F), ref: 00C121D3
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?,00C9F910), ref: 00C7AB76
              • GetDriveTypeW.KERNEL32(00000061,00CCA620,00000061), ref: 00C7AC40
              • _wcscpy.LIBCMT ref: 00C7AC6A
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C973D9
              • CreateMenu.USER32 ref: 00C973F4
              • SetMenu.USER32(?,00000000), ref: 00C97403
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C97490
              • IsMenu.USER32(?), ref: 00C974A6
              • CreatePopupMenu.USER32 ref: 00C974B0
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C974DD
              • DrawMenuBar.USER32 ref: 00C974E5
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C977CD
              • CreateCompatibleDC.GDI32(00000000), ref: 00C977D4
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C977E7
              • SelectObject.GDI32(00000000,00000000), ref: 00C977EF
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C977FA
              • DeleteDC.GDI32(00000000), ref: 00C97803
              • GetWindowLongW.USER32(?,000000EC), ref: 00C9780D
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C97821
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C9782D
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C3707B
                • Part of subcall function 00C38D68: __getptd_noexit.LIBCMT ref: 00C38D68
              • __gmtime64_s.LIBCMT ref: 00C37114
              • __gmtime64_s.LIBCMT ref: 00C3714A
              • __gmtime64_s.LIBCMT ref: 00C37167
              • __allrem.LIBCMT ref: 00C371BD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C371D9
              • __allrem.LIBCMT ref: 00C371F0
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C3720E
              • __allrem.LIBCMT ref: 00C37225
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C37243
              • __invoke_watson.LIBCMT ref: 00C372B4
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C72A31
              • GetMenuItemInfoW.USER32(00CD6890,000000FF,00000000,00000030), ref: 00C72A92
              • SetMenuItemInfoW.USER32(00CD6890,00000004,00000000,00000030), ref: 00C72AC8
              • Sleep.KERNEL32(000001F4), ref: 00C72ADA
              • GetMenuItemCount.USER32(?), ref: 00C72B1E
              • GetMenuItemID.USER32(?,00000000), ref: 00C72B3A
              • GetMenuItemID.USER32(?,-00000001), ref: 00C72B64
              • GetMenuItemID.USER32(?,?), ref: 00C72BA9
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C72BEF
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C72C03
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C72C24
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C97214
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C97217
              • GetWindowLongW.USER32(?,000000F0), ref: 00C9723B
              • _memset.LIBCMT ref: 00C9724C
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C9725E
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C972D6
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C67135
              • SafeArrayAllocData.OLEAUT32(?), ref: 00C6718E
              • VariantInit.OLEAUT32(?), ref: 00C671A0
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C671C0
              • VariantCopy.OLEAUT32(?,?), ref: 00C67213
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C67227
              • VariantClear.OLEAUT32(?), ref: 00C6723C
              • SafeArrayDestroyData.OLEAUT32(?), ref: 00C67249
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C67252
              • VariantClear.OLEAUT32(?), ref: 00C67264
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C6726F
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 00C85AA6
              • inet_addr.WSOCK32(?,?,?), ref: 00C85AEB
              • gethostbyname.WSOCK32(?), ref: 00C85AF7
              • IcmpCreateFile.IPHLPAPI ref: 00C85B05
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C85B75
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C85B8B
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C85C00
              • WSACleanup.WSOCK32 ref: 00C85C06
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00C7B73B
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C7B7B1
              • GetLastError.KERNEL32 ref: 00C7B7BB
              • SetErrorMode.KERNEL32(00000000,READY), ref: 00C7B828
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 12f4b700a50a3886f16f87f5c0463154a4b2d3abf082bcd2f61d652a9a174ae4
              • Instruction ID: a4e46cdc79953f4f04e0cb3f8d6df3de8daef03f14c8bec5417565871d8f92b4
              • Opcode Fuzzy Hash: 12f4b700a50a3886f16f87f5c0463154a4b2d3abf082bcd2f61d652a9a174ae4
              • Instruction Fuzzy Hash: BD318035A002099FDB14EF64C889BBE77B8EF45704F10806AF51AD7291DB719E42D751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C6B0E7
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C694F6
              • GetDlgCtrlID.USER32 ref: 00C69501
              • GetParent.USER32 ref: 00C6951D
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C69520
              • GetDlgCtrlID.USER32(?), ref: 00C69529
              • GetParent.USER32(?), ref: 00C69545
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C69548
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 09f16260cdd515a8ea0becd6d5482538c246f4aed44d6a9265a0630edc78c758
              • Instruction ID: 1ee60fb1d0bf86a7c1618ad821565e826da811241e8cd8986109d1118c344ff0
              • Opcode Fuzzy Hash: 09f16260cdd515a8ea0becd6d5482538c246f4aed44d6a9265a0630edc78c758
              • Instruction Fuzzy Hash: 7621C770900208BBCF159BA4CCC9EFEBB79EF45300F10426AF562972E1DB75595AEB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C6B0E7
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C695DF
              • GetDlgCtrlID.USER32 ref: 00C695EA
              • GetParent.USER32 ref: 00C69606
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C69609
              • GetDlgCtrlID.USER32(?), ref: 00C69612
              • GetParent.USER32(?), ref: 00C6962E
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C69631
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 510ea7a33653a49ab9b29aaf9d307372c2343e6d2515f70529ca792d9cdfb473
              • Instruction ID: ababc3bc17c4253f2778916574b45cd74064cf747ec1eb5417225906e2a5af8c
              • Opcode Fuzzy Hash: 510ea7a33653a49ab9b29aaf9d307372c2343e6d2515f70529ca792d9cdfb473
              • Instruction Fuzzy Hash: DB21C875A00208BBDF11AB60CCC9FFEBB79EF45300F10015AF522971A1DB75995AEB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32 ref: 00C69651
              • GetClassNameW.USER32(00000000,?,00000100), ref: 00C69666
              • _wcscmp.LIBCMT ref: 00C69678
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C696F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: 806be9d780461a5cddd80e1582cb8ee9349f46cd1e84552afd63dde78b665d20
              • Instruction ID: 212c317e78eca10dc47a4b4a502324a017b81a55cc52a11af39c505ae92b5ba2
              • Opcode Fuzzy Hash: 806be9d780461a5cddd80e1582cb8ee9349f46cd1e84552afd63dde78b665d20
              • Instruction Fuzzy Hash: 5B110C76248347BAFA212621DC4FFAA779CDB05770F20017BF910E50E1FEB1AA515A58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 00C88BEC
              • CoInitialize.OLE32(00000000), ref: 00C88C19
              • CoUninitialize.OLE32 ref: 00C88C23
              • GetRunningObjectTable.OLE32(00000000,?), ref: 00C88D23
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C88E50
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CA2C0C), ref: 00C88E84
              • CoGetObject.OLE32(?,00000000,00CA2C0C,?), ref: 00C88EA7
              • SetErrorMode.KERNEL32(00000000), ref: 00C88EBA
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C88F3A
              • VariantClear.OLEAUT32(?), ref: 00C88F4A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID:
              • API String ID: 2395222682-0
              • Opcode ID: c99ec10b71f154d112d34adfe7ec709cb396a9ca7175b0b8dacf0f35d4013cae
              • Instruction ID: 34ded4457802687b719974d8716b94d3969c9cb6abf63d6e6e06c8fe88ced0af
              • Opcode Fuzzy Hash: c99ec10b71f154d112d34adfe7ec709cb396a9ca7175b0b8dacf0f35d4013cae
              • Instruction Fuzzy Hash: 04C12271208305AFD700EF64C884A2BB7E9FF89748F00496DF58A9B251DB31ED4ACB56
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __swprintf.LIBCMT ref: 00C7419D
              • __swprintf.LIBCMT ref: 00C741AA
                • Part of subcall function 00C338D8: __woutput_l.LIBCMT ref: 00C33931
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00C741D4
              • LoadResource.KERNEL32(?,00000000), ref: 00C741E0
              • LockResource.KERNEL32(00000000), ref: 00C741ED
              • FindResourceW.KERNEL32(?,?,00000003), ref: 00C7420D
              • LoadResource.KERNEL32(?,00000000), ref: 00C7421F
              • SizeofResource.KERNEL32(?,00000000), ref: 00C7422E
              • LockResource.KERNEL32(?), ref: 00C7423A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C7429B
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: 0562c553d9f4185319ae2e307c7776c14adcda1376522b82f81e317d0932e285
              • Instruction ID: 5281d82d7113c8551c035b16e0dc8d2b37532a389b2092d06965d0a28de78139
              • Opcode Fuzzy Hash: 0562c553d9f4185319ae2e307c7776c14adcda1376522b82f81e317d0932e285
              • Instruction Fuzzy Hash: 6531927160521AABDB199F61EC48FBF7BACEF04301F00852AF919D2151E770DA628BA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00C71700
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C70778,?,00000001), ref: 00C71714
              • GetWindowThreadProcessId.USER32(00000000), ref: 00C7171B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70778,?,00000001), ref: 00C7172A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7173C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70778,?,00000001), ref: 00C71755
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70778,?,00000001), ref: 00C71767
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C70778,?,00000001), ref: 00C717AC
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C70778,?,00000001), ref: 00C717C1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C70778,?,00000001), ref: 00C717CC
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: d72b13255776d47dc42fba6664e7baad45fb5b4758ba8b79ac9f0ab4aec29b41
              • Instruction ID: 9f69d79f602664050f5b8e0c5e5d0bdb05bef3b0ad2385d52c12056498856f25
              • Opcode Fuzzy Hash: d72b13255776d47dc42fba6664e7baad45fb5b4758ba8b79ac9f0ab4aec29b41
              • Instruction Fuzzy Hash: A531BF75601304BBEB259F68DC8CB6D3BADEB15711F15812AFC18D62A0E7B09E408B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C1FC06
              • OleUninitialize.OLE32(?,00000000), ref: 00C1FCA5
              • UnregisterHotKey.USER32(?), ref: 00C1FDFC
              • DestroyWindow.USER32(?), ref: 00C54A00
              • FreeLibrary.KERNEL32(?), ref: 00C54A65
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C54A92
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: 6e81201f8617b39a7921b77787145fc41a1b3bd713c83da4ee7387953d2a8f4e
              • Instruction ID: 9907a0adb6e32abd82e8e85f9b695d24cffcaa3313b3ce2a13b73c82d4aae640
              • Opcode Fuzzy Hash: 6e81201f8617b39a7921b77787145fc41a1b3bd713c83da4ee7387953d2a8f4e
              • Instruction Fuzzy Hash: 3AA18F35701212CFCB29EF14C4A5BA9F364AF05705F1442ADE81AAB251CB30AD97EF98
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnumChildWindows.USER32(?,00C6AA64), ref: 00C6A9A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: b6ad39696783bb9995acd402c9249641a9cb27a3f3b922f231562d0d9a29f6a5
              • Instruction ID: cbeacf23bd62599e99bbfb0d91f10cac3584bf7e659899d489702d34dfb89594
              • Opcode Fuzzy Hash: b6ad39696783bb9995acd402c9249641a9cb27a3f3b922f231562d0d9a29f6a5
              • Instruction Fuzzy Hash: D6916571600646EBDB28DF60C4D1BE9FBB5FF04304F608119E49AB7191DB306A99EF91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00C12EAE
                • Part of subcall function 00C11DB3: GetClientRect.USER32(?,?), ref: 00C11DDC
                • Part of subcall function 00C11DB3: GetWindowRect.USER32(?,?), ref: 00C11E1D
                • Part of subcall function 00C11DB3: ScreenToClient.USER32(?,?), ref: 00C11E45
              • GetDC.USER32 ref: 00C4CF82
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C4CF95
              • SelectObject.GDI32(00000000,00000000), ref: 00C4CFA3
              • SelectObject.GDI32(00000000,00000000), ref: 00C4CFB8
              • ReleaseDC.USER32(?,00000000), ref: 00C4CFC0
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C4D04B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: 0b1774af1c616d20d36bd4d56a4580ca05fc74ac8b04923000ef1dde622a9773
              • Instruction ID: d8436712f714cc6d2ab4484248d0075f9da99ca7ccc2138c456d210e6dc3ad60
              • Opcode Fuzzy Hash: 0b1774af1c616d20d36bd4d56a4580ca05fc74ac8b04923000ef1dde622a9773
              • Instruction Fuzzy Hash: AA71D230501205DFCF21DFA4C884AEA3BB6FF49311F14426AED669B1A5C7358D96EB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                • Part of subcall function 00C12344: GetCursorPos.USER32(?), ref: 00C12357
                • Part of subcall function 00C12344: ScreenToClient.USER32(00CD67B0,?), ref: 00C12374
                • Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000001), ref: 00C12399
                • Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000002), ref: 00C123A7
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00C9C2E4
              • ImageList_EndDrag.COMCTL32 ref: 00C9C2EA
              • ReleaseCapture.USER32 ref: 00C9C2F0
              • SetWindowTextW.USER32(?,00000000), ref: 00C9C39A
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C9C3AD
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00C9C48F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID
              • API String ID: 1924731296-2107944366
              • Opcode ID: 9be56bde65873c7df453fcdd04fca657ded607904f4ded2ca260150f571ce44a
              • Instruction ID: 64fe05fd25847cbc32b25ecc96443b2979c56da46546cac7eac5fc65d69b60ad
              • Opcode Fuzzy Hash: 9be56bde65873c7df453fcdd04fca657ded607904f4ded2ca260150f571ce44a
              • Instruction Fuzzy Hash: C9515C70204304AFDB14EF24CC99FAE7BE5EB89310F00452EF5558B2E1DB71A959EB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C9F910), ref: 00C8903D
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C9F910), ref: 00C89071
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C891EB
              • SysFreeString.OLEAUT32(?), ref: 00C89215
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: 13dfdf095ef9adad4a4dfe149090b33535b0c6dad2f749be646ec2ee3787f925
              • Instruction ID: f4ffe5a8466bcef2aad48aec3541b31e54740715c857aa32176ea17280b64663
              • Opcode Fuzzy Hash: 13dfdf095ef9adad4a4dfe149090b33535b0c6dad2f749be646ec2ee3787f925
              • Instruction Fuzzy Hash: 10F12A71A00109EFDB14EF94C888EBEB7B9FF49318F148059F516AB261CB31AE45DB54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C8F9C9
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C8FB5C
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C8FB80
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C8FBC0
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C8FBE2
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C8FD5E
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C8FD90
              • CloseHandle.KERNEL32(?), ref: 00C8FDBF
              • CloseHandle.KERNEL32(?), ref: 00C8FE36
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: 283300c28452c5e0d1368e841ded0d2d978aaf6234308732426688e03cc52507
              • Instruction ID: 1d028286e0ca0f718bdad2fd8bd9773a785e3e31a89abd1a4a9d51f3e3acdec0
              • Opcode Fuzzy Hash: 283300c28452c5e0d1368e841ded0d2d978aaf6234308732426688e03cc52507
              • Instruction Fuzzy Hash: A1E1A0312043119FCB24EF24C491B6EBBE1EF85314F14856DF89A8B2A2DB31DD46EB56
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C738D3,?), ref: 00C748C7
                • Part of subcall function 00C748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C738D3,?), ref: 00C748E0
                • Part of subcall function 00C74CD3: GetFileAttributesW.KERNEL32(?,00C73947), ref: 00C74CD4
              • lstrcmpiW.KERNEL32(?,?), ref: 00C74FE2
              • _wcscmp.LIBCMT ref: 00C74FFC
              • MoveFileW.KERNEL32(?,?), ref: 00C75017
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: 32b4883eafb4863b8028b11ee4949f3c15367ac7904ccf947b8831e74bc8c3aa
              • Instruction ID: 0a79e4f7657b5cb117ed3686bd6e9e4baa358fc88a87fd8b6521c10a0c0c74be
              • Opcode Fuzzy Hash: 32b4883eafb4863b8028b11ee4949f3c15367ac7904ccf947b8831e74bc8c3aa
              • Instruction Fuzzy Hash: F85196B25087859BC724EBA0CC819DFB3ECAF85341F00492EF199D7191EF74A289D766
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C9896E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: ca705952b007392234f93314ab1c33b5989993cdde558c7fc2acbf2168b627d1
              • Instruction ID: 7674562aff7816241a4687f9d2d4d9125e33bc383944828f2e6d9030c5ab23fe
              • Opcode Fuzzy Hash: ca705952b007392234f93314ab1c33b5989993cdde558c7fc2acbf2168b627d1
              • Instruction Fuzzy Hash: D251A130600208BBDF209F29CC8DBAD7B65AB06360F604116F525E71E1DF75AA98EB95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C4C547
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C4C569
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C4C581
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C4C59F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C4C5C0
              • DestroyIcon.USER32(00000000), ref: 00C4C5CF
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C4C5EC
              • DestroyIcon.USER32(?), ref: 00C4C5FB
                • Part of subcall function 00C9A71E: DeleteObject.GDI32(00000000), ref: 00C9A757
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2819616528-0
              • Opcode ID: fdea3f0b263a745e1101e006626e759b225db3357f0661493593022474cc994f
              • Instruction ID: ef1af987d6cbfa9d6c207b910fbee8029b307fcc962b168d7412c97508dd59ea
              • Opcode Fuzzy Hash: fdea3f0b263a745e1101e006626e759b225db3357f0661493593022474cc994f
              • Instruction Fuzzy Hash: 61513678A01209AFDB24DF25CC85FAE77B5EB59310F104529F912972A0DB70EAA1EB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C68A84,00000B00,?,?), ref: 00C68E0C
              • HeapAlloc.KERNEL32(00000000,?,00C68A84,00000B00,?,?), ref: 00C68E13
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C68A84,00000B00,?,?), ref: 00C68E28
              • GetCurrentProcess.KERNEL32(?,00000000,?,00C68A84,00000B00,?,?), ref: 00C68E30
              • DuplicateHandle.KERNEL32(00000000,?,00C68A84,00000B00,?,?), ref: 00C68E33
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C68A84,00000B00,?,?), ref: 00C68E43
              • GetCurrentProcess.KERNEL32(00C68A84,00000000,?,00C68A84,00000B00,?,?), ref: 00C68E4B
              • DuplicateHandle.KERNEL32(00000000,?,00C68A84,00000B00,?,?), ref: 00C68E4E
              • CreateThread.KERNEL32(00000000,00000000,00C68E74,00000000,00000000,00000000), ref: 00C68E68
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: 09f7c5a269c210e38c94ab43fd591c7905fffe5edb143501e98133af13b604a8
              • Instruction ID: df98d646d53226e325b31510071b63a2475a13dcb2e18025be7c2a2d178d4804
              • Opcode Fuzzy Hash: 09f7c5a269c210e38c94ab43fd591c7905fffe5edb143501e98133af13b604a8
              • Instruction Fuzzy Hash: 7401BBB5240308FFEB10ABA5DC4DF6F3BACEB89711F104426FA05DB1A1CA719801CB64
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-625585964
              • Opcode ID: de71ad74fe07de66abcd3eba54e0dc614912ccbc5a6852a6369aa9ca564fffd5
              • Instruction ID: a2939ea911aeb287f9588756da7708ef9e9f3004a4e52e55c1a58a3d93851eb8
              • Opcode Fuzzy Hash: de71ad74fe07de66abcd3eba54e0dc614912ccbc5a6852a6369aa9ca564fffd5
              • Instruction Fuzzy Hash: B291C271A00219AFDF24EFA5C848FAEB7B8EF85318F148119F515AB280D7709A45CFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C67652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?,?,?,00C6799D), ref: 00C6766F
                • Part of subcall function 00C67652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?,?), ref: 00C6768A
                • Part of subcall function 00C67652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?,?), ref: 00C67698
                • Part of subcall function 00C67652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?), ref: 00C676A8
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C89B1B
              • _memset.LIBCMT ref: 00C89B28
              • _memset.LIBCMT ref: 00C89C6B
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C89C97
              • CoTaskMemFree.OLE32(?), ref: 00C89CA2
              Strings
              • NULL Pointer assignment, xrefs: 00C89CF0
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: d472684775d185166e9508982b8e253a715d6f514f9dbf52497051eac4a00a8e
              • Instruction ID: 9a85e185c7c9729f7c635ce18f058d65e37b96a3d876f0303bbfef6d64ba4b6c
              • Opcode Fuzzy Hash: d472684775d185166e9508982b8e253a715d6f514f9dbf52497051eac4a00a8e
              • Instruction Fuzzy Hash: 91914971D00229EBDF10EFA5DC84AEEBBB9EF09714F20415AF419A7281DB315A45DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C97093
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00C970A7
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C970C1
              • _wcscat.LIBCMT ref: 00C9711C
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C97133
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C97161
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: 0c34ba411a89f43b40f0b043d365b39d5c9a2d2a787e3327fb1ffa4d6658d67f
              • Instruction ID: d96af98346b0d3999030f4e8b32f58d969a8e1e9f4299dfbf01f7316c459471b
              • Opcode Fuzzy Hash: 0c34ba411a89f43b40f0b043d365b39d5c9a2d2a787e3327fb1ffa4d6658d67f
              • Instruction Fuzzy Hash: 8041A571A14308AFDF219FA4CC89BEE77B8EF08350F10056AF554E7191D7719E859B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C73E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00C73EB6
                • Part of subcall function 00C73E91: Process32FirstW.KERNEL32(00000000,?), ref: 00C73EC4
                • Part of subcall function 00C73E91: CloseHandle.KERNEL32(00000000), ref: 00C73F8E
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C8ECB8
              • GetLastError.KERNEL32 ref: 00C8ECCB
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C8ECFA
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C8ED77
              • GetLastError.KERNEL32(00000000), ref: 00C8ED82
              • CloseHandle.KERNEL32(00000000), ref: 00C8EDB7
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: febd83abb034fa7066c828ee33bcf248eac0acb8d3ff4490d54139b53765988f
              • Instruction ID: e5e27fdbfd1fb69d9f548d7d72bd1d011b604fd2a761b436bb121331aacdcaaa
              • Opcode Fuzzy Hash: febd83abb034fa7066c828ee33bcf248eac0acb8d3ff4490d54139b53765988f
              • Instruction Fuzzy Hash: 5E41DF702002009FDB24EF24CC95F6EB7A5EF81714F08801EF8469B2D2DB74AD09EB96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 00C732C5
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 301bf7c989ce28d6c03e25c0b9b6382adcc3eb04674c31cb7b0cc0fd64410cca
              • Instruction ID: 0deec185ce6b92ef5b00b196e149fc4de7821544e81d85080b068eeb1d11e731
              • Opcode Fuzzy Hash: 301bf7c989ce28d6c03e25c0b9b6382adcc3eb04674c31cb7b0cc0fd64410cca
              • Instruction Fuzzy Hash: CB113A312483DABBE7015B55DC47EAEB39CDF19374F20402EF918AA1C3E6715F4066A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C7454E
              • LoadStringW.USER32(00000000), ref: 00C74555
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C7456B
              • LoadStringW.USER32(00000000), ref: 00C74572
              • _wprintf.LIBCMT ref: 00C74598
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C745B6
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 00C74593
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 243bfd26b689006d44da15c3ffbf9a5f70355213f92c4684858ec0f285e0e52b
              • Instruction ID: c63d4fa3867b2bbc66dfcb5424df0ec84da66b09e306865ecab2a635f6e9f84c
              • Opcode Fuzzy Hash: 243bfd26b689006d44da15c3ffbf9a5f70355213f92c4684858ec0f285e0e52b
              • Instruction Fuzzy Hash: CB0144F2500208BFE750A791DD8DFFA776CD708301F0005AAB749D2051E6745E858B70
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • GetSystemMetrics.USER32(0000000F), ref: 00C9D78A
              • GetSystemMetrics.USER32(0000000F), ref: 00C9D7AA
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C9D9E5
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C9DA03
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C9DA24
              • ShowWindow.USER32(00000003,00000000), ref: 00C9DA43
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00C9DA68
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00C9DA8B
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID:
              • API String ID: 1211466189-0
              • Opcode ID: 763e133d080d09ed768b98a348ad9b861151fd662d77e4d32cdfaae53c21b439
              • Instruction ID: 0716505efb2f637e9cece0a3a76925717095b52a1d32caa23091b4eade372784
              • Opcode Fuzzy Hash: 763e133d080d09ed768b98a348ad9b861151fd662d77e4d32cdfaae53c21b439
              • Instruction Fuzzy Hash: F3B1AA71600215EBDF14CF69C9C97BD7BB1FF04701F09806AEC5AAB295DB34AA60DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C4C417,00000004,00000000,00000000,00000000), ref: 00C12ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C4C417,00000004,00000000,00000000,00000000,000000FF), ref: 00C12B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C4C417,00000004,00000000,00000000,00000000), ref: 00C4C46A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C4C417,00000004,00000000,00000000,00000000), ref: 00C4C4D6
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 45f18ee4c08d341fb4b9397d2ae3d124acd292ddcf0de16f6391f2316e63dbae
              • Instruction ID: 59bc557fd712eb651c7adb8f365f0ff08532f4b8992e4376c1785db2ab047af5
              • Opcode Fuzzy Hash: 45f18ee4c08d341fb4b9397d2ae3d124acd292ddcf0de16f6391f2316e63dbae
              • Instruction Fuzzy Hash: FD412B392087809BC7398B298DDC7FA7B92BF47300F14841EE06786570D63599E2F720
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C7737F
                • Part of subcall function 00C30FF6: std::exception::exception.LIBCMT ref: 00C3102C
                • Part of subcall function 00C30FF6: __CxxThrowException@8.LIBCMT ref: 00C31041
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C773B6
              • EnterCriticalSection.KERNEL32(?), ref: 00C773D2
              • _memmove.LIBCMT ref: 00C77420
              • _memmove.LIBCMT ref: 00C7743D
              • LeaveCriticalSection.KERNEL32(?), ref: 00C7744C
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C77461
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C77480
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: 0bb96ee8c5311bdd3b214671a6065d360240925d91f6b4e67bb8d2b35e400d4c
              • Instruction ID: 656f2aebd9d7d9ab6ca94f1336602425632a75b9fddf501e3aa53cbf97c9979c
              • Opcode Fuzzy Hash: 0bb96ee8c5311bdd3b214671a6065d360240925d91f6b4e67bb8d2b35e400d4c
              • Instruction Fuzzy Hash: 21317031904205EBCF10DFA4DD89BAE7B78EF44710F2441AAF904EB256DB309A11DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DeleteObject.GDI32(00000000), ref: 00C9645A
              • GetDC.USER32(00000000), ref: 00C96462
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C9646D
              • ReleaseDC.USER32(00000000,00000000), ref: 00C96479
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C964B5
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C964C6
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C99299,?,?,000000FF,00000000,?,000000FF,?), ref: 00C96500
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C96520
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: 034300a3da86978e37aebc2641ea373c0c18ab87246466aad38d907ea67501d9
              • Instruction ID: d5cf8467ef73ae8dbe6a4b570322feafcf279b00fcc72551d74e1e4940ec32c1
              • Opcode Fuzzy Hash: 034300a3da86978e37aebc2641ea373c0c18ab87246466aad38d907ea67501d9
              • Instruction Fuzzy Hash: FD318B72200214BFEF108F50CC8AFEA3FA9EF09761F04006AFE08DA295C6759D52CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: f7fd7ad3733e216fb03678cc781207a217c81ce7e3a7c5cfb74be0e772270765
              • Instruction ID: b96a3826ffaeb3d5310bb1bbfaad7fb7abcd8fad02fd579aa2683105ca8b241d
              • Opcode Fuzzy Hash: f7fd7ad3733e216fb03678cc781207a217c81ce7e3a7c5cfb74be0e772270765
              • Instruction Fuzzy Hash: 41218071A40216BBA634B5259DC7FBF23ACEF223A8F084020FD4696283E751DE1192A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
                • Part of subcall function 00C2FEC6: _wcscpy.LIBCMT ref: 00C2FEE9
              • _wcstok.LIBCMT ref: 00C7EEFF
              • _wcscpy.LIBCMT ref: 00C7EF8E
              • _memset.LIBCMT ref: 00C7EFC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: e6931869fe823b2a8a827783367e587ca7f3aa935d691aa4b1d4a4e824ab83d3
              • Instruction ID: 032e2c7c5296104c176700f7885ea5ddb01bb389ed6d3267d742c113750dac5b
              • Opcode Fuzzy Hash: e6931869fe823b2a8a827783367e587ca7f3aa935d691aa4b1d4a4e824ab83d3
              • Instruction Fuzzy Hash: 63C14E716083409FC724EF64C895A9EB7E4FF85310F04896DF899972A2DB30ED45EB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C86F14
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C86F35
              • WSAGetLastError.WSOCK32(00000000), ref: 00C86F48
              • htons.WSOCK32(?,?,?,00000000,?), ref: 00C86FFE
              • inet_ntoa.WSOCK32(?), ref: 00C86FBB
                • Part of subcall function 00C6AE14: _strlen.LIBCMT ref: 00C6AE1E
                • Part of subcall function 00C6AE14: _memmove.LIBCMT ref: 00C6AE40
              • _strlen.LIBCMT ref: 00C87058
              • _memmove.LIBCMT ref: 00C870C1
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: e6c43a65a90cbb5b0fb76dd29b90bc349d14e3dfa0599615266f30553e579d21
              • Instruction ID: 4474218b10e5d16f0dc2b31d5017faa48b26c9a47d64591de2e8d634fc9f65c6
              • Opcode Fuzzy Hash: e6c43a65a90cbb5b0fb76dd29b90bc349d14e3dfa0599615266f30553e579d21
              • Instruction Fuzzy Hash: C981F031508300ABC710EB24CC95FAFB7A9EF85718F104A1DF5569B2A2DB70DE45E792
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 285213ac97d425c351e7c5f620085cc383060f889930178138adb8d57f60f9db
              • Instruction ID: f0cda4b4a10d3942ddb32385ae9bd8ddf404cd935ef572eefcc40ef59be8ae2d
              • Opcode Fuzzy Hash: 285213ac97d425c351e7c5f620085cc383060f889930178138adb8d57f60f9db
              • Instruction Fuzzy Hash: 6D716030900109EFDB04DF59CC49AFEBB79FF86310F188159FA25AA251C734AA51EFA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindow.USER32(016653F0), ref: 00C9B6A5
              • IsWindowEnabled.USER32(016653F0), ref: 00C9B6B1
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C9B795
              • SendMessageW.USER32(016653F0,000000B0,?,?), ref: 00C9B7CC
              • IsDlgButtonChecked.USER32(?,?), ref: 00C9B809
              • GetWindowLongW.USER32(016653F0,000000EC), ref: 00C9B82B
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C9B843
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID:
              • API String ID: 4072528602-0
              • Opcode ID: 12d686199eaad40151bf54b0712d579a5402671a5773759673c04ab054f63c5f
              • Instruction ID: 95666abe94e8e44caa6f2cf67bff096542037101f9a3869c41e8237900483ce6
              • Opcode Fuzzy Hash: 12d686199eaad40151bf54b0712d579a5402671a5773759673c04ab054f63c5f
              • Instruction Fuzzy Hash: 4371AE74600204BFDF249FA4DAD8FBA7BB9FB49300F14016AF965972A1C731AE51DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C8F75C
              • _memset.LIBCMT ref: 00C8F825
              • ShellExecuteExW.SHELL32(?), ref: 00C8F86A
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
                • Part of subcall function 00C2FEC6: _wcscpy.LIBCMT ref: 00C2FEE9
              • GetProcessId.KERNEL32(00000000), ref: 00C8F8E1
              • CloseHandle.KERNEL32(00000000), ref: 00C8F910
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: cb65dc6f71b7b0d9046ed954928515928e9a82af8eb618a33cbb719df3d69b91
              • Instruction ID: bad9bc95bf3080ab1c9f9eb27a3c73bebfea00c742006b9ae538f2f4c6a04371
              • Opcode Fuzzy Hash: cb65dc6f71b7b0d9046ed954928515928e9a82af8eb618a33cbb719df3d69b91
              • Instruction Fuzzy Hash: 7D61A075A00619DFCB14EF54C490AADBBF1FF49314F14806DE85AAB391CB30AE82DB94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 00C7149C
              • GetKeyboardState.USER32(?), ref: 00C714B1
              • SetKeyboardState.USER32(?), ref: 00C71512
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C71540
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C7155F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C715A5
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C715C8
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: b6235255fa92c67c1f65daeb39d4568c949b64a83fb0b10cd1a31e93afd81d5c
              • Instruction ID: d756cc61e93868f6418d061ba5f448624a900bfdbc88c3dfb6d2f26cf802958f
              • Opcode Fuzzy Hash: b6235255fa92c67c1f65daeb39d4568c949b64a83fb0b10cd1a31e93afd81d5c
              • Instruction Fuzzy Hash: 7751E3A06147D53EFB3A463D8C45BBA7FE96B46304F0CC489F9E9598C2C298DE84D750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(00000000), ref: 00C712B5
              • GetKeyboardState.USER32(?), ref: 00C712CA
              • SetKeyboardState.USER32(?), ref: 00C7132B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C71357
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C71374
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C713B8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C713D9
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: dff2e2c084fd735757367873e8dd13371759cbe69381bd28e6c43b6a8c5b9b96
              • Instruction ID: b10c0b3c4347276c13132e55e89decfab66fe065c718d38953dca31bc9d5b99c
              • Opcode Fuzzy Hash: dff2e2c084fd735757367873e8dd13371759cbe69381bd28e6c43b6a8c5b9b96
              • Instruction Fuzzy Hash: 6351F4A05047D53DFB3687298C45B7ABFA96B06300F0CC589E9EC9A8D2D394EE94E750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              • Opcode ID: 64239d8da05b6aaa927286c3541f86c0bb447c36abe3ab3ecd3aadf66b0ad0f4
              • Instruction ID: 29ea80be908269e375ca4d7e1a3f46fcdcc1b2d3028505c3addc554067054f48
              • Opcode Fuzzy Hash: 64239d8da05b6aaa927286c3541f86c0bb447c36abe3ab3ecd3aadf66b0ad0f4
              • Instruction Fuzzy Hash: 7C418175C30628B6CB11FBB488869CFB3B89F05310F508966F618E3221E634E755D7E9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C738D3,?), ref: 00C748C7
                • Part of subcall function 00C748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C738D3,?), ref: 00C748E0
              • lstrcmpiW.KERNEL32(?,?), ref: 00C738F3
              • _wcscmp.LIBCMT ref: 00C7390F
              • MoveFileW.KERNEL32(?,?), ref: 00C73927
              • _wcscat.LIBCMT ref: 00C7396F
              • SHFileOperationW.SHELL32(?), ref: 00C739DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              • Opcode ID: 57740039d6dd81aa349d1b38808e8de6fe031b2fb82dd4c5335c8579f53b99dc
              • Instruction ID: ad1cc7441accbe95be46e15001e49dd6246fd6808d1ef427cabdb092d4d16a8b
              • Opcode Fuzzy Hash: 57740039d6dd81aa349d1b38808e8de6fe031b2fb82dd4c5335c8579f53b99dc
              • Instruction Fuzzy Hash: 8141C3721083849EC751EF60C445ADFB7ECAF88340F04492EB599C7151EB74D388D752
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C97519
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C975C0
              • IsMenu.USER32(?), ref: 00C975D8
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C97620
              • DrawMenuBar.USER32 ref: 00C97633
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              • Opcode ID: efd804762fc799fa4b249457ab57001df4f46d28902969257dbae0f3df68dde1
              • Instruction ID: 50be244ddb67cfe7be8a9c4036b59f9273ac03a8e2560ae6a4bee9a79703de33
              • Opcode Fuzzy Hash: efd804762fc799fa4b249457ab57001df4f46d28902969257dbae0f3df68dde1
              • Instruction Fuzzy Hash: 80413975A16608EFDF10DF54D888E9ABBF8FB08310F04822AF92597690D730AE50DF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C9125C
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C91286
              • FreeLibrary.KERNEL32(00000000), ref: 00C9133D
                • Part of subcall function 00C9122D: RegCloseKey.ADVAPI32(?), ref: 00C912A3
                • Part of subcall function 00C9122D: FreeLibrary.KERNEL32(?), ref: 00C912F5
                • Part of subcall function 00C9122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C91318
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C912E0
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              • Opcode ID: ad8f5cf715ffabf937cac5cc10a73eafa2819e57ffcc4c69bd63a944bc20aa04
              • Instruction ID: 25a48ab0074c9ab0c9026afb48bb98001b70b8dc076112a3e2d55f4c36ca84d0
              • Opcode Fuzzy Hash: ad8f5cf715ffabf937cac5cc10a73eafa2819e57ffcc4c69bd63a944bc20aa04
              • Instruction Fuzzy Hash: 56310D71A0111ABFDF159B90DC8AAFEB7BCEF08300F04016AE912E2151DA749F459AA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C9655B
              • GetWindowLongW.USER32(016653F0,000000F0), ref: 00C9658E
              • GetWindowLongW.USER32(016653F0,000000F0), ref: 00C965C3
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C965F5
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C9661F
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00C96630
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C9664A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: 589216c3bf65a103991cd6c3eb9ca6b09b38046940ad1f50b15d01f28bcd3b7b
              • Instruction ID: 15b055ae7b590a1f435800b3b22cf6b107f4c7d897498f2197367e18c3fc251b
              • Opcode Fuzzy Hash: 589216c3bf65a103991cd6c3eb9ca6b09b38046940ad1f50b15d01f28bcd3b7b
              • Instruction Fuzzy Hash: 8D31EF30604254AFDF218F28DC89F593BE1BB4A750F1A01A9F521CB2F6CB71E940EB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C880CB
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C864D9
              • WSAGetLastError.WSOCK32(00000000), ref: 00C864E8
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C86521
              • connect.WSOCK32(00000000,?,00000010), ref: 00C8652A
              • WSAGetLastError.WSOCK32 ref: 00C86534
              • closesocket.WSOCK32(00000000), ref: 00C8655D
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C86576
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              • Opcode ID: b47ac06faeb65c44a4ff3796690fdd561b555778a9e57ab1fa3f6927075ae0a3
              • Instruction ID: e60b29cbe0390b9540bb09a4ebd946c53fb5662d9830beddc73115d39b147275
              • Opcode Fuzzy Hash: b47ac06faeb65c44a4ff3796690fdd561b555778a9e57ab1fa3f6927075ae0a3
              • Instruction Fuzzy Hash: 8331D331600118AFDB10AF64CC89BBE7BA9EF45318F044029F905D7291DB74AD45DBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6E0FA
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6E120
              • SysAllocString.OLEAUT32(00000000), ref: 00C6E123
              • SysAllocString.OLEAUT32 ref: 00C6E144
              • SysFreeString.OLEAUT32 ref: 00C6E14D
              • StringFromGUID2.OLE32(?,?,00000028), ref: 00C6E167
              • SysAllocString.OLEAUT32(?), ref: 00C6E175
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 7ee469a19eec93a88c5267094512ec47aec056a9f025b69bc62d52bd33a07682
              • Instruction ID: 37f6a12458426fbbd8f3230d6d48a67b26b6b3317d48df26ac3124d79c8a039f
              • Opcode Fuzzy Hash: 7ee469a19eec93a88c5267094512ec47aec056a9f025b69bc62d52bd33a07682
              • Instruction Fuzzy Hash: 74215675604108AFDB209FA9DCC8EAF77ECEB0A760B108136F915CB261DA70DD41DB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
                • Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
                • Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C978A1
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C978AE
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C978B9
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C978C8
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C978D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: 8b9ec10481fb0347ff37930f457dad22254919b626842fabbb9a264dc6bcc9d9
              • Instruction ID: a9aed587f60c3fdb085ab777c5999c924a24e3a0ca5e8aeb4111668a07bdaa5f
              • Opcode Fuzzy Hash: 8b9ec10481fb0347ff37930f457dad22254919b626842fabbb9a264dc6bcc9d9
              • Instruction Fuzzy Hash: 7B1160B2550219BFEF159F64CC89EEB7F6DEF08758F014215FA14A6090C772AC21DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C34292,?), ref: 00C341E3
              • GetProcAddress.KERNEL32(00000000), ref: 00C341EA
              • EncodePointer.KERNEL32(00000000), ref: 00C341F6
              • DecodePointer.KERNEL32(00000001,00C34292,?), ref: 00C34213
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 3489934621-340411864
              • Opcode ID: ec6a98c6247410733b8d5fc868da4f6b434d983e862417f81275b23ff2243346
              • Instruction ID: 789784763818f587eae396fc3ff588ef61455017360a042b265aca0395acf71f
              • Opcode Fuzzy Hash: ec6a98c6247410733b8d5fc868da4f6b434d983e862417f81275b23ff2243346
              • Instruction Fuzzy Hash: 77E01AB0A91301AFEF245BB4EC0DB0C3BA4B721B06F50443AB621E50B0DBB55092CF00
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C341B8), ref: 00C342B8
              • GetProcAddress.KERNEL32(00000000), ref: 00C342BF
              • EncodePointer.KERNEL32(00000000), ref: 00C342CA
              • DecodePointer.KERNEL32(00C341B8), ref: 00C342E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 3489934621-2819208100
              • Opcode ID: a2798e4d76cc17a960007c43f2edee9ad9f4ebdaaac68994efee79817554a877
              • Instruction ID: 7923a93c80a37b3cdf034f69f9a52526e4c1d1340298043609af5b4d6dc49cf8
              • Opcode Fuzzy Hash: a2798e4d76cc17a960007c43f2edee9ad9f4ebdaaac68994efee79817554a877
              • Instruction Fuzzy Hash: 31E0B678992312ABEB189B64EC0DF0D3BA4B725B46F10403AF211F10B0CBB59581CA14
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              • API String ID: 3253778849-0
              • Opcode ID: be9e9659bc49a34433a661a089660e21b8c8e2966a4e4c95ee9d5e5479616cb9
              • Instruction ID: c1ab7688c97abf78ec91b5d4aa9a2a1af3157087e2a91aeac5034e88c2e1b76d
              • Opcode Fuzzy Hash: be9e9659bc49a34433a661a089660e21b8c8e2966a4e4c95ee9d5e5479616cb9
              • Instruction Fuzzy Hash: 9861CD3050465A9BCF15EF20CC92EFE37A4EF45308F088559F95A5B292DB30AD81EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C90038,?,?), ref: 00C910BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C90548
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C90588
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C905AB
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C905D4
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C90617
              • RegCloseKey.ADVAPI32(00000000), ref: 00C90624
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              • API String ID: 4046560759-0
              • Opcode ID: ceaf0eeabe53c78b825612b2e48ada2c55b85193e955f44168d8b74be4a9d414
              • Instruction ID: 5ce74bf71e32232d700d9d40346f120f9b990241cea00a1343552f6a4e9cf313
              • Opcode Fuzzy Hash: ceaf0eeabe53c78b825612b2e48ada2c55b85193e955f44168d8b74be4a9d414
              • Instruction Fuzzy Hash: 02516C31208240AFCB14EF54C889EAFBBE9FF85714F14491DF895871A1DB31EA45EB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetMenu.USER32(?), ref: 00C95A82
              • GetMenuItemCount.USER32(00000000), ref: 00C95AB9
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C95AE1
              • GetMenuItemID.USER32(?,?), ref: 00C95B50
              • GetSubMenu.USER32(?,?), ref: 00C95B5E
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00C95BAF
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: 20bbe35d5a2c65d890db4e59b9cf06f2271b516cd8a47284752d8d2ef2961f26
              • Instruction ID: 797b2f6b477ca8cc9f6e00d290f9d38813bae8e843d2e99eefd00c85a7abf6fc
              • Opcode Fuzzy Hash: 20bbe35d5a2c65d890db4e59b9cf06f2271b516cd8a47284752d8d2ef2961f26
              • Instruction Fuzzy Hash: D9518035A00615EFCF12EFA4C859AAEB7B5EF48310F1044AAF915B7351CB70AE41EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 00C6F3F7
              • VariantClear.OLEAUT32(00000013), ref: 00C6F469
              • VariantClear.OLEAUT32(00000000), ref: 00C6F4C4
              • _memmove.LIBCMT ref: 00C6F4EE
              • VariantClear.OLEAUT32(?), ref: 00C6F53B
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C6F569
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              • Opcode ID: a5fcbfa9e9e4e3abc04c980679bcef9ada4ad94b275a817b568843ab07c9ff09
              • Instruction ID: e0cfa2509f494092827bc40315d1013d139535f012e98eee74ef58be5b8fb57d
              • Opcode Fuzzy Hash: a5fcbfa9e9e4e3abc04c980679bcef9ada4ad94b275a817b568843ab07c9ff09
              • Instruction Fuzzy Hash: 03514CB5A00209DFDB24CF58D884AAAB7B8FF4C354B15856EE959DB310D730E952CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C72747
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C72792
              • IsMenu.USER32(00000000), ref: 00C727B2
              • CreatePopupMenu.USER32 ref: 00C727E6
              • GetMenuItemCount.USER32(000000FF), ref: 00C72844
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C72875
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: 531fffce25f8e70fe6c9637330b248ba01726a7ffcea0987a54ef1008293d227
              • Instruction ID: 0c3595495e4ef141cd63b4487b032b7b6729a528e5aedd7555da62509f4f7659
              • Opcode Fuzzy Hash: 531fffce25f8e70fe6c9637330b248ba01726a7ffcea0987a54ef1008293d227
              • Instruction Fuzzy Hash: C251A071A00305DFDF24CF69D888BADBBF4EF44314F108269E4699B2D1D7728A45CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C1179A
              • GetWindowRect.USER32(?,?), ref: 00C117FE
              • ScreenToClient.USER32(?,?), ref: 00C1181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C1182C
              • EndPaint.USER32(?,?), ref: 00C11876
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              • Opcode ID: 6743028cbaabea5a893ab1e32ed5c5895c74b676c493649debb4859dadc81c85
              • Instruction ID: afc357ab56b38f65dfa6bf1867fa4ffac08c9119e4aefe2ad370539017e308f0
              • Opcode Fuzzy Hash: 6743028cbaabea5a893ab1e32ed5c5895c74b676c493649debb4859dadc81c85
              • Instruction Fuzzy Hash: 524190701043019FD710DF25CC88BBA7BE8FB4A724F184629FAA4862E1C7349986EB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ShowWindow.USER32(00CD67B0,00000000,016653F0,?,?,00CD67B0,?,00C9B862,?,?), ref: 00C9B9CC
              • EnableWindow.USER32(00000000,00000000), ref: 00C9B9F0
              • ShowWindow.USER32(00CD67B0,00000000,016653F0,?,?,00CD67B0,?,00C9B862,?,?), ref: 00C9BA50
              • ShowWindow.USER32(00000000,00000004,?,00C9B862,?,?), ref: 00C9BA62
              • EnableWindow.USER32(00000000,00000001), ref: 00C9BA86
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C9BAA9
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: 1a67f6db947a06d8143b3e8d7f8fedc9bec728b3f8c48433788458fe5cf24a5e
              • Instruction ID: 89c3afc25b434a725727ee035ebcadbeba0384bbe850bc6a8735273ac4feb51f
              • Opcode Fuzzy Hash: 1a67f6db947a06d8143b3e8d7f8fedc9bec728b3f8c48433788458fe5cf24a5e
              • Instruction Fuzzy Hash: A0414F30600241BFDF22CF54D58DB997BF0BB05310F1941A9EA588F2A2CB31AD56DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,00C85134,?,?,00000000,00000001), ref: 00C873BF
                • Part of subcall function 00C83C94: GetWindowRect.USER32(?,?), ref: 00C83CA7
              • GetDesktopWindow.USER32 ref: 00C873E9
              • GetWindowRect.USER32(00000000), ref: 00C873F0
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C87422
                • Part of subcall function 00C754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C7555E
              • GetCursorPos.USER32(?), ref: 00C8744E
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C874AC
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: 7ae4fc8736e6cd539c1b48d3e3c8085ab10159aaf185d5a45bba03784debe81a
              • Instruction ID: 6ddf6057439fa03426d820326b1aaeb70f541be604ab495232377c512d8acc5c
              • Opcode Fuzzy Hash: 7ae4fc8736e6cd539c1b48d3e3c8085ab10159aaf185d5a45bba03784debe81a
              • Instruction Fuzzy Hash: FD31F272508305ABC720EF14D849F9FBBA9FF88304F104A1AF498D7191D670EA49CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C68608
                • Part of subcall function 00C685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C68612
                • Part of subcall function 00C685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C68621
                • Part of subcall function 00C685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C68628
                • Part of subcall function 00C685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C6863E
              • GetLengthSid.ADVAPI32(?,00000000,00C68977), ref: 00C68DAC
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C68DB8
              • HeapAlloc.KERNEL32(00000000), ref: 00C68DBF
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C68DD8
              • GetProcessHeap.KERNEL32(00000000,00000000,00C68977), ref: 00C68DEC
              • HeapFree.KERNEL32(00000000), ref: 00C68DF3
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              • Opcode ID: 2e6b380ffc14d520dec1561912ef4b58744702c566d1c4001ed88127389795de
              • Instruction ID: 023fb42d3b0dd1c4a67e55d39f73fa075e7ac9bf3bb11f1e8dadd5f22eaa9ca1
              • Opcode Fuzzy Hash: 2e6b380ffc14d520dec1561912ef4b58744702c566d1c4001ed88127389795de
              • Instruction Fuzzy Hash: 6E11BE71500606FFDB209FA4CC8DBAE7BA9EF55315F10422EE855D7250DB329A0ADBB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C68B2A
              • OpenProcessToken.ADVAPI32(00000000), ref: 00C68B31
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C68B40
              • CloseHandle.KERNEL32(00000004), ref: 00C68B4B
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C68B7A
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C68B8E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 34150b4bb1248cdc472e057d7d0428870e47a9a2e63255bb1c527ac176389de3
              • Instruction ID: 3f40437b08ac1e52eba9eff513c5bebc23e3b05316c391b00a80a2ccb54e9a88
              • Opcode Fuzzy Hash: 34150b4bb1248cdc472e057d7d0428870e47a9a2e63255bb1c527ac176389de3
              • Instruction Fuzzy Hash: 3B115CB2500209ABDF118FA4DD89FDE7BA9EF48304F044169FE04A2160C7758E659B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C1134D
                • Part of subcall function 00C112F3: SelectObject.GDI32(?,00000000), ref: 00C1135C
                • Part of subcall function 00C112F3: BeginPath.GDI32(?), ref: 00C11373
                • Part of subcall function 00C112F3: SelectObject.GDI32(?,00000000), ref: 00C1139C
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00C9C1C4
              • LineTo.GDI32(00000000,00000003,?), ref: 00C9C1D8
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C9C1E6
              • LineTo.GDI32(00000000,00000000,?), ref: 00C9C1F6
              • EndPath.GDI32(00000000), ref: 00C9C206
              • StrokePath.GDI32(00000000), ref: 00C9C216
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: c5b6a5ac27958f6408bb77deb27a50925355682965f38e5fb1bc98b76751ddee
              • Instruction ID: 1cdbf29b64fea2a043246dabd40f21c0fd9a30ab57376c9a0e4b2d91ac6bd36d
              • Opcode Fuzzy Hash: c5b6a5ac27958f6408bb77deb27a50925355682965f38e5fb1bc98b76751ddee
              • Instruction Fuzzy Hash: 7711097640010DBFEF119F90DC88FAE7FADEB08354F048026BA188A1A1C7719E55EBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C303D3
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C303DB
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C303E6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C303F1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C303F9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C30401
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: fc17ef7a635e52380f69e357eda00edf8ed1988be418d017a0495cfcdae8468b
              • Instruction ID: 89d85e25152b73394363d44d3913847edf830fd37ea548ee8650d962df9a37a7
              • Opcode Fuzzy Hash: fc17ef7a635e52380f69e357eda00edf8ed1988be418d017a0495cfcdae8468b
              • Instruction Fuzzy Hash: 4E0148B09017597DE3008F5A8C85B56FEB8FF19354F00415BA15887941C7B5A864CBE5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C7569B
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C756B1
              • GetWindowThreadProcessId.USER32(?,?), ref: 00C756C0
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C756CF
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C756D9
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C756E0
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 5b8e187c6d8b451168b08a68e8ccd8a05bfc7de24e3534fe67ecb9501031700e
              • Instruction ID: a911e2f96171d70341b00f60980c9e72e0ef90d810f8c455603cb2c1e01ab3a7
              • Opcode Fuzzy Hash: 5b8e187c6d8b451168b08a68e8ccd8a05bfc7de24e3534fe67ecb9501031700e
              • Instruction Fuzzy Hash: DEF03032241258BBE7215BA2DC0DFEF7B7CEFC6B11F00016EFA04D1060D7A15A0286B5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00C774E5
              • EnterCriticalSection.KERNEL32(?,?,00C21044,?,?), ref: 00C774F6
              • TerminateThread.KERNEL32(00000000,000001F6,?,00C21044,?,?), ref: 00C77503
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C21044,?,?), ref: 00C77510
                • Part of subcall function 00C76ED7: CloseHandle.KERNEL32(00000000,?,00C7751D,?,00C21044,?,?), ref: 00C76EE1
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C77523
              • LeaveCriticalSection.KERNEL32(?,?,00C21044,?,?), ref: 00C7752A
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 7ab1756b1b52eea2269aecd997291079406a0dc3a16f2606f8cc46b53d750e62
              • Instruction ID: 4f733204d983cab4d5cc1bce95cd648a4955d036304f9e065ea6cdab1b3f4709
              • Opcode Fuzzy Hash: 7ab1756b1b52eea2269aecd997291079406a0dc3a16f2606f8cc46b53d750e62
              • Instruction Fuzzy Hash: E4F05E3A140A12EBDB111B64FC8CBEF772AEF45702B10063BF202D14B1CB756912CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C68E7F
              • UnloadUserProfile.USERENV(?,?), ref: 00C68E8B
              • CloseHandle.KERNEL32(?), ref: 00C68E94
              • CloseHandle.KERNEL32(?), ref: 00C68E9C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00C68EA5
              • HeapFree.KERNEL32(00000000), ref: 00C68EAC
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 1e95c315ee17b5e7dbd14053c5972e87d6e313eaf45be1d1be4b60e74b6592be
              • Instruction ID: c2ae64abe0ab52dfd0149d9321a0959099f70773d5231b3415b0c11393dad4a1
              • Opcode Fuzzy Hash: 1e95c315ee17b5e7dbd14053c5972e87d6e313eaf45be1d1be4b60e74b6592be
              • Instruction Fuzzy Hash: 01E05276104505FBDA021FF5EC0CB5EBB69FB89762B60863AF219C1470CB369462DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 00C88928
              • CharUpperBuffW.USER32(?,?), ref: 00C88A37
              • VariantClear.OLEAUT32(?), ref: 00C88BAF
                • Part of subcall function 00C77804: VariantInit.OLEAUT32(00000000), ref: 00C77844
                • Part of subcall function 00C77804: VariantCopy.OLEAUT32(00000000,?), ref: 00C7784D
                • Part of subcall function 00C77804: VariantClear.OLEAUT32(00000000), ref: 00C77859
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: 779cc6161c4ba73491f3bebe84cbe06f8cd7e068055daee60897eacb02dcaec2
              • Instruction ID: f5b59259092d903e23b8341857675959589e5e477da11d8756381546d5f91fba
              • Opcode Fuzzy Hash: 779cc6161c4ba73491f3bebe84cbe06f8cd7e068055daee60897eacb02dcaec2
              • Instruction Fuzzy Hash: AE917F716083019FC710EF24C48596ABBE4EFC9718F14496EF89A8B361DB31E94ADB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C2FEC6: _wcscpy.LIBCMT ref: 00C2FEE9
              • _memset.LIBCMT ref: 00C73077
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C730A6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C73159
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C73187
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: 434df7882ce0a43d9a1da583732afbf545a5efe9fa96a533c327935e7cd5a661
              • Instruction ID: fce5193d947f905b78b888940db46a9d9532449e5d7f4348475d4fcbfc872b40
              • Opcode Fuzzy Hash: 434df7882ce0a43d9a1da583732afbf545a5efe9fa96a533c327935e7cd5a661
              • Instruction Fuzzy Hash: 6751AF716083809FD7259F28C845A6FBBE4EF45360F448A2EF8A9D31A1DB70CB44E752
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C6DAC5
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C6DAFB
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C6DB0C
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C6DB8E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              • Opcode ID: 866a95ba65c6eb938f5ec0fb65b7e7b8dc0f2265c74bac589a313401b415ab60
              • Instruction ID: beb18c1cf3cb896f7df21d650b4e5851acb8d43888c75baaffa4325ca4e55e3d
              • Opcode Fuzzy Hash: 866a95ba65c6eb938f5ec0fb65b7e7b8dc0f2265c74bac589a313401b415ab60
              • Instruction Fuzzy Hash: 74415671A00204DFDB25CF55D8C8B9A7BA9EF85350F1540AEAD06DF209D7B1DA44DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C72CAF
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C72CCB
              • DeleteMenu.USER32(?,00000007,00000000), ref: 00C72D11
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CD6890,00000000), ref: 00C72D5A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: b4886ae3501a577992a5e6173739bcd49a52a64aefb30cf3e387906e15ae284e
              • Instruction ID: 86372459375f0ef17ea832635b7538b3e86ab549b693a2736be8c7447a379578
              • Opcode Fuzzy Hash: b4886ae3501a577992a5e6173739bcd49a52a64aefb30cf3e387906e15ae284e
              • Instruction Fuzzy Hash: FC4180312043019FD724DF25C845B5ABBE8FF95320F14865EF97997291D770E905CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C8DAD9
                • Part of subcall function 00C179AB: _memmove.LIBCMT ref: 00C179F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              • Opcode ID: e122462a70081726ac8947e251a53d45c11e7ee4109acea05cd2f40ea0f9b724
              • Instruction ID: 19ef1d8d8d2c64a990ae87e32e7115d22cfd547b49873a2ee12157221d85b060
              • Opcode Fuzzy Hash: e122462a70081726ac8947e251a53d45c11e7ee4109acea05cd2f40ea0f9b724
              • Instruction Fuzzy Hash: FD317071500619AFCF10EF94C8919FEB3B5FF05314F108629E876A76D1DB31AA46EB84
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C6B0E7
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C693F6
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C69409
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C69439
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              • Opcode ID: 770e098071f6a8c89abeb854c042a2e20c94f742fa0c89da10ecf8a72a9d4105
              • Instruction ID: a33a2ec64de5aea12da51980b115802d369f0ac83626d986bd5cc6ab6520ce41
              • Opcode Fuzzy Hash: 770e098071f6a8c89abeb854c042a2e20c94f742fa0c89da10ecf8a72a9d4105
              • Instruction Fuzzy Hash: 6721E471900108BADB24ABB0DCC9DFFB77CDF46350B104229F925972E0DF354A4AA610
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
                • Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
                • Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C966D0
              • LoadLibraryW.KERNEL32(?), ref: 00C966D7
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C966EC
              • DestroyWindow.USER32(?), ref: 00C966F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
               • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: 8f04509c9ed54f58659f2948fb822d276e349dba8eca7a021c027749a05f4f66
              • Instruction ID: 53367f90b607a0c94df1db03d72032493b1b6e2dfe7cbbae5bb229aab443826f
              • Opcode Fuzzy Hash: 8f04509c9ed54f58659f2948fb822d276e349dba8eca7a021c027749a05f4f66
              • Instruction Fuzzy Hash: CA219D71210206EBEF104FA4EC88FBB77ADEB59368F10462AF961D21E0D771CD51A760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 00C7705E
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C77091
              • GetStdHandle.KERNEL32(0000000C), ref: 00C770A3
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C770DD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 8523db3c67f8fc3e92721586a4a8d19bcaf8b6c20703fa71465fe053b00fb7e2
              • Instruction ID: b1c68ef2650406eec852f493ba87ce8c937fe5f53a5aaa8969ad9e9792bffa6b
              • Opcode Fuzzy Hash: 8523db3c67f8fc3e92721586a4a8d19bcaf8b6c20703fa71465fe053b00fb7e2
              • Instruction Fuzzy Hash: 18214F74604209ABDF209F79DC09B9E7BA8BF44720F20872AF8B5D72D0D77199518B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00C7712B
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C7715D
              • GetStdHandle.KERNEL32(000000F6), ref: 00C7716E
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C771A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: ab739fdeb5ed63f6f03e2030b77bd7ddf461b6c0aaa29b92b41b73602d92226f
              • Instruction ID: 5569086fa4c201bcdaa1fe1058f647a30c8113b8b6a6728c80711008c605e2dd
              • Opcode Fuzzy Hash: ab739fdeb5ed63f6f03e2030b77bd7ddf461b6c0aaa29b92b41b73602d92226f
              • Instruction Fuzzy Hash: 7621A1755042099BDF209F699C08BAEB7A8AF55720F60871AFCB9D32D0D7709951CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00C7AEBF
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C7AF13
              • __swprintf.LIBCMT ref: 00C7AF2C
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00C9F910), ref: 00C7AF6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: bfe31d88cd62cccc7854f10cc2eab88b4fe1a38c6e57223483b44a767d45f6fa
              • Instruction ID: 136285f74f1e12541c33f83e557d27a6439c5264f51352129f2ea28ffcdc995f
              • Opcode Fuzzy Hash: bfe31d88cd62cccc7854f10cc2eab88b4fe1a38c6e57223483b44a767d45f6fa
              • Instruction Fuzzy Hash: 2D216831600109AFCB10DF55CD85EEE77B8EF89704B1040A9F909DB251DB31EE41EB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
                • Part of subcall function 00C6A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C6A399
                • Part of subcall function 00C6A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C6A3AC
                • Part of subcall function 00C6A37C: GetCurrentThreadId.KERNEL32 ref: 00C6A3B3
                • Part of subcall function 00C6A37C: AttachThreadInput.USER32(00000000), ref: 00C6A3BA
              • GetFocus.USER32 ref: 00C6A554
                • Part of subcall function 00C6A3C5: GetParent.USER32(?), ref: 00C6A3D3
              • GetClassNameW.USER32(?,?,00000100), ref: 00C6A59D
              • EnumChildWindows.USER32(?,00C6A615), ref: 00C6A5C5
              • __swprintf.LIBCMT ref: 00C6A5DF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
              • String ID: %s%d
              • API String ID: 1941087503-1110647743
              • Opcode ID: 669f57d2489b36ba3517cfff025909a1b7d0796112c3fe5dda1520f2618fa28d
              • Instruction ID: 39e555b3b8a157ebac8adb8a7de3eaac56d150eeb45c65088b05a14de14597b7
              • Opcode Fuzzy Hash: 669f57d2489b36ba3517cfff025909a1b7d0796112c3fe5dda1520f2618fa28d
              • Instruction Fuzzy Hash: 4611B471200208BBDF217FA4DCC9FEE7778AF49700F044079F908AA192CA709946AF75
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00C72048
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              • Opcode ID: 5e1b9a419f3c24dd0baef86c5bb637362aff15b242bc87d56249f21e365373ff
              • Instruction ID: fcc841753e8548013a26d5e7d3acb4a1ff4fbade0e40588e469facbbe5947a13
              • Opcode Fuzzy Hash: 5e1b9a419f3c24dd0baef86c5bb637362aff15b242bc87d56249f21e365373ff
              • Instruction Fuzzy Hash: 98115E75910109DFCF00EFA4D8519EEB7B4FF15304F108469D855A7251DB325A06EB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C8EF1B
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C8EF4B
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C8F07E
              • CloseHandle.KERNEL32(?), ref: 00C8F0FF
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              • Opcode ID: c7febd6ba1f844fe7d5a8991e3ab3090c58bd5a33ea5ccd8302df017de6bdd96
              • Instruction ID: 851a83e001690fe649ec1adbefe7b4b8067f491474de862f3d4f2061cac15ea8
              • Opcode Fuzzy Hash: c7febd6ba1f844fe7d5a8991e3ab3090c58bd5a33ea5ccd8302df017de6bdd96
              • Instruction Fuzzy Hash: CE81A1716043009FD720EF28C896B6EB7E5EF89710F10881DF599DB392DB70AD45AB86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C90038,?,?), ref: 00C910BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C90388
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C903C7
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C9040E
              • RegCloseKey.ADVAPI32(?,?), ref: 00C9043A
              • RegCloseKey.ADVAPI32(00000000), ref: 00C90447
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: 291de515714ec042fdf8bab63995196b423fd8659b8aa0441c74a148d2643777
              • Instruction ID: b709e0503a5a828aa515ea4b6e1f4a940498872f62ac30057dfdb87fc7bd48f9
              • Opcode Fuzzy Hash: 291de515714ec042fdf8bab63995196b423fd8659b8aa0441c74a148d2643777
              • Instruction Fuzzy Hash: DE515D31208205AFDB14EF54C885FAEB7E8FF84704F14892DF596872A1DB30E945EB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C8DC3B
              • GetProcAddress.KERNEL32(00000000,?), ref: 00C8DCBE
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C8DCDA
              • GetProcAddress.KERNEL32(00000000,?), ref: 00C8DD1B
              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C8DD35
                • Part of subcall function 00C15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77B20,?,?,00000000), ref: 00C15B8C
                • Part of subcall function 00C15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77B20,?,?,00000000,?,?), ref: 00C15BB0
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              • Opcode ID: 2d3c373aaf8fe98ee30ffcfa3f052ae85b85fd7e012f76de11449815ccc1bbe7
              • Instruction ID: db73b26bbd89dbd2699dcfba7b0ca010830a78696576df1ea64f5b970fdee39d
              • Opcode Fuzzy Hash: 2d3c373aaf8fe98ee30ffcfa3f052ae85b85fd7e012f76de11449815ccc1bbe7
              • Instruction Fuzzy Hash: A8512A75A00205DFCB00EF68C4949ADB7F5FF59314B14806AE81AAB361DB30EE85EF91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C7E88A
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C7E8B3
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C7E8F2
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C7E917
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C7E91F
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: 90523cbcccbd9511e758aa3571ec3eadfccc67ac326fbad08b399d5128020f5d
              • Instruction ID: 8a7fab0d7e3eddf535b217dfe13a6d59c0d7badb30d0d89b38f397e8f6964176
              • Opcode Fuzzy Hash: 90523cbcccbd9511e758aa3571ec3eadfccc67ac326fbad08b399d5128020f5d
              • Instruction Fuzzy Hash: 5B512B35A00205DFCF05EF64C995AAEBBF5EF09314F1480A9E849AB362CB31ED51EB51
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b950666e6e512a656ee36c44681303328a21e2c637b0d9faea8c975d605c6d19
              • Instruction ID: 203bd1f08eab9707a22a2425522805209820cc835f2c0d93fbbcb4ba0ed8726c
              • Opcode Fuzzy Hash: b950666e6e512a656ee36c44681303328a21e2c637b0d9faea8c975d605c6d19
              • Instruction Fuzzy Hash: 91419E35900214AFDB20DF28CC4CBA9BBA8FB09320F154166F966A72E1D770EE51DA91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?), ref: 00C12357
              • ScreenToClient.USER32(00CD67B0,?), ref: 00C12374
              • GetAsyncKeyState.USER32(00000001), ref: 00C12399
              • GetAsyncKeyState.USER32(00000002), ref: 00C123A7
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 797c436a10022b4272b53051d673f95e6794e64fdd45b5748f36419d5e84fce7
              • Instruction ID: 492af3d7981364c69b506864c22f60eb9690d087d50f63683c862721a6b75572
              • Opcode Fuzzy Hash: 797c436a10022b4272b53051d673f95e6794e64fdd45b5748f36419d5e84fce7
              • Instruction Fuzzy Hash: E8417139504119FBDF159F65C888BEDBB74FB06360F50431AF834922B0C7745AA0EBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C6695D
              • TranslateAcceleratorW.USER32(?,?,?), ref: 00C669A9
              • TranslateMessage.USER32(?), ref: 00C669D2
              • DispatchMessageW.USER32(?), ref: 00C669DC
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C669EB
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: 6c69af728992796dbf99ee47069418fdca3400d42324fed7e21ba6f32c1a5e2a
              • Instruction ID: f9a7ce1367b7cb351309a7941e69d0707ad812fd801542846d6eac4b0ae2e1e0
              • Opcode Fuzzy Hash: 6c69af728992796dbf99ee47069418fdca3400d42324fed7e21ba6f32c1a5e2a
              • Instruction Fuzzy Hash: 9B318571501246AADB30CFB5DCC8BBABBBCAB01304F14416AE831D31A1D7759996EB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(?,?), ref: 00C68F12
              • PostMessageW.USER32(?,00000201,00000001), ref: 00C68FBC
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C68FC4
              • PostMessageW.USER32(?,00000202,00000000), ref: 00C68FD2
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C68FDA
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: 21e3d80b0ed633579305c3803e4618abc39beff68ed22bd423a20fc71e1ec1f0
              • Instruction ID: 370d8aeda294a320db99e53dc4d30b15c1e4f9cb35e098a671234cd17de82136
              • Opcode Fuzzy Hash: 21e3d80b0ed633579305c3803e4618abc39beff68ed22bd423a20fc71e1ec1f0
              • Instruction Fuzzy Hash: 6A31C071500219EFDF24CFA8D98CB9E7BB6EB04315F104229F925E61D0C7B09A58DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindowVisible.USER32(?), ref: 00C6B6C7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C6B6E4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C6B71C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C6B742
              • _wcsstr.LIBCMT ref: 00C6B74C
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              • Opcode ID: a69b16ec0be9a0656deb99b3f7f64fa109b883405fe60836b22ecc9bb481b192
              • Instruction ID: dcf9e8141a60d88a15bce45b9acafa0773b6bbd23591c39d9a0ca07497dbb79f
              • Opcode Fuzzy Hash: a69b16ec0be9a0656deb99b3f7f64fa109b883405fe60836b22ecc9bb481b192
              • Instruction Fuzzy Hash: 1521D732204244BBEB255B79DC89F7F7BA8DF49710F10407EFD05CA1A1EB61DD8196A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • GetWindowLongW.USER32(?,000000F0), ref: 00C9B44C
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C9B471
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C9B489
              • GetSystemMetrics.USER32(00000004), ref: 00C9B4B2
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C81184,00000000), ref: 00C9B4D0
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: 494149dec0be98be7ad791224423e23b2b8243e146638f5be5d80507db223bb7
              • Instruction ID: a33cd7cb6a21f58e1e530cce74dd5dd6866f24b7be58f3fbc14cfe75c9b0840d
              • Opcode Fuzzy Hash: 494149dec0be98be7ad791224423e23b2b8243e146638f5be5d80507db223bb7
              • Instruction Fuzzy Hash: 07218D71A10255BFCF108F39AD0CB6A3BA4EB05720B11472AF936C61E1E7309D21EB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C69802
                • Part of subcall function 00C17D2C: _memmove.LIBCMT ref: 00C17D66
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C69834
              • __itow.LIBCMT ref: 00C6984C
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C69874
              • __itow.LIBCMT ref: 00C69885
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              • Opcode ID: 4f4bbaed5f106a9d92eeaa178368864743b0c0a5beffcbc01fb46db9839eb2f2
              • Instruction ID: d709fcdd411c4e101caebd76f7dd7b491754e073a1e8b84ebede324970d1b436
              • Opcode Fuzzy Hash: 4f4bbaed5f106a9d92eeaa178368864743b0c0a5beffcbc01fb46db9839eb2f2
              • Instruction Fuzzy Hash: 08218331B00308ABDB20AA659CCAEEE7BBDEF4E710F044069F905DB291D6708E45E791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C1134D
              • SelectObject.GDI32(?,00000000), ref: 00C1135C
              • BeginPath.GDI32(?), ref: 00C11373
              • SelectObject.GDI32(?,00000000), ref: 00C1139C
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: 5abaa9b617b356bfa2ffd9926c6f5c867ff6bec0a244a7cfd26e9d17bf0b7d90
              • Instruction ID: 3ff63e1d81a4597ce26845a89c1e30d28a815dcb42d99c30ca6436a0422171f7
              • Opcode Fuzzy Hash: 5abaa9b617b356bfa2ffd9926c6f5c867ff6bec0a244a7cfd26e9d17bf0b7d90
              • Instruction Fuzzy Hash: CC213C70801208EBDB119F65EC087AD7BB8FB01321F58822BF920965F4D77599A1EB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: edfcb93fc08144f19a339cf2658fba9657108a22ba46ebc60649dc6050b4564e
              • Instruction ID: 09287616b70bfcea0456c21786756c80a1927236848a54eb8fb9c631b0b115e1
              • Opcode Fuzzy Hash: edfcb93fc08144f19a339cf2658fba9657108a22ba46ebc60649dc6050b4564e
              • Instruction Fuzzy Hash: 8F01B5B26051167BE224B6255CC2FBF73ACDB633A8F084021FD5596283E650EF1192E0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00C74D5C
              • __beginthreadex.LIBCMT ref: 00C74D7A
              • MessageBoxW.USER32(?,?,?,?), ref: 00C74D8F
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C74DA5
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C74DAC
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: 077a2ec5289ee041e9e8411ac191f38bbef4394ac237b008ada528ee592619c9
              • Instruction ID: 58fecf5705097137bbec45fe464571c3390614f3d4c007d5f13ace2984e88bf4
              • Opcode Fuzzy Hash: 077a2ec5289ee041e9e8411ac191f38bbef4394ac237b008ada528ee592619c9
              • Instruction Fuzzy Hash: 591104B2904249BFC7159BBCDC08BEE7FACEB45320F14826AF928D3261D7758D4087A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C68766
              • GetLastError.KERNEL32(?,00C6822A,?,?,?), ref: 00C68770
              • GetProcessHeap.KERNEL32(00000008,?,?,00C6822A,?,?,?), ref: 00C6877F
              • HeapAlloc.KERNEL32(00000000,?,00C6822A,?,?,?), ref: 00C68786
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C6879D
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 8498e78f9f32adec0ed47ea1ec31ef105ec70f8fb00c58025578416de64fa54d
              • Instruction ID: f686597092dcdba8da028cbd2ae4650ef0988ecabb441f30bc23bce530ec6d2c
              • Opcode Fuzzy Hash: 8498e78f9f32adec0ed47ea1ec31ef105ec70f8fb00c58025578416de64fa54d
              • Instruction Fuzzy Hash: 91014B71200204FFDB204FA6DC8CE6F7BACFF89755B20052AF849D2260DA318D05CA60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C75502
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C75510
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C75518
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C75522
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C7555E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: 053a33c4617a2b44083257d3e06dbc828c8128c7a4ff1c67b6148ba9571c6c9d
              • Instruction ID: 81adaaeeddf785f713a10ffba6a0bdda801c94b5423f5342af0eb70fa7091cf5
              • Opcode Fuzzy Hash: 053a33c4617a2b44083257d3e06dbc828c8128c7a4ff1c67b6148ba9571c6c9d
              • Instruction Fuzzy Hash: D8013532C00A29DBCF00EBE9E888BEDBB79FB09B01F00415AE915F2150DBB0965187A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?,?,?,00C6799D), ref: 00C6766F
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?,?), ref: 00C6768A
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?,?), ref: 00C67698
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?), ref: 00C676A8
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C6758C,80070057,?,?), ref: 00C676B4
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 2c07e8a28f99e4185450ea9df65b890afd6fad49cab60c9088524003a91be8c8
              • Instruction ID: 9d7db366173b22e4ee3e3da58f0974d8a15b0c42bfc2510f786a349f0e05d9d1
              • Opcode Fuzzy Hash: 2c07e8a28f99e4185450ea9df65b890afd6fad49cab60c9088524003a91be8c8
              • Instruction Fuzzy Hash: E101D472600604BBDB204F18DC8CBAE7BACEB45B55F100629FD05D2221E7B1DE5187A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C68608
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C68612
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C68621
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C68628
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C6863E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 460b8e35d204f4e8c5a9c1c25a9091005a851e77f1d0ac1a57ff2e057eedfb9c
              • Instruction ID: 0c85c07b5ceaa85ca492784e3dbabf96c48cf99cbb3b0793c7b5abff61b20f3c
              • Opcode Fuzzy Hash: 460b8e35d204f4e8c5a9c1c25a9091005a851e77f1d0ac1a57ff2e057eedfb9c
              • Instruction Fuzzy Hash: 53F04F31241204AFEB200FA5DCCDF6F3BACEF89754B10462AF945C6160CB61DD46DA60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C68669
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C68673
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68682
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68689
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C6869F
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 90997b93dc7b677b2a4826c3658e94bbfa817c10e0029c8e294a37144d156664
              • Instruction ID: b4f7db61b9710c2aed03f44300c323828ed1b4bb08b86d01d83c1cbb0c96b935
              • Opcode Fuzzy Hash: 90997b93dc7b677b2a4826c3658e94bbfa817c10e0029c8e294a37144d156664
              • Instruction Fuzzy Hash: 77F04F71240204AFEB211FA5ECCDF6F3BACEF89758B10012AF955C6160CA65D946DA60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 00C6C6BA
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C6C6D1
              • MessageBeep.USER32(00000000), ref: 00C6C6E9
              • KillTimer.USER32(?,0000040A), ref: 00C6C705
              • EndDialog.USER32(?,00000001), ref: 00C6C71F
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: dde1ce8dae27b1ef4d599dbdbdcfb1012d6268e11a27a9de874137e97f873f8c
              • Instruction ID: a5f2094b0dadb1d8520b5564f1b8e89a1bba6af57aa4b0454535d256fa3e439f
              • Opcode Fuzzy Hash: dde1ce8dae27b1ef4d599dbdbdcfb1012d6268e11a27a9de874137e97f873f8c
              • Instruction Fuzzy Hash: 35014F70504704ABEB315B60EDCEBAA77B8BB00705F04066EB592E14E1DBE4AA558A80
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EndPath.GDI32(?), ref: 00C113BF
              • StrokeAndFillPath.GDI32(?,?,00C4BAD8,00000000,?), ref: 00C113DB
              • SelectObject.GDI32(?,00000000), ref: 00C113EE
              • DeleteObject.GDI32 ref: 00C11401
              • StrokePath.GDI32(?), ref: 00C1141C
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: c3585811116ec5e4c85c464230f6123416045a8e4e0957aa0201061d4c1a6436
              • Instruction ID: ba3ab7f4cb2e00002ba9c527fe7ddcbf173f27b8ff5e3d926fb71a2ee2bba46d
              • Opcode Fuzzy Hash: c3585811116ec5e4c85c464230f6123416045a8e4e0957aa0201061d4c1a6436
              • Instruction Fuzzy Hash: A1F0EC30005308EBDB115F66EC0C79C3FA8A702726F18C22AE969850F1C73559A6FF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoInitialize.OLE32(00000000), ref: 00C7C69D
              • CoCreateInstance.OLE32(00CA2D6C,00000000,00000001,00CA2BDC,?), ref: 00C7C6B5
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
              • CoUninitialize.OLE32 ref: 00C7C922
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              • Opcode ID: 0905e1d5d33b2df677d13d8f1404b16e640fcdc7bacaaed403f2c4776e95bd6b
              • Instruction ID: 2fb83729d2930dbf398fb1ae85f38bb743f36fc95458cc85400d621b18e0fc4b
              • Opcode Fuzzy Hash: 0905e1d5d33b2df677d13d8f1404b16e640fcdc7bacaaed403f2c4776e95bd6b
              • Instruction Fuzzy Hash: 5AA13D71108205AFD700EF54C891EAFB7E8EF89304F00495CF156971A2DB70EA4AEB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C30FF6: std::exception::exception.LIBCMT ref: 00C3102C
                • Part of subcall function 00C30FF6: __CxxThrowException@8.LIBCMT ref: 00C31041
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C17BB1: _memmove.LIBCMT ref: 00C17C0B
              • __swprintf.LIBCMT ref: 00C2302D
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C22EC6
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: 474e619b84bc8e5b45666d7dc033c9be03b1fee0495cedba94c03eddb8eef6d4
              • Instruction ID: 21846193f1d9b6bc81ac1b6ee699a82cb1a2954e30cb5ee2b1c642537a7e6554
              • Opcode Fuzzy Hash: 474e619b84bc8e5b45666d7dc033c9be03b1fee0495cedba94c03eddb8eef6d4
              • Instruction Fuzzy Hash: 8E918E755083519FC718EF24D895DAEB7B4EF85740F000A1DF8529B2A1DB30EE88EB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C148A1,?,?,00C137C0,?), ref: 00C148CE
              • CoInitialize.OLE32(00000000), ref: 00C7BC26
              • CoCreateInstance.OLE32(00CA2D6C,00000000,00000001,00CA2BDC,?), ref: 00C7BC3F
              • CoUninitialize.OLE32 ref: 00C7BC5C
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: aa750d800ee5f34339da728f3cee54461a0f10f6b3b84d3bc432b84431b58041
              • Instruction ID: 3b5cf5251d2170f084cb31824a44561f234a571c2ae18a82219575c4b4163caa
              • Opcode Fuzzy Hash: aa750d800ee5f34339da728f3cee54461a0f10f6b3b84d3bc432b84431b58041
              • Instruction Fuzzy Hash: 99A135756043019FCB10DF14C494EAABBE5FF89314F148998F8AA9B3A1CB31ED45DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 00C352DD
                • Part of subcall function 00C40340: __87except.LIBCMT ref: 00C4037B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: e37bd0860cdce4d320fcda9e581bdcc6ce021791b636fb8ec86aed1d06cb80c5
              • Instruction ID: f8645261888b8271e1a050c27fea1cf9657b961f0ce44cb8b8dfd8aea88f1e01
              • Opcode Fuzzy Hash: e37bd0860cdce4d320fcda9e581bdcc6ce021791b636fb8ec86aed1d06cb80c5
              • Instruction Fuzzy Hash: AA518B72A6DA0187CB117B25CD4137F2B94BB00750F308D58E6E5822F6EF758ED4EA86
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID: #$+
              • API String ID: 0-2552117581
              • Opcode ID: 1d6e23ccd07539002b600474a3a358849375ce148d184ecf509b0c18893f799d
              • Instruction ID: 72562162c25120907ca57a4cd069d64d803a13abee55e300c32e1956fffc355c
              • Opcode Fuzzy Hash: 1d6e23ccd07539002b600474a3a358849375ce148d184ecf509b0c18893f799d
              • Instruction Fuzzy Hash: 91511176504646DFCF259F28C4986FE7BA4EF16310F284055F8A19B2E0D7349E82DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memset$_memmove
              • String ID: ERCP
              • API String ID: 2532777613-1384759551
              • Opcode ID: 79c77be46dca4eb84cab87f573ea945f71b2c3a96c4ebd9869d4b4e94c09ac25
              • Instruction ID: bd763a066f754a11a1a4e09eb269181473868eaf18bbd97d38c045a74fd2778e
              • Opcode Fuzzy Hash: 79c77be46dca4eb84cab87f573ea945f71b2c3a96c4ebd9869d4b4e94c09ac25
              • Instruction Fuzzy Hash: A451F671900719DFCB24DF65D881BAABBF4EF04314F24856EE99AC7640E770DA84CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C9F910,00000000,?,?,?,?), ref: 00C97C4E
              • GetWindowLongW.USER32 ref: 00C97C6B
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C97C7B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: 82b6a0ae6ecdd0855de73cc7fbf3419305f6dc7550d3922c2ebe5e5fe1e15e65
              • Instruction ID: 8a26dfee5ac945bd5fac3cc2b4db4e156da99c86eaf8fd136f1a5c6ea55b8e89
              • Opcode Fuzzy Hash: 82b6a0ae6ecdd0855de73cc7fbf3419305f6dc7550d3922c2ebe5e5fe1e15e65
              • Instruction Fuzzy Hash: F931BE31215206ABDF119F38DC49BEA77A9EF09324F244729F975E22E0C731E9519B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C976D0
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C976E4
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C97708
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: 7de0c16aeb894c26cce00336cf8b27eba7132081f78eaaefe5db29da7613a7d7
              • Instruction ID: 9763d9f117859c23000e2a8de5092475a096ff9a54490faa06daaa185a781f95
              • Opcode Fuzzy Hash: 7de0c16aeb894c26cce00336cf8b27eba7132081f78eaaefe5db29da7613a7d7
              • Instruction Fuzzy Hash: D3219F32514219BBDF128FA4CC4AFEE3B69EF48714F110254FE15AB1D0DAB5A8519BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C96FAA
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C96FBA
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C96FDF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: f95055d8edb939a38cacdedaedae77c4c9b66e51316440c3e58c7903bf910736
              • Instruction ID: 01c5c96c584984972f756a61168295618e5338477234c718ed7e3d2de955ac8c
              • Opcode Fuzzy Hash: f95055d8edb939a38cacdedaedae77c4c9b66e51316440c3e58c7903bf910736
              • Instruction Fuzzy Hash: F4218032610118BFDF118F94EC89FAB37AAEF89754F018128F9159B1D0C671AC519BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C979E1
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C979F6
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C97A03
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 4576a55a0515fd0009eb342e9740169ca3959bd940630055d7dd338dcb9e6d02
              • Instruction ID: f7a1b02a163589b5c38acd4d831ec645c8dc9836c7e15ec3382aa243be9b4c82
              • Opcode Fuzzy Hash: 4576a55a0515fd0009eb342e9740169ca3959bd940630055d7dd338dcb9e6d02
              • Instruction Fuzzy Hash: 3511E372254248BFEF109F74CC09FEB37A9EF89764F024629FA51A6090D6719851DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00C14C2E), ref: 00C14CA3
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C14CB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 5de7587896e9a3bb1b40bec1e52894a93895a72e1e36ea30f48f3622371460a1
              • Instruction ID: c3813c67a1b89e7ccae67493c53ecd44ae25f8db64a20f1ce681de50f5932d8c
              • Opcode Fuzzy Hash: 5de7587896e9a3bb1b40bec1e52894a93895a72e1e36ea30f48f3622371460a1
              • Instruction Fuzzy Hash: 6AD05E31610723CFDB209F31DE2C74A76E5AF067A1B25C83ED896D6160E770D8C1CA90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00C14CE1,?), ref: 00C14DA2
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14DB4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: dd87ded4fe0e0d3773cf703c6bf7de3ab26362f262dde5953ccb40c6bb6acbc9
              • Instruction ID: 8e0025d029b801301b84a4af91ff9c31bc383638c462502e4a5bec0e4dd047ed
              • Opcode Fuzzy Hash: dd87ded4fe0e0d3773cf703c6bf7de3ab26362f262dde5953ccb40c6bb6acbc9
              • Instruction Fuzzy Hash: 24D01731650713CFDB20AF31E80CB8A76E4AF06355B11883ED8D6D6160E770D8C1CA91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00C14D2E,?,00C14F4F,?,00CD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14D6F
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14D81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: e3e82153dbe1c457798d8ecae0fdbb4d79930f4feb58a0545cdd6faba6be934f
              • Instruction ID: aeb5bbb4bb4351b72e997f6331c3efac18efa27856778c51864c9507049bce74
              • Opcode Fuzzy Hash: e3e82153dbe1c457798d8ecae0fdbb4d79930f4feb58a0545cdd6faba6be934f
              • Instruction Fuzzy Hash: 1CD01731610713CFDB20AF31E80C75A76E8AF16352B21893ED496D6260E670D8C1CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,00C912C1), ref: 00C91080
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C91092
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 90afc9fb4e9d5304e584c84bb395c390f1760b788422e13c053730067f873bd1
              • Instruction ID: df636198ef6dae90e772173af8c971c9bad1a97de1a48d7924b5cc2a44b82e66
              • Opcode Fuzzy Hash: 90afc9fb4e9d5304e584c84bb395c390f1760b788422e13c053730067f873bd1
              • Instruction Fuzzy Hash: 60D0E231510713CFDB209B75D81EB1A76E8AF05362B15883EE89ADA160E770C8C08A90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C89009,?,00C9F910), ref: 00C89403
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C89415
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: b0c69dbdc2db27cf90fd968e249af4667cc0edfacc406a0d105557ad8ff4766d
              • Instruction ID: 086ae4c487d2f0a3bcf75906eb04a731a4c395d07bbfde24e2d3409ea03f3585
              • Opcode Fuzzy Hash: b0c69dbdc2db27cf90fd968e249af4667cc0edfacc406a0d105557ad8ff4766d
              • Instruction Fuzzy Hash: 46D01735610717CFDB20AF31D94C71A76E5AF05355B15C83FE496D6560E670C881DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c7456cffe0761f051c21db22a16a9f5473ee32f80362d4bf1cede0697c5f657
              • Instruction ID: af22c1a927d8a1fc614870b9f2d6f0167660c607d7a98a8461729a07b7f16f1b
              • Opcode Fuzzy Hash: 2c7456cffe0761f051c21db22a16a9f5473ee32f80362d4bf1cede0697c5f657
              • Instruction Fuzzy Hash: 28C15F75A04216EFCB24CF94C888E6EB7F5FF48718B118A99E815EB251D730DE81DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?), ref: 00C8E3D2
              • CharLowerBuffW.USER32(?,?), ref: 00C8E415
                • Part of subcall function 00C8DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C8DAD9
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C8E615
              • _memmove.LIBCMT ref: 00C8E628
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: 88093fd75655c4c23fe68b037418068cd1587019ba922102706370302e8ea57f
              • Instruction ID: f001aec9ba6272a9ca28a8ab79acee7f21b7991779980b9bdb1cfbb6b6b618bc
              • Opcode Fuzzy Hash: 88093fd75655c4c23fe68b037418068cd1587019ba922102706370302e8ea57f
              • Instruction Fuzzy Hash: 1CC179716083119FC714EF28C49096ABBE4FF89318F14896EF8999B351D730EA46DF86
              Uniqueness

              Uniqueness Score: -1.00%
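
              The function blocks above are raw IDA-plugin output: each "APIs" list is the sequence of imported calls the sandbox saw in one function at image base 00C10000, with the call-site address after "ref:". A few of those sequences are the shapes an analyst wants pulled out of a report this long: VirtualAlloc(NULL, 0x77, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) followed by _memmove (executable memory, then a copy into it), LoadLibraryA plus GetProcAddress with a literal export name (an import resolved at run time, including Wow64DisableWow64FsRedirection), and CoCreateInstance in a function whose only string is ".lnk". The script below is an added triage helper, not Joe Sandbox code: it parses the bullet-prefixed "Api.MODULE(args), ref: ADDR" lines and the "$"-joined "String ID" lines exactly as they are printed on this page, then applies the author's own rules. The report excerpt it runs on is constructed from lines copied from this page; the PAGE_EXECUTE* mask comes from winnt.h; the finding tags ("rwx-alloc", "dynamic-import", "shortcut-com") are made up for the example.

```python
"""Triage helper for the Joe Sandbox "APIs" function blocks on this page.

Added example, not Joe Sandbox code. The heuristics are the author's own
triage rules, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass, field

# PAGE_EXECUTE (0x10), PAGE_EXECUTE_READ (0x20), PAGE_EXECUTE_READWRITE (0x40),
# PAGE_EXECUTE_WRITECOPY (0x80): any executable protection sets a bit in 0xF0.
PAGE_EXECUTE_MASK = 0xF0

# One "• Api.MODULE(args), ref: ADDR" line; the "Part of subcall function" prefix
# marks a call made inside a callee rather than in the function itself.
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_LINE = re.compile(r"^•\s+String ID:\s*(?P<ids>.+)$")

# Constructed excerpt: API and String ID lines copied from blocks on this page.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00C148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C148A1,?,?,00C137C0,?), ref: 00C148CE
• CoInitialize.OLE32(00000000), ref: 00C7BC26
• CoCreateInstance.OLE32(00CA2D6C,00000000,00000001,00CA2BDC,?), ref: 00C7BC3F
• CoUninitialize.OLE32 ref: 00C7BC5C
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00C14D2E,?,00C14F4F,?,00CD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14D81
Similarity
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
Uniqueness Score: -1.00%

APIs
• CharLowerBuffW.USER32(?,?), ref: 00C8E3D2
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C8E615
• _memmove.LIBCMT ref: 00C8E628
Uniqueness Score: -1.00%
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # raw tokens as printed; '?' means the sandbox could not recover the value
    ref: str        # call-site address
    subcall: bool   # True when the call sits in a callee of this function


@dataclass
class Block:
    calls: list = field(default_factory=list)
    string_ids: list = field(default_factory=list)


@dataclass
class Finding:
    tag: str
    ref: str
    detail: str


def parse_blocks(text):
    """Split report text into per-function blocks, from "APIs" to "Uniqueness Score"."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Block()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Uniqueness Score"):
            cur = None
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(), m["sub"] is not None))
        elif (m := STRING_ID_LINE.match(line)):
            cur.string_ids += [s for s in m["ids"].split("$") if s]   # Joe Sandbox joins IDs with '$'
    return blocks


def _hex(tok):
    """Hex argument as int, or None for '?' and symbolic arguments such as export names."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def triage(blocks):
    findings = []
    for b in blocks:
        for i, c in enumerate(b.calls):
            # Executable memory followed by a copy into it: stage-loading shape.
            if c.api == "VirtualAlloc" and len(c.args) == 4:
                prot = _hex(c.args[3])
                if prot is not None and prot & PAGE_EXECUTE_MASK:
                    copied = any(d.api in ("_memmove", "_memcpy", "WriteProcessMemory") for d in b.calls[i + 1:])
                    findings.append(Finding("rwx-alloc", c.ref,
                                            f"VirtualAlloc with protection 0x{prot:02X}"
                                            + (", then a copy into it" if copied else "")))
            # GetProcAddress with a literal export name: import resolved at run time.
            if c.api == "GetProcAddress" and len(c.args) == 2 and c.args[1] != "?" and _hex(c.args[1]) is None:
                lib = next((d.args[0] for d in reversed(b.calls[:i])
                            if d.api.startswith("LoadLibrary") and d.args), "?")
                findings.append(Finding("dynamic-import", c.ref, f"{lib}!{c.args[1]}"))
        # COM instantiation in a function that also references ".lnk": shortcut handling.
        for c in b.calls:
            if c.api == "CoCreateInstance" and ".lnk" in b.string_ids:
                findings.append(Finding("shortcut-com", c.ref, "CoCreateInstance in a function referencing '.lnk'"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_blocks(SAMPLE_REPORT)):
        print(f"{f.tag:15} {f.ref}  {f.detail}")
```

              One caveat before acting on any of these hits: the code at image base 00C10000 is the executable itself, which the report classifies as a compiled AutoIt script, and the ">>>AUTOIT NO CMDEXECUTE<<<" string on the LoadLibraryA call stack above is consistent with these resolver stubs and the RWX-allocate-then-copy function being part of the AutoIt interpreter rather than the embedded script. They explain why the report flags "dynamically determine API calls" and WOW64 redirection handling, but the AgentTesla behaviour listed in the signatures (credential theft, writing to foreign memory) will be in the script payload and in other process dumps, so treat these findings as "where to look next", not as the verdict.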

              APIs
              • CoInitialize.OLE32(00000000), ref: 00C883D8
              • CoUninitialize.OLE32 ref: 00C883E3
                • Part of subcall function 00C6DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C6DAC5
              • VariantInit.OLEAUT32(?), ref: 00C883EE
              • VariantClear.OLEAUT32(?), ref: 00C886BF
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: d6481347396b9176fa6f5be2d76cbb61e8d78ea338b1c15bb53056b3a79fc03f
              • Instruction ID: 2886e44a7dbf10589f5061a4bd80e2bd8cdba067ec2492301d2e9a12c142290b
              • Opcode Fuzzy Hash: d6481347396b9176fa6f5be2d76cbb61e8d78ea338b1c15bb53056b3a79fc03f
              • Instruction Fuzzy Hash: 9DA158352047019FDB10EF14C895B5AB7E4FF89318F444448F99A9B7A2CB30ED44EB46
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C67C32
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C67C4A
              • CLSIDFromProgID.OLE32(?,?,00000000,00C9FB80,000000FF,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C67C6F
              • _memcmp.LIBCMT ref: 00C67C90
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID:
              • API String ID: 314563124-0
              • Opcode ID: 5a4883fd54b56f1f38a34de0056b86c409ae6de5307c3a92275cf6f916e93cf4
              • Instruction ID: 3be07e2ed35a92691cfc55f37f6aca49b37f866a4708635fb4711fdefc8c78fe
              • Opcode Fuzzy Hash: 5a4883fd54b56f1f38a34de0056b86c409ae6de5307c3a92275cf6f916e93cf4
              • Instruction Fuzzy Hash: E7810971A00109EFCB14DF94C988EEEB7B9FF89315F204598E516AB250DB71AE46CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: fa5c4f6ac6db25f4aa027d2f8034ad525b70709b077f9a0cf77f5510ada8c20e
              • Instruction ID: 7598cfb041efafcb5f7c3d9d363c7c2e1c83b9a1bae7370c21eb5b4fffa5d2b4
              • Opcode Fuzzy Hash: fa5c4f6ac6db25f4aa027d2f8034ad525b70709b077f9a0cf77f5510ada8c20e
              • Instruction Fuzzy Hash: 7051A7316083019ADB34AFA6D8D5B6EB3E5EF49314F308D1FE556CB291DB709980AB11
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(0166EAF8,?), ref: 00C99AD2
              • ScreenToClient.USER32(00000002,00000002), ref: 00C99B05
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C99B72
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: 44c7a9dfd6e9e5e56764dcba7d41381c1a2fb35517b1e435946b9094f449daff
              • Instruction ID: 9fce324c3a4142f5389ebf70ab0d509956f256cbbd53a4a5a816866a2d0910b3
              • Opcode Fuzzy Hash: 44c7a9dfd6e9e5e56764dcba7d41381c1a2fb35517b1e435946b9094f449daff
              • Instruction Fuzzy Hash: E7514275A00209EFCF20DF58D884AAE7BB5FF55320F14815EF9259B2A0D734AE91DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 00C86CE4
              • WSAGetLastError.WSOCK32(00000000), ref: 00C86CF4
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C86D58
              • WSAGetLastError.WSOCK32(00000000), ref: 00C86D64
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • String ID:
              • API String ID: 2214342067-0
              • Opcode ID: af41a9385283ad88d840ec3178a76348f55e1fc5d4d8cedce033b784dc69eb5c
              • Instruction ID: c628d0d8f4a36bff824acbb9fd9b47867259b7910642b684d4bc3c089ceee9e5
              • Opcode Fuzzy Hash: af41a9385283ad88d840ec3178a76348f55e1fc5d4d8cedce033b784dc69eb5c
              • Instruction Fuzzy Hash: 2741DE74740200AFEB20AF24CC96FBE77E5EF06B14F048019FA599B3C2DA709D41AB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C9F910), ref: 00C867BA
              • _strlen.LIBCMT ref: 00C867EC
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: 99cbe56c11481924717a6bb2f8684afbc5c766a20fc9bd5686673e2c81bec1c6
              • Instruction ID: 52bf4fb02244c811e2ca22727587be7d9c8d3da52359254e7c95fc35fa69b85a
              • Opcode Fuzzy Hash: 99cbe56c11481924717a6bb2f8684afbc5c766a20fc9bd5686673e2c81bec1c6
              • Instruction Fuzzy Hash: 0A417131A00104AFCB14FBA4DCD5FAEB3A9EF45314F148169F82A972D2DB30AD45E794
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C7BB09
              • GetLastError.KERNEL32(?,00000000), ref: 00C7BB2F
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C7BB54
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C7BB80
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: baeae3ec6f2f5eb9b68514aecd50e899cce51f9694ea8aca6cb1db0959a1c8b3
              • Instruction ID: 19681d8c53bfc7d2c65ad961561489c72b6a52ed0a7eca67256669fa153144bc
              • Opcode Fuzzy Hash: baeae3ec6f2f5eb9b68514aecd50e899cce51f9694ea8aca6cb1db0959a1c8b3
              • Instruction Fuzzy Hash: 2C410439600610DFCB11EF15C595A9DBBE1EF8A320B198499EC4A9B362CB34FD41EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C98B4D
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: f33254b59ce7b45d5f64cccdd2e7b1aeafb227800a48de967e9c5e2c9748a0de
              • Instruction ID: 8377e7c6bd2d8351ad850d8283684965fa74eb6e9708d3803fa6f67fad7fe916
              • Opcode Fuzzy Hash: f33254b59ce7b45d5f64cccdd2e7b1aeafb227800a48de967e9c5e2c9748a0de
              • Instruction Fuzzy Hash: 923194B4600204BFEF209A18CC9DFAD37A5EB07310F684516FA65D72E1CE31EA58D751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ClientToScreen.USER32(?,?), ref: 00C9AE1A
              • GetWindowRect.USER32(?,?), ref: 00C9AE90
              • PtInRect.USER32(?,?,00C9C304), ref: 00C9AEA0
              • MessageBeep.USER32(00000000), ref: 00C9AF11
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: 3049974c287261200a7e1f69add0dd2c7c01aaef8a75cf430d00942aec2ce578
              • Instruction ID: 1526537ae2a3f8060653f1808120155721428534c04ada7e25432ab6a41214ea
              • Opcode Fuzzy Hash: 3049974c287261200a7e1f69add0dd2c7c01aaef8a75cf430d00942aec2ce578
              • Instruction Fuzzy Hash: 28415D70600219DFCF11DF59C888B6DBBF5FB49350F1881AAE815DB251D730AA52DF92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C71037
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00C71053
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C710B9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C7110B
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 5358b3009b71603e5b8b9b8f2b69210876832f0780f0815f6e8cd7415f594ee4
              • Instruction ID: c0d8c2ed5472443f2aca4c3c1fd0eb9135ba63c4367f80e72ad4a4f806c829c4
              • Opcode Fuzzy Hash: 5358b3009b71603e5b8b9b8f2b69210876832f0780f0815f6e8cd7415f594ee4
              • Instruction Fuzzy Hash: FA314D30E40688AEFF308B6E8C097FDBBA9AB44310F1CC21AE9A8521D1C3748AD59751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00C71176
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C71192
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C711F1
              • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00C71243
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: c0a0f312a690ecf9a8225a016f35da37617fd5105a2d460325785fab9e07e148
              • Instruction ID: 5dba764ac38b0495a2cece19bc4dee98fb2e33baadfbbbfb3e88dc57203c7177
              • Opcode Fuzzy Hash: c0a0f312a690ecf9a8225a016f35da37617fd5105a2d460325785fab9e07e148
              • Instruction Fuzzy Hash: 693109309406089BFF208A6E8809BFE7BA9AB45310F5CC31BE9A8961D1C3348E559751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C4644B
              • __isleadbyte_l.LIBCMT ref: 00C46479
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C464A7
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C464DD
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: d555473ded6abd8f5870c4f37f1e1f81ab80ac1159d52eb1988d74865d986577
              • Instruction ID: c4ff618b9fccc5fe1cef3dc98fb32c05b5f6420dd7e97290348760aa63bc8992
              • Opcode Fuzzy Hash: d555473ded6abd8f5870c4f37f1e1f81ab80ac1159d52eb1988d74865d986577
              • Instruction Fuzzy Hash: A431EF31600246AFDF25CF75CC44BAA7BA5FF42310F154429F864871A4EB31DE91DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32 ref: 00C95189
                • Part of subcall function 00C7387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C73897
                • Part of subcall function 00C7387D: GetCurrentThreadId.KERNEL32 ref: 00C7389E
                • Part of subcall function 00C7387D: AttachThreadInput.USER32(00000000,?,00C752A7), ref: 00C738A5
              • GetCaretPos.USER32(?), ref: 00C9519A
              • ClientToScreen.USER32(00000000,?), ref: 00C951D5
              • GetForegroundWindow.USER32 ref: 00C951DB
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: a7c4ad4f549ac345d4a238b510a5ac73d39b62dfb71c6746c9c2343469a9ea82
              • Instruction ID: dfb5fbe7f08892ef9a7b93b6892cd1fb7110bc9ef56b6787a86982c425d072ba
              • Opcode Fuzzy Hash: a7c4ad4f549ac345d4a238b510a5ac73d39b62dfb71c6746c9c2343469a9ea82
              • Instruction Fuzzy Hash: B6311071900108AFDB10EFB5C885AEFB7F9EF99300F10406AE415E7251DA759E45DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • GetCursorPos.USER32(?), ref: 00C9C7C2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C4BBFB,?,?,?,?,?), ref: 00C9C7D7
              • GetCursorPos.USER32(?), ref: 00C9C824
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C4BBFB,?,?,?), ref: 00C9C85E
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: 070ef87c897ec6fe4efef03d22d690833d97a109a0e1202bb01ce092adb353bc
              • Instruction ID: a506b75dd31149c06c0d85e086823e0b88236560861fbd05287f36a7153cffb6
              • Opcode Fuzzy Hash: 070ef87c897ec6fe4efef03d22d690833d97a109a0e1202bb01ce092adb353bc
              • Instruction Fuzzy Hash: 73316D75600018AFCF15CF59C8D8EEE7BB6EB49310F04406AF9158B2A1C7359E51EBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __setmode.LIBCMT ref: 00C30BF2
                • Part of subcall function 00C15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77B20,?,?,00000000), ref: 00C15B8C
                • Part of subcall function 00C15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77B20,?,?,00000000,?,?), ref: 00C15BB0
              • _fprintf.LIBCMT ref: 00C30C29
              • OutputDebugStringW.KERNEL32(?), ref: 00C66331
                • Part of subcall function 00C34CDA: _flsall.LIBCMT ref: 00C34CF3
              • __setmode.LIBCMT ref: 00C30C5E
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: 5785d40387da7fe4d9bc80bf5f8dc57c7fb31030514f73fc5a5dd1086ae5242a
              • Instruction ID: ac9195e707ed8f0f9cefee904d3ecfd8c2c4a7d94674503425bd3308b08821ec
              • Opcode Fuzzy Hash: 5785d40387da7fe4d9bc80bf5f8dc57c7fb31030514f73fc5a5dd1086ae5242a
              • Instruction Fuzzy Hash: 32113A32914608BBCB0877B4AC87AFEBB6DDF42320F14011AF204572D1DE202D86B7D1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C68669
                • Part of subcall function 00C68652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C68673
                • Part of subcall function 00C68652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68682
                • Part of subcall function 00C68652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68689
                • Part of subcall function 00C68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C6869F
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C68BEB
              • _memcmp.LIBCMT ref: 00C68C0E
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C68C44
              • HeapFree.KERNEL32(00000000), ref: 00C68C4B
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              • Opcode ID: 4db15aace9798fd9218925b491d8ffe6bad87605708007b25704657d578dcb77
              • Instruction ID: 0557b455237cefcd8e170f6e8f96177958003443acda08bfbd220ac95d180e1e
              • Opcode Fuzzy Hash: 4db15aace9798fd9218925b491d8ffe6bad87605708007b25704657d578dcb77
              • Instruction Fuzzy Hash: D4217C71E01208FFDB20DFA4C989BEEB7B8FF44354F144159E664A7240DB31AA0ADB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C81A97
                • Part of subcall function 00C81B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C81B40
                • Part of subcall function 00C81B21: InternetCloseHandle.WININET(00000000), ref: 00C81BDD
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: a9363de81d553b5160eb1d4e5175afbabe9a5eafd98ac56319efa768e1e6552e
              • Instruction ID: 4ba8c730485e4f5f0f5af4135821644f1085f34eb2296c7546efb7930c164dfb
              • Opcode Fuzzy Hash: a9363de81d553b5160eb1d4e5175afbabe9a5eafd98ac56319efa768e1e6552e
              • Instruction Fuzzy Hash: 6C21CF75201600BFDB15AF61CC04FBAB7EDFF44715F18001AFA52D6650EB31D912ABA8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C6F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C6E1C4,?,?,?,00C6EFB7,00000000,000000EF,00000119,?,?), ref: 00C6F5BC
                • Part of subcall function 00C6F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00C6F5E2
                • Part of subcall function 00C6F5AD: lstrcmpiW.KERNEL32(00000000,?,00C6E1C4,?,?,?,00C6EFB7,00000000,000000EF,00000119,?,?), ref: 00C6F613
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C6E1DD
              • lstrcpyW.KERNEL32(00000000,?), ref: 00C6E203
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00C6E237
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: 9aec0125be84affd07339e34d8cb6abda17bffb369a1afcaeff1223f702b97d1
              • Instruction ID: 64874a4ac9a207afc5af77c56bea17eff522f7727a9fc606f009a4d68624b335
              • Opcode Fuzzy Hash: 9aec0125be84affd07339e34d8cb6abda17bffb369a1afcaeff1223f702b97d1
              • Instruction Fuzzy Hash: C711937A100345EFCB25AF64DC89E7A77A9FF45350B40402BF816CB264EB719951D790
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _free.LIBCMT ref: 00C45351
                • Part of subcall function 00C3594C: __FF_MSGBANNER.LIBCMT ref: 00C35963
                • Part of subcall function 00C3594C: __NMSG_WRITE.LIBCMT ref: 00C3596A
                • Part of subcall function 00C3594C: RtlAllocateHeap.NTDLL(01650000,00000000,00000001,00000000,?,?,?,00C31013,?), ref: 00C3598F
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 657c1ea32fc3fd6f544b7e46c13f0ab021cd9b1ba9866ca50fbe7c8f11d2d9fe
              • Instruction ID: 4d4c9411e9689fdf5e82560e207108fb5ec32286bfbc507d0d8b0e0e9c1005da
              • Opcode Fuzzy Hash: 657c1ea32fc3fd6f544b7e46c13f0ab021cd9b1ba9866ca50fbe7c8f11d2d9fe
              • Instruction Fuzzy Hash: 1311AC32505B16AFCB312F70AC4576E3B98BF143B0F24042AF955AA1B2DEB58E41A790
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C14560
                • Part of subcall function 00C1410D: _memset.LIBCMT ref: 00C1418D
                • Part of subcall function 00C1410D: _wcscpy.LIBCMT ref: 00C141E1
                • Part of subcall function 00C1410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C141F1
              • KillTimer.USER32(?,00000001,?,?), ref: 00C145B5
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C145C4
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C4D6CE
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: 524b0762798e809622d294677cf730177098c3a4d4842f822715dacdd29f6b44
              • Instruction ID: a6c68641c20bd58f59d97b71526d8f36acd730101a82a0f536227db1d8b791dc
              • Opcode Fuzzy Hash: 524b0762798e809622d294677cf730177098c3a4d4842f822715dacdd29f6b44
              • Instruction Fuzzy Hash: 2821D770904784AFEB329B24D849BEBBBEDAF02304F04049EE69E96242C7745BC5DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77B20,?,?,00000000), ref: 00C15B8C
                • Part of subcall function 00C15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77B20,?,?,00000000,?,?), ref: 00C15BB0
              • gethostbyname.WSOCK32(?,?,?), ref: 00C866AC
              • WSAGetLastError.WSOCK32(00000000), ref: 00C866B7
              • _memmove.LIBCMT ref: 00C866E4
              • inet_ntoa.WSOCK32(?), ref: 00C866EF
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: cc88dc0635b5cadf7dc00649ad2e689250c0639386b03ea530141335332d4849
              • Instruction ID: 19bb45288181a538c3360e5b1965478d62758456940286213a870c1eaf69466a
              • Opcode Fuzzy Hash: cc88dc0635b5cadf7dc00649ad2e689250c0639386b03ea530141335332d4849
              • Instruction Fuzzy Hash: 6C117C35500108AFCB04FBA0D996DEEB7B8AF45310B144069F502A71A1DF30AE45EBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00C69043
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C69055
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C6906B
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C69086
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: d610cd0c704f88107065b0a1b8fb41a643b398ba04f74a18c56af2b58fdf347d
              • Instruction ID: b1d44ef93816011a810a0cbcff7703e87edb750811fffb2c70d9551ac3204618
              • Opcode Fuzzy Hash: d610cd0c704f88107065b0a1b8fb41a643b398ba04f74a18c56af2b58fdf347d
              • Instruction Fuzzy Hash: B1114C79900218FFDB10DFA5C984F9DBB78FB48310F204095E904B7250D6716E11DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
              • DefDlgProcW.USER32(?,00000020,?), ref: 00C112D8
              • GetClientRect.USER32(?,?), ref: 00C4B84B
              • GetCursorPos.USER32(?), ref: 00C4B855
              • ScreenToClient.USER32(?,?), ref: 00C4B860
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: 3c782abeca9600131856e1bc5751865993c54bbfd7d9c33a41f8d9998e38ba2e
              • Instruction ID: 6b575f4f982adca97c928ea891e6c57bc8ce32440a7a2dd380e645a2b865c5ab
              • Opcode Fuzzy Hash: 3c782abeca9600131856e1bc5751865993c54bbfd7d9c33a41f8d9998e38ba2e
              • Instruction Fuzzy Hash: 5B111C35901119AFCF10DFA8D889AFE77B8FB06301F140456FA11E7251D738BA92EBA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C701FD,?,00C71250,?,00008000), ref: 00C7166F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C701FD,?,00C71250,?,00008000), ref: 00C71694
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C701FD,?,00C71250,?,00008000), ref: 00C7169E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,00C701FD,?,00C71250,?,00008000), ref: 00C716D1
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              • Opcode ID: 4c00136ad0674e1c794a1a1e34ca639c4c84a6d149631ad79c5716d8f7bc918c
              • Instruction ID: d26a820b5999b96f23573a889685153647c4f24189a190a91895a82c905036ad
              • Opcode Fuzzy Hash: 4c00136ad0674e1c794a1a1e34ca639c4c84a6d149631ad79c5716d8f7bc918c
              • Instruction Fuzzy Hash: E5113C31C1051DD7CF009FAAD94ABEEBB78FF09751F09805AED88B6240CB3056A18BD6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: f2543a33ef51b8ff6ee9686e0597ce76fd9eefdabce9325c18d184413b9be007
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: E201403644414AFBCF265F94CC018EE3F62BF69351B598615FA2858031D377CAB1BB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(?,?), ref: 00C9B59E
              • ScreenToClient.USER32(?,?), ref: 00C9B5B6
              • ScreenToClient.USER32(?,?), ref: 00C9B5DA
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C9B5F5
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: 8d8c66b57ec94e5203562c27c857ecc24034dd90ddb6cc397c01326335c03ae6
              • Instruction ID: 14ea8de2b0fc96de8f851487a7d7666dae322b47732e98266e9fe4e7026265ee
              • Opcode Fuzzy Hash: 8d8c66b57ec94e5203562c27c857ecc24034dd90ddb6cc397c01326335c03ae6
              • Instruction Fuzzy Hash: 1B1146B5D00209EFDB41CF99D544AEEFBB5FB08310F104166E914E3220D735AA658F50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C9B8FE
              • _memset.LIBCMT ref: 00C9B90D
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CD7F20,00CD7F64), ref: 00C9B93C
              • CloseHandle.KERNEL32 ref: 00C9B94E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: 6183e9774ba0e4d94a70402c8583ed9bad561bc8023cef0f69115d2a2a81dbb5
              • Instruction ID: d832e8ec72c47898c9d1f255ed8b3063d641b04ab382f40b1436351b23616ece
              • Opcode Fuzzy Hash: 6183e9774ba0e4d94a70402c8583ed9bad561bc8023cef0f69115d2a2a81dbb5
              • Instruction Fuzzy Hash: 48F082F26553007BF62027B1AC09FBF3B5CEB08354F400126BB08D52A2E7758D1187A8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 00C76E88
                • Part of subcall function 00C7794E: _memset.LIBCMT ref: 00C77983
              • _memmove.LIBCMT ref: 00C76EAB
              • _memset.LIBCMT ref: 00C76EB8
              • LeaveCriticalSection.KERNEL32(?), ref: 00C76EC8
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: 76ba3806ccee06436951627b423a333aef36ee13fc27634b05d0f851c90b2859
              • Instruction ID: a8cbb7f613f9af0b679db0b9ce69435a18b6eac6e4b3de645d7f70560bbb2446
              • Opcode Fuzzy Hash: 76ba3806ccee06436951627b423a333aef36ee13fc27634b05d0f851c90b2859
              • Instruction Fuzzy Hash: D0F0543A100204ABCF016F55DC85B4ABB29EF45320F04C065FE089E217C731A911DBB4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C1134D
                • Part of subcall function 00C112F3: SelectObject.GDI32(?,00000000), ref: 00C1135C
                • Part of subcall function 00C112F3: BeginPath.GDI32(?), ref: 00C11373
                • Part of subcall function 00C112F3: SelectObject.GDI32(?,00000000), ref: 00C1139C
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C9C030
              • LineTo.GDI32(00000000,?,?), ref: 00C9C03D
              • EndPath.GDI32(00000000), ref: 00C9C04D
              • StrokePath.GDI32(00000000), ref: 00C9C05B
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: b65560264dcca8999440518740fb176a8956641d215e99ef2534ab73a40855f5
              • Instruction ID: 6fd84292f194176bd0b98f3b5d78314f0d56ac4782d84b713d04f66aad8f5c9f
              • Opcode Fuzzy Hash: b65560264dcca8999440518740fb176a8956641d215e99ef2534ab73a40855f5
              • Instruction Fuzzy Hash: 1DF05E31005259FBDB126F95AC0EFCE3F59AF06311F144006FA11A10E2C7755662EBE5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C6A399
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C6A3AC
              • GetCurrentThreadId.KERNEL32 ref: 00C6A3B3
              • AttachThreadInput.USER32(00000000), ref: 00C6A3BA
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: dbddc84c6e536760a340f4e60084c96f50b2c2d5e4ec7e552760d1048229bc4f
              • Instruction ID: 6c34bca0aa1e836b67c4db85b2a6bd2f1979370ab834eec76a00f00482eba2e4
              • Opcode Fuzzy Hash: dbddc84c6e536760a340f4e60084c96f50b2c2d5e4ec7e552760d1048229bc4f
              • Instruction Fuzzy Hash: 1FE0A572545328BADB205BA2DC4DFDF7E5CEF167A1F00802AB609D5060C671C5419BA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSysColor.USER32(00000008), ref: 00C12231
              • SetTextColor.GDI32(?,000000FF), ref: 00C1223B
              • SetBkMode.GDI32(?,00000001), ref: 00C12250
              • GetStockObject.GDI32(00000005), ref: 00C12258
              • GetWindowDC.USER32(?,00000000), ref: 00C4C0D3
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C4C0E0
              • GetPixel.GDI32(00000000,?,00000000), ref: 00C4C0F9
              • GetPixel.GDI32(00000000,00000000,?), ref: 00C4C112
              • GetPixel.GDI32(00000000,?,?), ref: 00C4C132
              • ReleaseDC.USER32(?,00000000), ref: 00C4C13D
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: b5bbccd6482d577b8037a8977bb9d2c7ac284c76b51c1d128fd9567b7abbb78c
              • Instruction ID: dfaaa38347471f8613b66a16f3a508c8dd1cd549225106be867a4f6c7fb181d1
              • Opcode Fuzzy Hash: b5bbccd6482d577b8037a8977bb9d2c7ac284c76b51c1d128fd9567b7abbb78c
              • Instruction Fuzzy Hash: 5DE06D32200284EADB215F64FC4D7DC3B20EB06332F10836BFA79880F187B14AA1DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThread.KERNEL32 ref: 00C68C63
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C6882E), ref: 00C68C6A
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C6882E), ref: 00C68C77
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C6882E), ref: 00C68C7E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: 13adfc7f7131261c1fc1dcc6aacdc58425e15816358f2416e94140f389e9358d
              • Instruction ID: 9f0ee297d038e17352a9d37b721182e35b1f09d3425ebfa221de75267e6c669f
              • Opcode Fuzzy Hash: 13adfc7f7131261c1fc1dcc6aacdc58425e15816358f2416e94140f389e9358d
              • Instruction Fuzzy Hash: ACE08676642211EBD7205FB06D4DB5E3BACEF50792F14492DB245D9090DA748446CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDesktopWindow.USER32 ref: 00C52187
              • GetDC.USER32(00000000), ref: 00C52191
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C521B1
              • ReleaseDC.USER32(?), ref: 00C521D2
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 68778032acfb25cb36be94052b6d338c25e336df7113a2705605203139dc0794
              • Instruction ID: 525e65fd17ab6c5c195d7443228affa4e6f0f62cfe8267d51f2b90ce35fa54e8
              • Opcode Fuzzy Hash: 68778032acfb25cb36be94052b6d338c25e336df7113a2705605203139dc0794
              • Instruction Fuzzy Hash: 62E0C276840604AFDB019F61C80CB9E7BA5EB48351F20842AF95AD6260CB788582AF40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDesktopWindow.USER32 ref: 00C5219B
              • GetDC.USER32(00000000), ref: 00C521A5
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C521B1
              • ReleaseDC.USER32(?), ref: 00C521D2
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 7f146d766fde0f58c68c718c5964735bf80b50928952a963f000b146ed647929
              • Instruction ID: 669d9de4c8b2595a289de2c48c9250f0cf7e8a30da58fba82729b76407d320a1
              • Opcode Fuzzy Hash: 7f146d766fde0f58c68c718c5964735bf80b50928952a963f000b146ed647929
              • Instruction Fuzzy Hash: 47E0EEB6800304AFCB019FA0C80C7DD7BA6EB4C310F20842AF95AE7260CB789182AF40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 00C6B981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container
              • API String ID: 3565006973-3941886329
              • Opcode ID: 9363daa5e1ceaf197335be91f33faa24cd1dc462928ef2320a8b35d2c9a5a45d
              • Instruction ID: 32a3a6472f40c5b71bd6ae64c9488348709e2a99032c82049cd023fd988b8363
              • Opcode Fuzzy Hash: 9363daa5e1ceaf197335be91f33faa24cd1dc462928ef2320a8b35d2c9a5a45d
              • Instruction Fuzzy Hash: 1D9139706106019FDB24DF68C884A6AB7F8FF49710F24856DE949CB691DB70ED81CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C2FEC6: _wcscpy.LIBCMT ref: 00C2FEE9
                • Part of subcall function 00C19997: __itow.LIBCMT ref: 00C199C2
                • Part of subcall function 00C19997: __swprintf.LIBCMT ref: 00C19A0C
              • __wcsnicmp.LIBCMT ref: 00C7B298
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C7B361
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: 784b58b0fdfc93955631fcc73d4c03724b498880d37f1ea05914388a6fe9ca50
              • Instruction ID: 70e514ee9bfa3f0869c5321cffbc4060a7e061ce390d425b7a1d453752896c0a
              • Opcode Fuzzy Hash: 784b58b0fdfc93955631fcc73d4c03724b498880d37f1ea05914388a6fe9ca50
              • Instruction Fuzzy Hash: BD617475A00215EFCB14DF94C895FEEB7B4EF09310F15806AF55AAB261DB70AE80DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Sleep.KERNEL32(00000000), ref: 00C22AC8
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C22AE1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: f082a92f24b5901b894be9be30e86a59b0e5353f64ca4aa21dd929d1ae0417cb
              • Instruction ID: d4024d375a9595ae77f0143d234b653d834cbbf522aa0a7fd668f16ea959eaa2
              • Opcode Fuzzy Hash: f082a92f24b5901b894be9be30e86a59b0e5353f64ca4aa21dd929d1ae0417cb
              • Instruction Fuzzy Hash: 215147714187449BD320AF10D896BAFBBE8FF89310F42885DF2D9411A1DB308569EB66
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C1506B: __fread_nolock.LIBCMT ref: 00C15089
              • _wcscmp.LIBCMT ref: 00C79AAE
              • _wcscmp.LIBCMT ref: 00C79AC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: 44aaee07754c40717f35f70a541dcc71365dfdcca5d47c5d6fb1c525a881df58
              • Instruction ID: c536e70c9b16c561abe21a3e1136f28c93f3fc2adf1b6f1cdac4a7e434cf2c03
              • Opcode Fuzzy Hash: 44aaee07754c40717f35f70a541dcc71365dfdcca5d47c5d6fb1c525a881df58
              • Instruction Fuzzy Hash: A741F671A00609BBDF209AA0CC46FEFBBBDDF49710F004079F904A71C1DA75AA4597A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C82892
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C828C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 49f9b99cf96e8a1f3f5b13c22ecd9b37ee706b81eb5819a5dca23e0a174a5028
              • Instruction ID: 91099a7e5e9ca20d2c647b0eadba690b9215185641b7f556245627b84d7d95f1
              • Opcode Fuzzy Hash: 49f9b99cf96e8a1f3f5b13c22ecd9b37ee706b81eb5819a5dca23e0a174a5028
              • Instruction Fuzzy Hash: 7D313071800219AFDF01EFA1DC85EEEBFB9FF09300F104169F815A6265DB315A96EB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 00C96D86
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C96DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: 724ff8bd9a952f28601a60ca2ef7d333f8c52854a9f843fb71f40b52ba3fe90a
              • Instruction ID: e133951428f7fc8da605c2e83f747be5e5b07358532cb07e97b32547804e854b
              • Opcode Fuzzy Hash: 724ff8bd9a952f28601a60ca2ef7d333f8c52854a9f843fb71f40b52ba3fe90a
              • Instruction Fuzzy Hash: 7D319C72200604AADF109F68CC88BFB73B9FF48720F108619F9A5C7190CA31AD91EB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C72E00
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C72E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 2776b7b29a756f7ccb4c8978e547f1697218260c502af78d25848c91e522784c
              • Instruction ID: 5bc2a8f5b7088181117de4298ce65e106a6e90b3766f76b2a4c6c26748b08974
              • Opcode Fuzzy Hash: 2776b7b29a756f7ccb4c8978e547f1697218260c502af78d25848c91e522784c
              • Instruction Fuzzy Hash: 1831E631600305ABEB248F59C845BAEBBB9FF05351F14802EE9E9D61A0D7709B40DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C969D0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C969DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: ff911891a670eeac2658f33253a465675ba80e8bf33568626570bfb4b232e29a
              • Instruction ID: fa42db71eca0296b9c2fb3b7c682ba12b7b88cfb5d7ddfe0df55b1a47816de47
              • Opcode Fuzzy Hash: ff911891a670eeac2658f33253a465675ba80e8bf33568626570bfb4b232e29a
              • Instruction Fuzzy Hash: A411BF716002086FEF119F24DC98FFF376AEB893A4F124129F9689B2D0D6719D9197A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
                • Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
                • Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91
              • GetWindowRect.USER32(00000000,?), ref: 00C96EE0
              • GetSysColor.USER32(00000012), ref: 00C96EFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 7016cc95040f96fc7dab84d543cdd7e72b79d3a7dc303620851d9ce39e5c903c
              • Instruction ID: d5af99c8609e70d8b6cadeb732023cbcaadc181d9791e5471174e484d2512f69
              • Opcode Fuzzy Hash: 7016cc95040f96fc7dab84d543cdd7e72b79d3a7dc303620851d9ce39e5c903c
              • Instruction Fuzzy Hash: 1C21267261020AAFDF04DFA8DD49AFA7BB8FB08314F054629FD55D3290E635E861DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 00C96C11
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C96C20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: 3ac907393e0861ee0fbd9c4832fe642e00667efa2847aeba84edf19863ae4053
              • Instruction ID: a4605950c65800420f8cf361cc1b4e8dee1fa84dbe84bfc8b54417a97d7c0111
              • Opcode Fuzzy Hash: 3ac907393e0861ee0fbd9c4832fe642e00667efa2847aeba84edf19863ae4053
              • Instruction Fuzzy Hash: 37119671100208ABEF108E74DC49EEA3BAAEB04368F204728FA71D31E0D635DC91AB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00C72F11
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C72F30
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: e9a72eb58465995028ade73e7b181c7aa9a72832e964da88cbbb33700188c4c2
              • Instruction ID: 6e3b945203b95262ad7e79fd122748d0b6abb4efc2968d34bab50f257b2071ba
              • Opcode Fuzzy Hash: e9a72eb58465995028ade73e7b181c7aa9a72832e964da88cbbb33700188c4c2
              • Instruction Fuzzy Hash: 4C11BF31901224ABDB24DB98DC44BAD77B9EB05310F1880A6E87DA72A0D7B0AE04D799
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C82520
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C82549
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 9c5afbc246c30736d37b02725c0404920c930e67ea7eab07e126fd12cbe60efa
              • Instruction ID: 20888e5e213b93ae88e762014579b5e6c5463806decc6e5f4b4e31f08460ec63
              • Opcode Fuzzy Hash: 9c5afbc246c30736d37b02725c0404920c930e67ea7eab07e126fd12cbe60efa
              • Instruction Fuzzy Hash: 4811C2B0541225BADB24AF528C9DFBBFF68FF06769F10812AF91586040D2706A51DBF4
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C8830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C880C8,?,00000000,?,?), ref: 00C88322
              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C880CB
              • htons.WSOCK32(00000000,?,00000000), ref: 00C88108
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ByteCharMultiWidehtonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 2496851823-2422070025
              • Opcode ID: 5d3b65c26d3074ae3009c752f4ed326cd6ad60a16277647e670416875044c85c
              • Instruction ID: 13fed9590096e59025562af9c725c174bcc297e439c1809cb2928b5824d1e6b2
              • Opcode Fuzzy Hash: 5d3b65c26d3074ae3009c752f4ed326cd6ad60a16277647e670416875044c85c
              • Instruction Fuzzy Hash: B711C234100205ABCB20AFA4CC8AFADB364EF04324F10852AE911976D2DF31A8059795
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C6B0E7
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C69355
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 2547bdd7ec8b1117846fe2b7ad03a6d9b992604daf075db19302c847a1751fa6
              • Instruction ID: 4af9125c081e78d2e0aba5a9c0ffaca632d348a8d427d31d0e27857aa03d38aa
              • Opcode Fuzzy Hash: 2547bdd7ec8b1117846fe2b7ad03a6d9b992604daf075db19302c847a1751fa6
              • Instruction Fuzzy Hash: 9E01DE71A41218AB8B14EBA0CC91DFE776DFF06320B100729F832973E1DB316948A650
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C6B0E7
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C6924D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: c780daaef772912843a855b9601c1954bcbc3a2cb74dddf4a65651a0f24d931f
              • Instruction ID: b73df171b0ef35e47b2bd47e635cc9af92eb317fe225d3d1f2c3999773f2e67c
              • Opcode Fuzzy Hash: c780daaef772912843a855b9601c1954bcbc3a2cb74dddf4a65651a0f24d931f
              • Instruction Fuzzy Hash: 1D018871A4110477CB14E7A0C9D6EFF77ACDF45300F140159B512672C1DA316F58A671
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C17F41: _memmove.LIBCMT ref: 00C17F82
                • Part of subcall function 00C6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00C6B0E7
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C692D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 3781857b9444012ee301657df199182a3f3fda7c612a662fdaaef2df84a5453c
              • Instruction ID: fefd19ee1f342641a4aac350ac23289d63541085400f190fef31979412bb4f00
              • Opcode Fuzzy Hash: 3781857b9444012ee301657df199182a3f3fda7c612a662fdaaef2df84a5453c
              • Instruction Fuzzy Hash: FE01A2B1A81208B7CB14EAA0C9D6EFF77ACDF11300F240129B812A32D2DA315F5DB675
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: 4ad63b91b067ffb632bccdb156ce535fd576d96f83bfbea91ae619d2c9575951
              • Instruction ID: dcb738f60abefe359c34b2e581040e65053f20899e3777c6b4afe5ab7fae4f1e
              • Opcode Fuzzy Hash: 4ad63b91b067ffb632bccdb156ce535fd576d96f83bfbea91ae619d2c9575951
              • Instruction Fuzzy Hash: E5E06832A0022C2BE3209A99EC0AFABF7ECEB41771F00016BFD18D3040E5709A058BE1
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C681CA
                • Part of subcall function 00C33598: _doexit.LIBCMT ref: 00C335A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: c06bb5de85b3f4ba0b3a0915df16ad9ba8ac769434cda3ed7cd6ab93db11f777
              • Instruction ID: fc3287c91f0d01b524db0fe5b7315eafca753bb6ab78bf151d4f14a3d35d78ba
              • Opcode Fuzzy Hash: c06bb5de85b3f4ba0b3a0915df16ad9ba8ac769434cda3ed7cd6ab93db11f777
              • Instruction Fuzzy Hash: 16D05B323D535836D21832A56C0BFCD75888B06B56F044436FF08955D38DD155D252D9
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00C4B564: _memset.LIBCMT ref: 00C4B571
                • Part of subcall function 00C30B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C4B540,?,?,?,00C1100A), ref: 00C30B89
              • IsDebuggerPresent.KERNEL32(?,?,?,00C1100A), ref: 00C4B544
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C1100A), ref: 00C4B553
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C4B54E
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: d79a40e54aa3c49ad0473f800c93b43b29c714c60b510204e7e5333fa8b89c5d
              • Instruction ID: 453edab407adc20be7d7bc9fb2fcb0356114fc91d751b9094ef8d3469107dd44
              • Opcode Fuzzy Hash: d79a40e54aa3c49ad0473f800c93b43b29c714c60b510204e7e5333fa8b89c5d
              • Instruction Fuzzy Hash: 65E092B02007518FD720DF69D508386BBE0BF04755F00892DE486C3661D7F4D844CB61
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C95BF5
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C95C08
                • Part of subcall function 00C754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C7555E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1203791197.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
              • Associated: 00000000.00000002.1203766574.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203883672.0000000000CC5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203941287.0000000000CCF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CD8000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CDA000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1203968134.0000000000CE8000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_c10000_SCU_9028892992899029_789290929209922________________.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: c019a783b130505bf1a0b1123497c3004757a5bba05f7143e61e6af306271cb4
              • Instruction ID: f29c4125198866fe90a26ef98f12976733bfe8df1fb67899fa14eb536e29b0b0
              • Opcode Fuzzy Hash: c019a783b130505bf1a0b1123497c3004757a5bba05f7143e61e6af306271cb4
              • Instruction Fuzzy Hash: 57D01231388311B7E774BB70EC0FFDB6A14AB00B51F05483EB749EA1D0D9E45841C654
              Uniqueness
              • Uniqueness Score: -1.00%
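The function entries above list raw API calls with their arguments as hex immediates, and the intent is only visible once the constants are decoded. The following parser is an added example for reading these entries; it is not Joe Sandbox code and not code recovered from the sample. It parses the report's "APIs" line format (`Api.MODULE(arg,...), ref: addr`, with the optional "Part of subcall function" prefix) and names the constants that matter here, using values from the Windows SDK headers: the SendMessageW messages 0x180, 0x182 and 0x1A2 are LB_ADDSTRING, LB_DELETESTRING and LB_FINDSTRINGEXACT, which together with the ComboBox/ListBox class-name strings are ordinary GUI control handling; InternetSetOptionW with option 0x32 and an 8-byte buffer is INTERNET_OPTION_CONNECTED_STATE with an INTERNET_CONNECTED_INFO structure, consistent with AutoIt's InetGet forcing the connected state before a download (an interpretation, not something the report states); PostMessageW to Shell_TrayWnd uses 0x111 = WM_COMMAND; MessageBoxW with "Error allocating memory." and caption "AutoIt" is the AutoIt runtime's own out-of-memory handler and corroborates the compiled-AutoIt verdict. One caveat worth keeping in mind when weighting the debugger-check signatures: the IsDebuggerPresent/OutputDebugStringW pair at 00C4B544/00C4B553, guarded by the "Unable to initialize critical section in CAtlBaseModule" string, is the error path of ATL's CAtlBaseModule constructor and only runs if InitializeCriticalSectionAndSpinCount fails, so it is library boilerplate rather than an evasion check. The sample lines below are copied from the entries above; the function and class names are this example's own.

```python
"""Parse the 'APIs' lines of Joe Sandbox function entries and decode the raw
constants. Added example for reading this report; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: API lines copied verbatim from the function entries above.
SAMPLE = """\
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C82520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C82549
  • Part of subcall function 00C8830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C880C8,?,00000000,?,?), ref: 00C88322
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C69355
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00C6924D
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00C692D0
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C681CA
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C95C08
"""

# One report line: optional "Part of subcall function <addr>:" prefix, then
# Api.MODULE(arg,arg,...), ref: <addr>. Arguments are unquoted in the report.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constant names from the Windows SDK headers (winuser.h, wininet.h).
WINDOW_MESSAGES = {
    0x0111: "WM_COMMAND",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x01A2: "LB_FINDSTRINGEXACT",
}
INTERNET_OPTIONS = {0x32: "INTERNET_OPTION_CONNECTED_STATE"}
MB_ICONS = {0x10: "MB_ICONERROR", 0x30: "MB_ICONWARNING", 0x40: "MB_ICONINFORMATION"}


@dataclass
class Arg:
    raw: str
    # None for "?" (not recovered), int for an 8-hex-digit immediate, str for
    # an inline string literal.
    value: Union[None, int, str]


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int
    caller: Optional[int] = None  # set for "Part of subcall function" lines


def parse_arg(raw: str) -> Arg:
    raw = raw.strip()
    if raw == "?":
        return Arg(raw, None)
    if HEX32_RE.match(raw):
        return Arg(raw, int(raw, 16))
    # Caveat: strings are unquoted in the report, so an 8-hex-character string
    # or a string containing a comma would be misread by this parser.
    return Arg(raw, raw)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    caller = int(m["caller"], 16) if m["caller"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller)


def parse_apis(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def annotate(call: ApiCall) -> List[str]:
    """Decode the argument positions whose raw numbers hide the intent."""
    a, notes = call.args, []  # type: List[Arg], List[str]
    if call.api in ("SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"):
        if len(a) > 1 and isinstance(a[1].value, int):  # uMsg
            notes.append(f"uMsg 0x{a[1].value:X} = {WINDOW_MESSAGES.get(a[1].value, 'unknown')}")
    elif call.api.startswith("InternetSetOption"):
        if len(a) > 3 and isinstance(a[1].value, int):  # dwOption, dwBufferLength
            notes.append(f"dwOption {a[1].value} = {INTERNET_OPTIONS.get(a[1].value, 'unknown')}, "
                         f"dwBufferLength = {a[3].value}")
    elif call.api.startswith("MessageBox"):
        if len(a) > 3 and isinstance(a[3].value, int):  # uType: icon bits are 0xF0
            notes.append(f"uType 0x{a[3].value:X} = {MB_ICONS.get(a[3].value & 0xF0, 'no icon')}")
    return notes


def summarize(text: str) -> List[str]:
    """One line per call: ref address, caller if any, API and decoded notes."""
    out = []
    for c in parse_apis(text):
        via = f" (via {c.caller:08X})" if c.caller is not None else ""
        out.append(f"{c.ref:08X} {c.api}.{c.module}{via}: " + ("; ".join(annotate(c)) or "-"))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Running it over the eight sample lines prints one decoded line per call; feed it the "APIs" blocks of any other entry in this report to get the same view, and extend the constant tables as new message or option numbers appear.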