Windows Analysis Report
SWH_67367383992_939930039003___________________________.exe

Overview

General Information

Sample name: SWH_67367383992_939930039003___________________________.exe
Analysis ID: 1430155
MD5: 5705caf18efe32863c38f4d50ec88cc1
SHA1: 15c23f1618bef4336b98212acb97136fbfb67c36
SHA256: 301a02cc0eb727a274bb807cb64022861b228129709070739721c9a4548918ea
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SWH_67367383992_939930039003___________________________.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe" MD5: 5705CAF18EFE32863C38F4D50EC88CC1)
    • RegSvcs.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "absach@worlorderbillions.top", "Password": "@qwerty90123        "}
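The extracted SMTP configuration is the most directly actionable artefact in this report: it names the mail server, submission port and mailbox the stealer is built to log in to (the sandbox run itself recorded no network traffic, so the matching below is against constructed telemetry). The Python below is an added example, not Joe Sandbox code: it parses the configuration string exactly as printed above, derives host, domain and port indicators from it, and matches them against constructed Sysmon-style DNS (EventID 22) and network-connection (EventID 3) records. The sample events and the set of injection-target images are assumptions made for the example.

```python
import json
from dataclasses import dataclass

# Configuration string exactly as the report's Malware Configuration Extractor prints it. The trailing
# whitespace in the password is kept on purpose: it is part of what the sample sends to the mail server.
EXTRACTED_CONFIG = (
    '{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", '
    '"Username": "absach@worlorderbillions.top", "Password": "@qwerty90123        "}'
)

# Hollowed host process from the report's process tree. Assumption: the only injection target watched here.
INJECTION_TARGETS = {"regsvcs.exe"}


@dataclass(frozen=True)
class Indicators:
    exfil_mode: str
    host: str      # mail server the stealer would log in to
    port: int
    domain: str    # mailbox domain; any DNS lookup under it is suspicious on a workstation
    username: str


def parse_config(raw: str) -> Indicators:
    cfg = json.loads(raw)
    return Indicators(
        exfil_mode=cfg["Exfil Mode"].upper(),
        host=cfg["Host"].strip().lower(),
        port=int(cfg["Port"]),
        domain=cfg["Username"].split("@", 1)[1].strip().lower(),
        username=cfg["Username"].strip().lower(),
    )


def under_domain(name: str, domain: str) -> bool:
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def match_events(ind: Indicators, events: list[dict]) -> list[tuple[str, dict]]:
    """Pair each Sysmon-style event that touches the exfil infrastructure with the reason it matched."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if ev["EventID"] == 22 and under_domain(ev["QueryName"], ind.domain):
            hits.append(("dns lookup of exfil domain", ev))
        elif ev["EventID"] == 3:
            dest = ev.get("DestinationHostname", "")
            if dest.lower() == ind.host or under_domain(dest, ind.domain):
                hits.append(("connection to exfil host", ev))
            elif ev["DestinationPort"] == ind.port and image in INJECTION_TARGETS:
                # SMTP submission from a .NET framework utility has no legitimate use.
                hits.append((f"port {ind.port} from hollowed {image}", ev))
    return hits


# Constructed sample telemetry (not from the report): three malicious events and two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "QueryName": "mail.worlorderbillions.top"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationHostname": "mail.worlorderbillions.top", "DestinationPort": 587},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "DestinationHostname": "203.0.113.7", "DestinationPort": 587},   # no name resolved, still 587 from RegSvcs
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "DestinationHostname": "smtp.example.org", "DestinationPort": 587},  # legitimate mail client
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.example.org"},
]

if __name__ == "__main__":
    indicators = parse_config(EXTRACTED_CONFIG)
    for reason, event in match_events(indicators, SAMPLE_EVENTS):
        print(f"{reason}: {event}")
```

The port-only rule is deliberately scoped to the injection-target images: port 587 from a real mail client is normal, port 587 from RegSvcs.exe is not, and the image check is what keeps the rule quiet on a fleet where users run Outlook or Thunderbird.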
Yara matches, rule JoeSecurity_AgentTesla_2 (Yara detected AgentTesla, author Joe Security):
  • Memory dump: 00000002.00000002.2541569784.0000000000402000.00000040.80000000.00040000.00000000.sdmp
  • Memory dump: 00000000.00000002.1313737163.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp
  • Unpacked PE: 2.2.RegSvcs.exe.400000.0.unpack
  • Unpacked PE: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack
  • Unpacked PE: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.unpack

            System Summary

Sigma rule match: Suspicious Double Extension File Execution (authors: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)). Source: process started. Data: Command: "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe", CommandLine: "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe, NewProcessName: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe, OriginalFileName: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe", ProcessId: 7436, ProcessName: SWH_67367383992_939930039003___________________________.exe
            No Snort rule has matched
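Two things in this report are visible in plain process-creation telemetry without any sandbox: the process tree, where an AutoIt-compiled loader spawns RegSvcs.exe that carries the loader's own command line (the footprint of a suspended CreateProcess followed by hollowing), and the Sigma hit on a file name whose run of underscores pushes ".exe" out of view. The Python below is an added example, not Joe Sandbox or Sigma code: it runs those checks over constructed Sysmon-style EventID 1 records modelled on this report. The padding threshold, the double-extension list, the set of framework utilities and the trusted parent directories are my own assumptions; the Sigma rule's exact patterns are not reproduced on this page.

```python
import re

# Long runs of spaces or underscores before ".exe" push the real extension out of an Explorer column
# or an e-mail attachment list. Threshold of six is an assumption for this example.
PADDED_NAME = re.compile(r"(?:_{6,}| {6,})\.exe$", re.IGNORECASE)
# A document-looking extension followed by ".exe" (the classic double extension). List is an assumption.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|rtf|txt|jpe?g|png)\.exe$", re.IGNORECASE)
# .NET framework utilities used as hollowing targets; the report shows RegSvcs.exe.
FRAMEWORK_UTILS = {"regsvcs.exe"}
# Parents under these paths are treated as trusted launchers (assumption).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline: str) -> str:
    """Executable path as written at the start of a Windows command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def analyse(event: dict) -> list[str]:
    """Return the reasons one process-creation event looks like this report's loader or hollowed host."""
    findings = []
    name = basename(event["Image"])
    if PADDED_NAME.search(name):
        findings.append("file name padded to hide the .exe extension")
    if DOUBLE_EXT.search(name):
        findings.append("double extension")
    claimed = basename(first_token(event.get("CommandLine", "")))
    if claimed and claimed != name:
        # The hollowed RegSvcs.exe in the report keeps the loader's command line: the image on disk and
        # the executable named on the command line disagree.
        findings.append(f"command line names {claimed} but image is {name}")
    parent = event.get("ParentImage", "").lower()
    if name in FRAMEWORK_UTILS and not parent.startswith(TRUSTED_PARENT_DIRS):
        findings.append(f"{name} launched by {basename(parent)} from outside Windows or Program Files")
    return findings


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    out = []
    for ev in events:
        hits = analyse(ev)
        if hits:
            out.append((basename(ev["Image"]), hits))
    return out


# Constructed Sysmon-style EventID 1 records: the first two mirror the report's process tree,
# the last two are benign controls (a real RegSvcs.exe invocation and an ordinary notepad launch).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe",
     "CommandLine": r'"C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"',
     "ParentImage": r"C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u C:\Build\Component.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The command-line/image mismatch is the check worth keeping in production: it does not depend on the file name trick and fires on any hollowed host that inherits its parent's command line, whereas the padding regex only catches this particular lure.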


            AV Detection

Source: SWH_67367383992_939930039003___________________________.exe.7436.0.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "absach@worlorderbillions.top", "Password": "@qwerty90123 "}
Source: SWH_67367383992_939930039003___________________________.exe | ReversingLabs: Detection: 36%
Source: SWH_67367383992_939930039003___________________________.exe | Virustotal: Detection: 28%
Source: SWH_67367383992_939930039003___________________________.exe | Joe Sandbox ML: detected
Source: SWH_67367383992_939930039003___________________________.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: wntdll.pdbUGP source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1306041945.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1310743975.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1306041945.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1310743975.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003A4696: GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AC93C: FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AC9C7: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AF200: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AF35D: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AF65E: FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003A3A2B: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003A3D4E: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003ABF27: FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003B25E2: InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003B425A: OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003B4458: OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003A0219: GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003CCDAC: DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            System Summary

Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00343B4C: This is a third-party compiled AutoIt script.
Source: SWH_67367383992_939930039003___________________________.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_3cf0a5df-3)
Source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_f98f09fd-2)
Source: SWH_67367383992_939930039003___________________________.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_18136637-4)
Source: SWH_67367383992_939930039003___________________________.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_087411c6-0)
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003A4021: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00398858: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003A545F: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0034E800
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0036DBB5
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0034E060
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003C804A
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00354140
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00362405
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00376522
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0034C5B1
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0037267E
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003C0665
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0036283A
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00356843
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003789DF
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00358A0E
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00376A94
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003C0AE2
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003A8B13
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0039EB07
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0036CD61
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00377006
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0035710E
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00353190
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00341287
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003633C7
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0036F419
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00355680
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003616C4
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003678D3
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003558C0
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00361BB8
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00379D05
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0034FE40
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_0036BFE6
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00361FD0
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_03AD3660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_02F2D048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_02F24110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_02F295D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_02F29DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_02F24D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_02F24458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_06590040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_06593268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 2_2_06591918
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function: String function: 00360D27 appears 70 times
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function: String function: 00368B40 appears 42 times
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function: String function: 00347F41 appears 35 times
Source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1310743975.0000000003E0D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SWH_67367383992_939930039003___________________________.exe
Source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1306041945.0000000003C33000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SWH_67367383992_939930039003___________________________.exe
Source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000002.1313737163.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee98985aa-1a0a-4027-b0e4-a37605f1db47.exe4 vs SWH_67367383992_939930039003___________________________.exe
Source: SWH_67367383992_939930039003___________________________.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AA2D5: GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00398713: AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00398CC3: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AB59E: SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003BF121: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_003AC602: CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Code function 0_2_00344FE9: CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | File created: C:\Users\user\AppData\Local\Temp\aut9DC1.tmp
Source: SWH_67367383992_939930039003___________________________.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.2542476489.0000000003147000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2542476489.0000000003133000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SWH_67367383992_939930039003___________________________.exe | ReversingLabs: Detection: 36%
Source: SWH_67367383992_939930039003___________________________.exe | Virustotal: Detection: 28%
Source: unknown | Process created: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"
Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe | Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SWH_67367383992_939930039003___________________________.exe | Static file information: File size 1088000 > 1048576
Source: SWH_67367383992_939930039003___________________________.exe | Static PE information: data directory types: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT, IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wntdll.pdbUGP source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1306041945.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1310743975.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1306041945.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, SWH_67367383992_939930039003___________________________.exe, 00000000.00000003.1310743975.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp
            Source: SWH_67367383992_939930039003___________________________.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SWH_67367383992_939930039003___________________________.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SWH_67367383992_939930039003___________________________.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SWH_67367383992_939930039003___________________________.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SWH_67367383992_939930039003___________________________.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exeCode function: 0_2_003BC304 LoadLibraryA,GetProcAddress,0_2_003BC304
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exeCode function: 0_2_0034C590 push eax; retn 0034h0_2_0034C599
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exeCode function: 0_2_00368B85 push ecx; ret 0_2_00368B98
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exeCode function: 0_2_00344A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00344A35
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exeCode function: 0_2_003C55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_003C55FD
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exeCode function: 0_2_003633C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003633C7
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe API coverage: 4.9 %
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003A4696 GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003AC93C FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00344AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe API call chain: ExitProcess graph end node graph_0-97837
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe API call chain: ExitProcess graph end node graph_0-97765
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003B41FD BlockInput
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00343B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00375CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003BC304 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_03AD3550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_03AD34F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_03AD1ED0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_0036A364 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_0036A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FF8008
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00398C93 LogonUserW
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00343B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00344A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003A4EF5 mouse_event
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003A4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_0036886B cpuid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00382230 GetUserNameW
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_0037418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_00344AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000002.00000002.2541569784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1313737163.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: WIN_81
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: WIN_XP
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: WIN_XPe
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: WIN_VISTA
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: WIN_7
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: WIN_8
            Source: SWH_67367383992_939930039003___________________________.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.SWH_67367383992_939930039003___________________________.exe.3ae0000.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000002.00000002.2541569784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.1313737163.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003B6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe Code function: 0_2_003B6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK Matrix
            Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
            Techniques flagged for this sample: Valid Accounts, Windows Management Instrumentation, DLL Side-Loading, Exploitation for Privilege Escalation, Disable or Modify Tools, OS Credential Dumping, System Time Discovery, Archive Collected Data, Ingress Tool Transfer, System Shutdown/Reboot, Native API, Deobfuscate/Decode Files or Information, Input Capture, Account Discovery, Data from Local System, Encrypted Channel, Obfuscated Files or Information, File and Directory Discovery, Email Collection, Access Token Manipulation, System Information Discovery, Process Injection, Security Software Discovery, Clipboard Data, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, System Owner/User Discovery.

            Source | Detection | Scanner | Label
            SWH_67367383992_939930039003___________________________.exe | 37% | ReversingLabs | Win32.Trojan.Strab
            SWH_67367383992_939930039003___________________________.exe | 29% | Virustotal |
            SWH_67367383992_939930039003___________________________.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No contacted domains info
            No contacted IP infos
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1430155
            Start date and time:2024-04-23 08:27:03 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 44s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:SWH_67367383992_939930039003___________________________.exe
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@3/4@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 59
            • Number of non-executed functions: 279
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing disassembly code.
            No simulations
            No context
            Process:C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe
            File Type:ASCII text, with very long lines (28720), with no line terminators
            Category:dropped
            Size (bytes):28720
            Entropy (8bit):3.596093281709681
            Encrypted:false
            SSDEEP:768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6k:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rr
            MD5:94D5EC66270B78A564BBA1937752D605
            SHA1:F3903224F3CCB6AC786FD27F5CDC6837BD64494F
            SHA-256:95908B77AF81839768C61BE99FBF1F08DB6A5194160399B65DB71F81357CD910
            SHA-512:FC1B8E0A212283CD6FE0B2934FCBEC8AE21D0BF35A58E75174F9C1FEEED416313C7363582EAF114B41B911EEA01AC5CB7B429114C554ECCF88C41D5851C403F5
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe
            File Type:data
            Category:dropped
            Size (bytes):131740
            Entropy (8bit):7.953694703219389
            Encrypted:false
            SSDEEP:3072:50urX1FB01vsqkSAQcwJSZ37MoKGZbHL5yuRMOaEy:508FpSAQcf37MoKIHLy
            MD5:D8DDFEC4895A1AFD5BA4B45AD6DC3C1A
            SHA1:1153EFF5ADA0C63D6E94C5762A78C814BEE82DFB
            SHA-256:B7A12F888E6348F195D3CBCB93783411C414FF80848BCE23A7A87365654B35C5
            SHA-512:0427CE6F9510EAD8894C7A935852C9D1FB647E85A2A211881563766457ED97603306783E437088179483A038F2BCACCA7A1F809961CF065705FC2C889E8E7C7A
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe
            File Type:data
            Category:dropped
            Size (bytes):9890
            Entropy (8bit):7.5891245600735395
            Encrypted:false
            SSDEEP:192:C+cK50L02Jtyl2ftvwmziMVC6baopzBvq5uMppDKSzLrOOIDqQE+W+hoU:h750LRJtyl2ftLCghBmLzK6XOTD2bYj
            MD5:9FB9E79816D8DCCA8B7EC18F97339BB5
            SHA1:E70E9EF6AE6748A2B3DE88A91E83955209F0EE56
            SHA-256:F69573601FB2B5AD628000DDBDF124C1BCF6A9EFD255A5BC193D8FD76AB03F03
            SHA-512:4E70810B7471114977F60E6A0265456FB94FDC4E5CD67B3810CC300A890C48A793EBD38A1B95F448DE529F0A0007133699A8E310ECE3DA9901BAAD8D4180251B
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe
            File Type:data
            Category:dropped
            Size (bytes):167936
            Entropy (8bit):7.078841172954385
            Encrypted:false
            SSDEEP:3072:OHHq6JvdTu6ypl+zoZc29+LLRx4agve6VBjMCSNrzn4r1Yoi+HIaVsBwebwI:Oq63ThyH+zoD9+LEtvNszNQWoQwA
            MD5:58B3720971BCF55E7378C69C7D9BFCAF
            SHA1:FA5F40D5D51740ADC0CC261532C0A5F86B37221B
            SHA-256:A7BD1F2C1BA2211EBDAB578A13721B5F750C6172B7047D4C31AFDBF4BC2807D3
            SHA-512:1CDEEA32B229AD260589F0A4C1DB97E4A6E212114BDD16201A416E03A3FA7A02D8986954E11F407CA38E8DD3B7938362B7287AAC2B9E3345C0B5FA07005D6AEE
            Malicious:false
            Reputation:low
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.950287785416799
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SWH_67367383992_939930039003___________________________.exe
            File size:1'088'000 bytes
            MD5:5705caf18efe32863c38f4d50ec88cc1
            SHA1:15c23f1618bef4336b98212acb97136fbfb67c36
            SHA256:301a02cc0eb727a274bb807cb64022861b228129709070739721c9a4548918ea
            SHA512:e8820c21811ce415f307052a71a2a9b5ff6c50e5913d3b2c0428d55675d41ed52d96ec86f6ac4b9c1ca503d79f18f964819bdb2b9c9a9699ec14fb24b10ad069
            SSDEEP:24576:OAHnh+eWsN3skA4RV1Hom2KXMmHaOe+lzye5:5h+ZkldoPK8YaOf
            TLSH:EA359E2267919032FFEAD1735B59F202467C6D1CC127A43F12E82E756EB2B73132E616
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
            Icon Hash:0b03084c4e4e0383
            Entrypoint:0x42800a
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x662694ED [Mon Apr 22 16:48:45 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7
            Instruction
            call 00007FF5B4D2A82Dh
            jmp 00007FF5B4D1D5E4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007FF5B4D1D76Ah
            cmp edi, eax
            jc 00007FF5B4D1DACEh
            bt dword ptr [004C41FCh], 01h
            jnc 00007FF5B4D1D769h
            rep movsb
            jmp 00007FF5B4D1DA7Ch
            cmp ecx, 00000080h
            jc 00007FF5B4D1D934h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007FF5B4D1D770h
            bt dword ptr [004BF324h], 01h
            jc 00007FF5B4D1DC40h
            bt dword ptr [004C41FCh], 00000000h
            jnc 00007FF5B4D1D90Dh
            test edi, 00000003h
            jne 00007FF5B4D1D91Eh
            test esi, 00000003h
            jne 00007FF5B4D1D8FDh
            bt edi, 02h
            jnc 00007FF5B4D1D76Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007FF5B4D1D773h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007FF5B4D1D7C5h
            bt esi, 03h
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD5 build 40629
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD5 build 40629
            Name                                 | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xbc0cc         | 0x17c        | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc8000         | 0x3f3ac      | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x108000        | 0x7134       | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x92bc0         | 0x1c         | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xa4b50         | 0x40         | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_IAT            | 0x8f000         | 0x884        | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
            Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
            .text  | 0x1000          | 0x8dfdd      | 0x8e000  | 310e36668512d53489c005622bb1b4a9 | False    | 0.5735602580325704  | data      | 6.675248351711057  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8f000         | 0x2fd8e      | 0x2fe00  | 748cf1ab2605ce1fd72d53d912abb68f | False    | 0.32828818537859006 | data      | 5.763244005758284  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data  | 0xbf000         | 0x8f74       | 0x5200   | aae9601d920f07080bdfadf43dfeff12 | False    | 0.1017530487804878  | data      | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc  | 0xc8000         | 0x3f3ac      | 0x3f400  | e7faa09e7172fb427557a8ba6efdfaf0 | False    | 0.724705873270751   | data      | 7.506781707847923  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x108000        | 0x7134       | 0x7200   | f04128ad0f87f42830e4a6cdbc38c719 | False    | 0.7617530153508771  | data      | 6.783955557128661  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name          | RVA      | Size    | Type                                                                                                   | Language | Country       | ZLIB Complexity
            RT_ICON       | 0xc8458  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                                         | English  | Great Britain | 0.7466216216216216
            RT_ICON       | 0xc8580  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors                    | English  | Great Britain | 0.3277027027027027
            RT_ICON       | 0xc86a8  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                                         | English  | Great Britain | 0.3885135135135135
            RT_ICON       | 0xc87d0  | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m     | English  | Great Britain | 0.06374955637051934
            RT_MENU       | 0xd8ff8  | 0x50    | data                                                                                                   | English  | Great Britain | 0.9
            RT_STRING     | 0xd9048  | 0x594   | data                                                                                                   | English  | Great Britain | 0.3333333333333333
            RT_STRING     | 0xd95dc  | 0x68a   | data                                                                                                   | English  | Great Britain | 0.2747909199522103
            RT_STRING     | 0xd9c68  | 0x490   | data                                                                                                   | English  | Great Britain | 0.3715753424657534
            RT_STRING     | 0xda0f8  | 0x5fc   | data                                                                                                   | English  | Great Britain | 0.3087467362924282
            RT_STRING     | 0xda6f4  | 0x65c   | data                                                                                                   | English  | Great Britain | 0.34336609336609336
            RT_STRING     | 0xdad50  | 0x466   | data                                                                                                   | English  | Great Britain | 0.3605683836589698
            RT_STRING     | 0xdb1b8  | 0x158   | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                                       | English  | Great Britain | 0.502906976744186
            RT_RCDATA     | 0xdb310  | 0x2bb4e | data                                                                                                   |          |               | 1.0003407402442157
            RT_GROUP_ICON | 0x106e60 | 0x14    | data                                                                                                   | English  | Great Britain | 1.25
            RT_GROUP_ICON | 0x106e74 | 0x14    | data                                                                                                   | English  | Great Britain | 1.25
            RT_GROUP_ICON | 0x106e88 | 0x14    | data                                                                                                   | English  | Great Britain | 1.15
            RT_GROUP_ICON | 0x106e9c | 0x14    | data                                                                                                   | English  | Great Britain | 1.25
            RT_VERSION    | 0x106eb0 | 0x10c   | data                                                                                                   | English  | Great Britain | 0.5970149253731343
            RT_MANIFEST   | 0x106fbc | 0x3ef   | ASCII text, with CRLF line terminators                                                                 | English  | Great Britain | 0.5074478649453823
            DLL | Import
            WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
            Language of compilation system | Country where language is spoken | Map
            English                        | Great Britain                    |
            No network behavior found

            Target ID:0
            Start time:08:27:50
            Start date:23/04/2024
            Path:C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"
            Imagebase:0x340000
            File size:1'088'000 bytes
            MD5 hash:5705CAF18EFE32863C38F4D50EC88CC1
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1313737163.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:08:27:50
            Start date:23/04/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SWH_67367383992_939930039003___________________________.exe"
            Imagebase:0xd90000
            File size:45'984 bytes
            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.2541569784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:false


              Execution Graph

              Execution Coverage:4.1%
              Dynamic/Decrypted Code Coverage:0.4%
              Signature Coverage:4.5%
              Total number of Nodes:2000
              Total number of Limit Nodes:41
98031->98033 98032->97905 98529 3a3c66 63 API calls Mailbox 98033->98529 98035 3ad3bb Mailbox 98035->98017 98037 349bf8 59 API calls 98036->98037 98038 35213b 98037->98038 98040 360ff6 Mailbox 59 API calls 98038->98040 98042 3869af 98038->98042 98041 352154 98040->98041 98043 352164 98041->98043 98613 345906 60 API calls Mailbox 98041->98613 98055 352189 98042->98055 98617 3af7df 59 API calls 98042->98617 98045 349997 84 API calls 98043->98045 98047 352172 98045->98047 98049 345956 67 API calls 98047->98049 98048 3869f7 98050 352196 98048->98050 98051 3869ff 98048->98051 98052 352181 98049->98052 98053 345e3f 2 API calls 98050->98053 98619 349c9c 59 API calls 98051->98619 98052->98042 98052->98055 98616 345a1a CloseHandle 98052->98616 98057 35219d 98053->98057 98055->98050 98618 349c9c 59 API calls 98055->98618 98058 3521b7 98057->98058 98059 386a11 98057->98059 98060 3477c7 59 API calls 98058->98060 98061 360ff6 Mailbox 59 API calls 98059->98061 98062 3521bf 98060->98062 98063 386a17 98061->98063 98598 3456d2 98062->98598 98065 386a2b 98063->98065 98620 3459b0 ReadFile SetFilePointerEx 98063->98620 98070 386a2f _memmove 98065->98070 98621 3a794e 59 API calls 2 library calls 98065->98621 98067 3521ce 98067->98070 98614 349b9c 59 API calls Mailbox 98067->98614 98071 3521e2 Mailbox 98072 35221c 98071->98072 98073 345dcf CloseHandle 98071->98073 98072->97905 98074 352210 98073->98074 98074->98072 98615 345a1a CloseHandle 98074->98615 98077 3477c7 59 API calls 98076->98077 98078 3bc608 98077->98078 98079 3477c7 59 API calls 98078->98079 98080 3bc610 98079->98080 98081 3477c7 59 API calls 98080->98081 98082 3bc618 98081->98082 98083 349997 84 API calls 98082->98083 98106 3bc626 98083->98106 98084 347d2c 59 API calls 98084->98106 98085 3bc80f 98086 3bc83c Mailbox 98085->98086 98665 349b9c 59 API calls Mailbox 98085->98665 98086->97862 98087 3bc7f6 98658 347e0b 98087->98658 98089 347a84 59 API calls 98089->98106 98090 3bc811 98093 347e0b 59 API calls 98090->98093 98091 
3481a7 59 API calls 98091->98106 98095 3bc820 98093->98095 98098 347c8e 59 API calls 98095->98098 98096 347faf 59 API calls 98100 3bc6bd CharUpperBuffW 98096->98100 98097 347c8e 59 API calls 98097->98085 98098->98085 98099 347faf 59 API calls 98101 3bc77d CharUpperBuffW 98099->98101 98645 34859a 68 API calls 98100->98645 98646 34c707 98101->98646 98104 349997 84 API calls 98104->98106 98105 347c8e 59 API calls 98105->98106 98106->98084 98106->98085 98106->98086 98106->98087 98106->98089 98106->98090 98106->98091 98106->98096 98106->98099 98106->98104 98106->98105 98107 347e0b 59 API calls 98106->98107 98107->98106 98109 3a7bec 98108->98109 98110 360ff6 Mailbox 59 API calls 98109->98110 98111 3a7bfa 98110->98111 98112 3a7c08 98111->98112 98113 3477c7 59 API calls 98111->98113 98112->97862 98113->98112 98115 347f50 __wsetenvp _memmove 98114->98115 98116 360ff6 Mailbox 59 API calls 98115->98116 98117 347f8e 98116->98117 98117->97862 98119 3bbfab 98118->98119 98120 3bbfc5 98118->98120 98673 3aa0b5 89 API calls 4 library calls 98119->98673 98674 3ba528 59 API calls Mailbox 98120->98674 98123 3bbfd0 98124 34a000 330 API calls 98123->98124 98126 3bc031 98124->98126 98125 3bbfbd Mailbox 98125->97862 98126->98125 98127 3bc0c3 98126->98127 98131 3bc072 98126->98131 98128 3bc119 98127->98128 98129 3bc0c9 98127->98129 98128->98125 98130 349997 84 API calls 98128->98130 98695 3a7ba4 59 API calls 98129->98695 98132 3bc12b 98130->98132 98675 3a7581 59 API calls Mailbox 98131->98675 98135 347faf 59 API calls 98132->98135 98139 3bc14f CharUpperBuffW 98135->98139 98136 3bc0ec 98696 345ea1 59 API calls Mailbox 98136->98696 98138 3bc0a2 98676 34f5c0 98138->98676 98142 3bc169 98139->98142 98140 3bc0f4 Mailbox 98697 34fe40 331 API calls 2 library calls 98140->98697 98143 3bc1bc 98142->98143 98144 3bc170 98142->98144 98146 349997 84 API calls 98143->98146 98698 3a7581 59 API calls Mailbox 98144->98698 98147 3bc1c4 98146->98147 98699 349fbd 60 API calls 98147->98699 98150 3bc19e 98151 
34f5c0 330 API calls 98150->98151 98151->98125 98152 3bc1ce 98152->98125 98153 349997 84 API calls 98152->98153 98154 3bc1e9 98153->98154 98700 345ea1 59 API calls Mailbox 98154->98700 98156 3bc1f9 98701 34fe40 331 API calls 2 library calls 98156->98701 99784 396636 98158->99784 98160 396702 98160->97862 98161->97864 98162->97864 98163->97905 98164->97900 98165->97889 98166->97860 98167->97862 98168->97862 98169->97862 98170->97905 98171->97879 98173 3481b2 98172->98173 98174 3481ba 98172->98174 98175 3480d7 59 API calls 98173->98175 98174->97867 98175->98174 98176->97896 98177->97896 98178->97896 98179->97867 98180->97869 98181->97867 98182->97929 98183->97929 98184->97930 98185->97931 98186->97934 98187->97931 98226 349997 98188->98226 98192 3bd0cd 98193 3bd242 98192->98193 98197 3bd0db 98192->98197 98294 3bdbdc 92 API calls Mailbox 98193->98294 98196 3bd251 98196->98197 98198 3bd25d 98196->98198 98257 3bcc82 98197->98257 98213 3bce75 Mailbox 98198->98213 98199 349997 84 API calls 98214 3bcec6 Mailbox 98199->98214 98204 3bd114 98272 360e48 98204->98272 98207 3bd12e 98278 3aa0b5 89 API calls 4 library calls 98207->98278 98208 3bd147 98279 34942e 98208->98279 98211 3bd139 GetCurrentProcess TerminateProcess 98211->98208 98213->97938 98214->98192 98214->98199 98214->98213 98276 3af835 59 API calls 2 library calls 98214->98276 98277 3bd2f3 61 API calls 2 library calls 98214->98277 98218 3bd2b8 98218->98213 98221 3bd2cc FreeLibrary 98218->98221 98219 3bd17f 98291 3bd95d 107 API calls _free 98219->98291 98221->98213 98225 3bd190 98225->98218 98292 348ea0 59 API calls Mailbox 98225->98292 98293 349e9c 60 API calls Mailbox 98225->98293 98295 3bd95d 107 API calls _free 98225->98295 98227 3499b1 98226->98227 98228 3499ab 98226->98228 98229 37f9fc __i64tow 98227->98229 98230 3499f9 98227->98230 98232 3499b7 __itow 98227->98232 98235 37f903 98227->98235 98228->98213 98244 3bdab9 98228->98244 98296 3638d8 83 API calls 3 library calls 98230->98296 98234 360ff6 Mailbox 59 API 
calls 98232->98234 98236 3499d1 98234->98236 98237 37f97b Mailbox _wcscpy 98235->98237 98238 360ff6 Mailbox 59 API calls 98235->98238 98236->98228 98239 347f41 59 API calls 98236->98239 98297 3638d8 83 API calls 3 library calls 98237->98297 98240 37f948 98238->98240 98239->98228 98241 360ff6 Mailbox 59 API calls 98240->98241 98242 37f96e 98241->98242 98242->98237 98243 347f41 59 API calls 98242->98243 98243->98237 98298 347faf 98244->98298 98246 3bdad4 CharLowerBuffW 98302 39f658 98246->98302 98250 3477c7 59 API calls 98251 3bdb0d 98250->98251 98309 3479ab 98251->98309 98253 3bdb24 98322 347e8c 98253->98322 98254 3bdb6c Mailbox 98254->98214 98256 3bdb30 Mailbox 98256->98254 98326 3bd2f3 61 API calls 2 library calls 98256->98326 98258 3bcc9d 98257->98258 98259 3bccf2 98257->98259 98260 360ff6 Mailbox 59 API calls 98258->98260 98263 3bdd64 98259->98263 98262 3bccbf 98260->98262 98261 360ff6 Mailbox 59 API calls 98261->98262 98262->98259 98262->98261 98264 3bdf8d Mailbox 98263->98264 98271 3bdd87 _strcat _wcscpy __wsetenvp 98263->98271 98264->98204 98265 349d46 59 API calls 98265->98271 98266 349c9c 59 API calls 98266->98271 98267 349cf8 59 API calls 98267->98271 98268 349997 84 API calls 98268->98271 98269 36594c 58 API calls __malloc_crt 98269->98271 98271->98264 98271->98265 98271->98266 98271->98267 98271->98268 98271->98269 98336 3a5b29 61 API calls 2 library calls 98271->98336 98274 360e5d 98272->98274 98273 360ef5 VirtualAlloc 98275 360ec3 98273->98275 98274->98273 98274->98275 98275->98207 98275->98208 98276->98214 98277->98214 98278->98211 98280 349436 98279->98280 98281 360ff6 Mailbox 59 API calls 98280->98281 98282 349444 98281->98282 98283 349450 98282->98283 98337 34935c 59 API calls Mailbox 98282->98337 98285 3491b0 98283->98285 98338 3492c0 98285->98338 98287 3491bf 98288 360ff6 Mailbox 59 API calls 98287->98288 98289 34925b 98287->98289 98288->98289 98289->98225 98290 348ea0 59 API calls Mailbox 98289->98290 98290->98219 98291->98225 98292->98225 
98293->98225 98294->98196 98295->98225 98296->98232 98297->98229 98299 347fc2 98298->98299 98301 347fbf _memmove 98298->98301 98300 360ff6 Mailbox 59 API calls 98299->98300 98300->98301 98301->98246 98304 39f683 __wsetenvp 98302->98304 98303 39f6c2 98303->98250 98303->98256 98304->98303 98305 39f769 98304->98305 98308 39f6b8 98304->98308 98305->98303 98328 347a24 61 API calls 98305->98328 98308->98303 98327 347a24 61 API calls 98308->98327 98310 347a17 98309->98310 98311 3479ba 98309->98311 98312 347e8c 59 API calls 98310->98312 98311->98310 98313 3479c5 98311->98313 98318 3479e8 _memmove 98312->98318 98314 3479e0 98313->98314 98315 37ef32 98313->98315 98329 348087 98314->98329 98333 348189 98315->98333 98318->98253 98319 37ef3c 98320 360ff6 Mailbox 59 API calls 98319->98320 98321 37ef5c 98320->98321 98323 347ea3 _memmove 98322->98323 98324 347e9a 98322->98324 98323->98256 98324->98323 98325 347faf 59 API calls 98324->98325 98325->98323 98326->98254 98327->98308 98328->98305 98330 34809f 98329->98330 98331 348099 98329->98331 98332 360ff6 Mailbox 59 API calls 98330->98332 98331->98318 98332->98331 98334 360ff6 Mailbox 59 API calls 98333->98334 98335 348193 98334->98335 98335->98319 98336->98271 98337->98283 98339 3492c9 Mailbox 98338->98339 98340 37f5c8 98339->98340 98345 3492d3 98339->98345 98341 360ff6 Mailbox 59 API calls 98340->98341 98343 37f5d4 98341->98343 98342 3492da 98342->98287 98345->98342 98346 349df0 59 API calls Mailbox 98345->98346 98346->98345 98386 347b76 98347->98386 98349 3465ca 98393 34766f 98349->98393 98351 3465e4 Mailbox 98351->97946 98354 34766f 59 API calls 98368 3463c5 98354->98368 98355 37e41f 98403 39fdba 91 API calls 4 library calls 98355->98403 98356 3468f9 98356->98351 98404 39fdba 91 API calls 4 library calls 98356->98404 98360 347eec 59 API calls 98360->98368 98361 37e42d 98362 34766f 59 API calls 98361->98362 98363 37e443 98362->98363 98363->98351 98364 37e3bb 98365 348189 59 API calls 98364->98365 98367 37e3c6 98365->98367 98371 
360ff6 Mailbox 59 API calls 98367->98371 98368->98349 98368->98354 98368->98355 98368->98356 98368->98360 98368->98364 98369 347faf 59 API calls 98368->98369 98372 37e3eb _memmove 98368->98372 98391 3460cc 60 API calls 98368->98391 98392 345ea1 59 API calls Mailbox 98368->98392 98401 345fd2 60 API calls 98368->98401 98402 347a84 59 API calls 2 library calls 98368->98402 98370 34659b CharUpperBuffW 98369->98370 98370->98368 98371->98372 98372->98355 98372->98356 98374 37fbff 98373->98374 98375 349c08 98373->98375 98376 37fc10 98374->98376 98405 347d2c 98374->98405 98380 360ff6 Mailbox 59 API calls 98375->98380 98414 347eec 98376->98414 98379 37fc1a 98383 349c34 98379->98383 98384 3477c7 59 API calls 98379->98384 98381 349c1b 98380->98381 98381->98379 98382 349c26 98381->98382 98382->98383 98385 347f41 59 API calls 98382->98385 98383->97950 98384->98383 98385->98383 98387 360ff6 Mailbox 59 API calls 98386->98387 98388 347b9b 98387->98388 98389 348189 59 API calls 98388->98389 98390 347baa 98389->98390 98390->98368 98391->98368 98392->98368 98394 347682 _memmove 98393->98394 98395 34770f 98393->98395 98396 360ff6 Mailbox 59 API calls 98394->98396 98397 360ff6 Mailbox 59 API calls 98395->98397 98399 347689 98396->98399 98397->98394 98398 3476b2 98398->98351 98399->98398 98400 360ff6 Mailbox 59 API calls 98399->98400 98400->98398 98401->98368 98402->98368 98403->98361 98404->98351 98406 347da5 98405->98406 98407 347d38 __wsetenvp 98405->98407 98408 347e8c 59 API calls 98406->98408 98409 347d73 98407->98409 98410 347d4e 98407->98410 98413 347d56 _memmove 98408->98413 98412 348189 59 API calls 98409->98412 98411 348087 59 API calls 98410->98411 98411->98413 98412->98413 98413->98376 98415 347f06 98414->98415 98417 347ef9 98414->98417 98416 360ff6 Mailbox 59 API calls 98415->98416 98416->98417 98417->98379 98419 3480e7 98418->98419 98421 3480fa _memmove 98418->98421 98420 360ff6 Mailbox 59 API calls 98419->98420 98419->98421 98420->98421 98421->97979 98423 3477c7 59 API 
calls 98422->98423 98424 39f905 98423->98424 98425 347b76 59 API calls 98424->98425 98426 39f919 98425->98426 98427 39f658 61 API calls 98426->98427 98434 39f93b 98426->98434 98428 39f935 98427->98428 98430 3479ab 59 API calls 98428->98430 98428->98434 98429 39f658 61 API calls 98429->98434 98430->98434 98431 39f9b5 98433 3479ab 59 API calls 98431->98433 98432 3479ab 59 API calls 98432->98434 98435 39f9ce 98433->98435 98434->98429 98434->98431 98434->98432 98437 347c8e 59 API calls 98434->98437 98436 347c8e 59 API calls 98435->98436 98438 39f9da 98436->98438 98437->98434 98439 3480d7 59 API calls 98438->98439 98440 39f9e9 Mailbox 98438->98440 98439->98440 98440->97988 98441->97965 98443 37f094 98442->98443 98444 347ca0 98442->98444 98460 398123 59 API calls _memmove 98443->98460 98454 347bb1 98444->98454 98447 347cac 98447->97983 98448 37f09e 98449 3481a7 59 API calls 98448->98449 98450 37f0a6 Mailbox 98449->98450 98451->97972 98452->97973 98453->97985 98455 347be5 _memmove 98454->98455 98456 347bbf 98454->98456 98455->98447 98455->98455 98456->98455 98457 360ff6 Mailbox 59 API calls 98456->98457 98458 347c34 98457->98458 98459 360ff6 Mailbox 59 API calls 98458->98459 98459->98455 98460->98448 98534 345dcf 98461->98534 98465 3459a4 98465->98010 98465->98011 98466 345981 98466->98465 98546 345770 98466->98546 98468 345993 98563 3453db SetFilePointerEx SetFilePointerEx 98468->98563 98470 37e030 98564 3a3696 SetFilePointerEx SetFilePointerEx WriteFile 98470->98564 98471 34599a 98471->98465 98471->98470 98473 37e060 98473->98465 98474->97990 98476 3477c7 59 API calls 98475->98476 98477 34470f 98476->98477 98478 3477c7 59 API calls 98477->98478 98479 344717 98478->98479 98480 3477c7 59 API calls 98479->98480 98481 34471f 98480->98481 98482 3477c7 59 API calls 98481->98482 98483 344727 98482->98483 98484 37d8fb 98483->98484 98485 34475b 98483->98485 98486 3481a7 59 API calls 98484->98486 98487 3479ab 59 API calls 98485->98487 98488 37d904 98486->98488 98489 344769 
98487->98489 98490 347eec 59 API calls 98488->98490 98491 347e8c 59 API calls 98489->98491 98493 34479e 98490->98493 98492 344773 98491->98492 98492->98493 98494 3479ab 59 API calls 98492->98494 98496 3447bd 98493->98496 98510 37d924 98493->98510 98512 3447de 98493->98512 98497 344794 98494->98497 98495 3479ab 59 API calls 98498 3447ef 98495->98498 98590 347b52 98496->98590 98500 347e8c 59 API calls 98497->98500 98502 344801 98498->98502 98505 3481a7 59 API calls 98498->98505 98499 37d9f4 98503 347d2c 59 API calls 98499->98503 98500->98493 98506 344811 98502->98506 98507 3481a7 59 API calls 98502->98507 98521 37d9b1 98503->98521 98505->98502 98509 3481a7 59 API calls 98506->98509 98511 344818 98506->98511 98507->98506 98508 3479ab 59 API calls 98508->98512 98509->98511 98510->98499 98513 37d9dd 98510->98513 98520 37d95b 98510->98520 98514 3481a7 59 API calls 98511->98514 98523 34481f Mailbox 98511->98523 98512->98495 98513->98499 98515 37d9c8 98513->98515 98514->98523 98518 347d2c 59 API calls 98515->98518 98516 37d9b9 98517 347d2c 59 API calls 98516->98517 98517->98521 98518->98521 98519 347b52 59 API calls 98519->98521 98520->98516 98524 37d9a4 98520->98524 98521->98512 98521->98519 98593 347a84 59 API calls 2 library calls 98521->98593 98523->98009 98525 347d2c 59 API calls 98524->98525 98525->98521 98594 3a4696 GetFileAttributesW 98526->98594 98529->98035 98530->97993 98531->97997 98532->98032 98533->98032 98535 345de8 98534->98535 98536 345962 98534->98536 98535->98536 98537 345ded CloseHandle 98535->98537 98538 345df9 98536->98538 98537->98536 98539 37e181 98538->98539 98540 345e12 CreateFileW 98538->98540 98541 37e187 CreateFileW 98539->98541 98543 345e34 98539->98543 98540->98543 98542 37e1ad 98541->98542 98541->98543 98565 345c4e 98542->98565 98543->98466 98547 37dfce 98546->98547 98548 34578b 98546->98548 98562 34581a 98547->98562 98584 345e3f 98547->98584 98549 345c4e 2 API calls 98548->98549 98548->98562 98550 3457ad 98549->98550 98575 34538e 
98550->98575 98554 3457c4 98555 360ff6 Mailbox 59 API calls 98554->98555 98556 3457cf 98555->98556 98557 34538e 59 API calls 98556->98557 98558 3457da 98557->98558 98578 345d20 98558->98578 98561 345c4e 2 API calls 98561->98562 98562->98468 98563->98471 98564->98473 98572 345c68 98565->98572 98566 37e151 98574 345dae SetFilePointerEx 98566->98574 98567 345cef SetFilePointerEx 98573 345dae SetFilePointerEx 98567->98573 98570 37e16b 98571 345cc3 98571->98543 98572->98566 98572->98567 98572->98571 98573->98571 98574->98570 98576 360ff6 Mailbox 59 API calls 98575->98576 98577 3453a0 98576->98577 98577->98547 98577->98554 98579 345d93 98578->98579 98583 345d2e 98578->98583 98589 345dae SetFilePointerEx 98579->98589 98580 345807 98580->98561 98582 345d66 ReadFile 98582->98580 98582->98583 98583->98580 98583->98582 98585 345c4e 2 API calls 98584->98585 98586 345e60 98585->98586 98587 345c4e 2 API calls 98586->98587 98588 345e74 98587->98588 98588->98562 98589->98583 98591 347faf 59 API calls 98590->98591 98592 3447c7 98591->98592 98592->98508 98592->98512 98593->98521 98595 3a3e7a 98594->98595 98596 3a46b1 FindFirstFileW 98594->98596 98595->98017 98595->98027 98596->98595 98597 3a46c6 FindClose 98596->98597 98597->98595 98599 345702 98598->98599 98600 3456dd 98598->98600 98601 347eec 59 API calls 98599->98601 98600->98599 98602 3456ec 98600->98602 98609 3a349a 98601->98609 98624 345c18 98602->98624 98605 3a34c9 98605->98067 98609->98605 98622 3a3436 ReadFile SetFilePointerEx 98609->98622 98623 347a84 59 API calls 2 library calls 98609->98623 98612 3a35d8 Mailbox 98612->98067 98613->98043 98614->98071 98615->98072 98616->98042 98617->98042 98618->98048 98619->98057 98620->98065 98621->98070 98622->98609 98623->98609 98625 360ff6 Mailbox 59 API calls 98624->98625 98626 345c2b 98625->98626 98627 360ff6 Mailbox 59 API calls 98626->98627 98628 345c37 98627->98628 98629 345632 98628->98629 98636 345a2f 98629->98636 98631 345643 98632 345d20 2 API calls 98631->98632 98633 345674 
98631->98633 98643 345bda 59 API calls 2 library calls 98631->98643 98632->98631 98633->98612 98635 34793a 61 API calls Mailbox 98633->98635 98635->98612 98637 37e065 98636->98637 98638 345a40 98636->98638 98644 396443 59 API calls Mailbox 98637->98644 98638->98631 98640 37e06f 98641 360ff6 Mailbox 59 API calls 98640->98641 98642 37e07b 98641->98642 98643->98631 98644->98640 98645->98106 98647 347b76 59 API calls 98646->98647 98648 34c72c _wcscmp 98646->98648 98647->98648 98649 347f41 59 API calls 98648->98649 98652 34c760 Mailbox 98648->98652 98650 381abb 98649->98650 98651 347c8e 59 API calls 98650->98651 98653 381ac6 98651->98653 98652->98106 98666 34859a 68 API calls 98653->98666 98655 381ad7 98656 381adb Mailbox 98655->98656 98667 349e9c 60 API calls Mailbox 98655->98667 98656->98106 98659 37f173 98658->98659 98660 347e1f 98658->98660 98662 348189 59 API calls 98659->98662 98668 347db0 98660->98668 98664 37f17e __wsetenvp _memmove 98662->98664 98663 347e2a 98663->98097 98665->98086 98666->98655 98667->98656 98669 347dbf __wsetenvp 98668->98669 98670 348189 59 API calls 98669->98670 98671 347dd0 _memmove 98669->98671 98672 37f130 _memmove 98670->98672 98671->98663 98673->98125 98674->98123 98675->98138 98677 34f7b0 98676->98677 98678 34f61a 98676->98678 98679 347f41 59 API calls 98677->98679 98680 384848 98678->98680 98681 34f626 98678->98681 98687 34f6ec Mailbox 98679->98687 98682 3bbf80 331 API calls 98680->98682 98702 34f3f0 98681->98702 98684 384856 98682->98684 98688 34f790 98684->98688 98804 3aa0b5 89 API calls 4 library calls 98684->98804 98686 34f65d 98686->98684 98686->98687 98686->98688 98691 3b474d 331 API calls 98687->98691 98692 3a3e73 3 API calls 98687->98692 98717 344faa 98687->98717 98723 3acde5 98687->98723 98688->98125 98690 34f743 98690->98688 98803 349df0 59 API calls Mailbox 98690->98803 98691->98690 98692->98690 98695->98136 98696->98140 98697->98125 98698->98150 98699->98152 98700->98156 98701->98125 98703 34f59a 98702->98703 98705 34f41c 
98702->98705 98806 3aa0b5 89 API calls 4 library calls 98703->98806 98705->98703 98714 34f459 _memmove 98705->98714 98706 34f533 98707 34f543 98706->98707 98805 3ba5ee 85 API calls Mailbox 98706->98805 98707->98686 98709 360ff6 59 API calls Mailbox 98709->98714 98710 384823 98808 34f803 331 API calls 98710->98808 98711 34a000 331 API calls 98711->98714 98713 3847d3 98713->98686 98714->98706 98714->98709 98714->98710 98714->98711 98714->98713 98715 3847d5 98714->98715 98807 3aa0b5 89 API calls 4 library calls 98715->98807 98718 344fb4 98717->98718 98720 344fbb 98717->98720 98809 3655d6 98718->98809 98721 344fca 98720->98721 98722 344fdb FreeLibrary 98720->98722 98721->98690 98722->98721 98724 3477c7 59 API calls 98723->98724 98725 3ace1a 98724->98725 98726 3477c7 59 API calls 98725->98726 98727 3ace23 98726->98727 98728 3ace37 98727->98728 99216 349c9c 59 API calls 98727->99216 98730 349997 84 API calls 98728->98730 98731 3ace54 98730->98731 98732 3ace76 98731->98732 98733 3acf55 98731->98733 98740 3acf85 Mailbox 98731->98740 98734 349997 84 API calls 98732->98734 99083 344f3d 98733->99083 98736 3ace82 98734->98736 98738 3481a7 59 API calls 98736->98738 98741 3ace8e 98738->98741 98739 3acf81 98739->98740 98743 3477c7 59 API calls 98739->98743 98740->98690 98747 3acea2 98741->98747 98748 3aced4 98741->98748 98742 344f3d 136 API calls 98742->98739 98744 3acfb6 98743->98744 98745 3477c7 59 API calls 98744->98745 98746 3acfbf 98745->98746 98749 3477c7 59 API calls 98746->98749 98750 3481a7 59 API calls 98747->98750 98751 349997 84 API calls 98748->98751 98753 3acfc8 98749->98753 98754 3aceb2 98750->98754 98752 3acee1 98751->98752 98755 3481a7 59 API calls 98752->98755 98756 3477c7 59 API calls 98753->98756 98757 347e0b 59 API calls 98754->98757 98758 3aceed 98755->98758 98759 3acfd1 98756->98759 98760 3acebc 98757->98760 99217 3a4cd3 GetFileAttributesW 98758->99217 98762 349997 84 API calls 98759->98762 98763 349997 84 API calls 98760->98763 98765 3acfde 98762->98765 
98766 3acec8 98763->98766 98764 3acef6 98767 3acf09 98764->98767 98770 347b52 59 API calls 98764->98770 98768 3446f9 59 API calls 98765->98768 98769 347c8e 59 API calls 98766->98769 98772 349997 84 API calls 98767->98772 98778 3acf0f 98767->98778 98771 3acff9 98768->98771 98769->98748 98770->98767 98773 347b52 59 API calls 98771->98773 98774 3acf36 98772->98774 98775 3ad008 98773->98775 99218 3a3a2b 75 API calls Mailbox 98774->99218 98777 3ad03c 98775->98777 98780 347b52 59 API calls 98775->98780 98779 3481a7 59 API calls 98777->98779 98778->98740 98781 3ad04a 98779->98781 98782 3ad019 98780->98782 98783 347c8e 59 API calls 98781->98783 98782->98777 98785 347d2c 59 API calls 98782->98785 98784 3ad058 98783->98784 98787 347c8e 59 API calls 98784->98787 98786 3ad02e 98785->98786 98788 347d2c 59 API calls 98786->98788 98789 3ad066 98787->98789 98788->98777 98790 347c8e 59 API calls 98789->98790 98791 3ad074 98790->98791 98792 349997 84 API calls 98791->98792 98793 3ad080 98792->98793 99107 3a42ad 98793->99107 98795 3ad091 98796 3a3e73 3 API calls 98795->98796 98797 3ad09b 98796->98797 98798 349997 84 API calls 98797->98798 98802 3ad0cc 98797->98802 98799 3ad0b9 98798->98799 99161 3a93df 98799->99161 98801 344faa 84 API calls 98801->98740 98802->98801 98803->98690 98804->98688 98805->98707 98806->98713 98807->98713 98808->98713 98810 3655e2 ___lock_fhandle 98809->98810 98811 3655f6 98810->98811 98812 36560e 98810->98812 98844 368d68 58 API calls __getptd_noexit 98811->98844 98818 365606 ___lock_fhandle 98812->98818 98822 366e4e 98812->98822 98815 3655fb 98845 368ff6 9 API calls strtoxl 98815->98845 98818->98720 98823 366e80 EnterCriticalSection 98822->98823 98824 366e5e 98822->98824 98826 365620 98823->98826 98824->98823 98825 366e66 98824->98825 98827 369e4b __lock 58 API calls 98825->98827 98828 36556a 98826->98828 98827->98826 98829 36558d 98828->98829 98830 365579 98828->98830 98836 365589 98829->98836 98847 364c6d 98829->98847 98890 368d68 58 API calls 
__getptd_noexit 98830->98890 98832 36557e 98891 368ff6 9 API calls strtoxl 98832->98891 98846 365645 LeaveCriticalSection LeaveCriticalSection _fseek 98836->98846 98840 3655a7 98864 370c52 98840->98864 98842 3655ad 98842->98836 98843 362f95 _free 58 API calls 98842->98843 98843->98836 98844->98815 98845->98818 98846->98818 98848 364ca4 98847->98848 98849 364c80 98847->98849 98853 370dc7 98848->98853 98849->98848 98850 364916 __fseek_nolock 58 API calls 98849->98850 98851 364c9d 98850->98851 98892 36dac6 98851->98892 98854 3655a1 98853->98854 98855 370dd4 98853->98855 98857 364916 98854->98857 98855->98854 98856 362f95 _free 58 API calls 98855->98856 98856->98854 98858 364935 98857->98858 98859 364920 98857->98859 98858->98840 99038 368d68 58 API calls __getptd_noexit 98859->99038 98861 364925 99039 368ff6 9 API calls strtoxl 98861->99039 98863 364930 98863->98840 98865 370c5e ___lock_fhandle 98864->98865 98866 370c82 98865->98866 98867 370c6b 98865->98867 98869 370d0d 98866->98869 98871 370c92 98866->98871 99055 368d34 58 API calls __getptd_noexit 98867->99055 99060 368d34 58 API calls __getptd_noexit 98869->99060 98870 370c70 99056 368d68 58 API calls __getptd_noexit 98870->99056 98875 370cb0 98871->98875 98876 370cba 98871->98876 98873 370cb5 99061 368d68 58 API calls __getptd_noexit 98873->99061 99057 368d34 58 API calls __getptd_noexit 98875->99057 98878 36d446 ___lock_fhandle 59 API calls 98876->98878 98880 370cc0 98878->98880 98882 370cd3 98880->98882 98883 370cde 98880->98883 98881 370d19 99062 368ff6 9 API calls strtoxl 98881->99062 99040 370d2d 98882->99040 99058 368d68 58 API calls __getptd_noexit 98883->99058 98886 370c77 ___lock_fhandle 98886->98842 98888 370cd9 99059 370d05 LeaveCriticalSection __unlock_fhandle 98888->99059 98890->98832 98891->98836 98893 36dad2 ___lock_fhandle 98892->98893 98894 36daf6 98893->98894 98895 36dadf 98893->98895 98896 36db95 98894->98896 98898 36db0a 98894->98898 98993 368d34 58 API calls __getptd_noexit 98895->98993 98999 
Execution graph (call-graph figure extracted as a flat node/edge list). The original rendering is a graph of node ids, code addresses and edges (e.g. 98896->98999) with CRT-internal labels such as __write_nolock, __getptd_noexit, ___lock_fhandle, strtoxl, _memset, _memmove, __cinit and the sandbox's own "Mailbox" tag; that structure is not recoverable as text and only the Windows API names attached to the nodes survive. The list below is the set of API calls that appear in this part of the graph, as extracted; the edge list is cut off at the end of the page.

File and console I/O: CreateFileW, ReadFile, WriteFile, GetFileType, CloseHandle, GetStdHandle, GetConsoleMode, GetConsoleCP, ReadConsoleW, WriteConsoleW, WideCharToMultiByte, MultiByteToWideChar, GetFullPathNameW, GetCurrentDirectoryW, FindCloseChangeNotification, GetLastError
Module and resource loading: LoadLibraryA, LoadLibraryExW, FreeLibrary, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal
Process, environment and system queries: GetCurrentProcess, GetCurrentThreadId, CreateThread, TerminateProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, GetVersionExW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetProcessHeap, RtlAllocateHeap, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, GetPEB, Sleep
Synchronisation and CRT startup: InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsSetValue, EncodePointer, DecodePointer, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
Window, shell and timer: OleInitialize, IsThemeActive, SystemParametersInfoW, RegisterWindowMessageW, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, DestroyWindow, DeleteObject, Shell_NotifyIconW
89 API calls 4 library calls 100945->100962 100947 380c86 100948 3966f4 Mailbox 59 API calls 100947->100948 100949 380c8f 100948->100949 100950->100945 100950->100947 100950->100949 100952 3800e0 VariantClear 100950->100952 100954 3be24b 130 API calls 100950->100954 100955 3c23c9 87 API calls 100950->100955 100956 3b474d 331 API calls 100950->100956 100957 352123 95 API calls 100950->100957 100958 3ad2e6 101 API calls 100950->100958 100959 3be237 130 API calls 100950->100959 100960 349df0 59 API calls Mailbox 100950->100960 100961 397405 59 API calls 100950->100961 100952->100950 100954->100950 100955->100950 100956->100950 100957->100950 100958->100950 100959->100950 100960->100950 100961->100950 100962->100947 100963 34568a 100964 345c18 59 API calls 100963->100964 100965 34569c 100964->100965 100966 345632 61 API calls 100965->100966 100967 3456aa 100966->100967 100968 3456ba Mailbox 100967->100968 100970 3481c1 61 API calls Mailbox 100967->100970 100970->100968 100971 34e70b 100974 34d260 100971->100974 100973 34e719 100975 34d27d 100974->100975 101003 34d4dd 100974->101003 100976 382b0a 100975->100976 100977 382abb 100975->100977 101006 34d2a4 100975->101006 101018 3ba6fb 331 API calls __cinit 100976->101018 100980 382abe 100977->100980 100985 382ad9 100977->100985 100981 382aca 100980->100981 100980->101006 101016 3bad0f 331 API calls 100981->101016 100982 362f80 __cinit 67 API calls 100982->101006 100985->101003 101017 3bb1b7 331 API calls 3 library calls 100985->101017 100986 34d594 101010 348bb2 68 API calls 100986->101010 100987 382cdf 100987->100987 100988 34d6ab 100988->100973 100992 34d5a3 100992->100973 100993 382c26 101022 3baa66 89 API calls 100993->101022 100996 348620 69 API calls 100996->101006 101003->100988 101023 3aa0b5 89 API calls 4 library calls 101003->101023 101004 34a000 331 API calls 101004->101006 101005 3481a7 59 API calls 101005->101006 101006->100982 101006->100986 101006->100988 101006->100993 101006->100996 101006->101003 
101006->101004 101006->101005 101008 3488a0 68 API calls __cinit 101006->101008 101009 3486a2 68 API calls 101006->101009 101011 34859a 68 API calls 101006->101011 101012 34d0dc 331 API calls 101006->101012 101013 349f3a 59 API calls Mailbox 101006->101013 101014 34d060 89 API calls 101006->101014 101015 34cedd 331 API calls 101006->101015 101019 348bb2 68 API calls 101006->101019 101020 349e9c 60 API calls Mailbox 101006->101020 101021 396d03 60 API calls 101006->101021 101008->101006 101009->101006 101010->100992 101011->101006 101012->101006 101013->101006 101014->101006 101015->101006 101016->100988 101017->101003 101018->101006 101019->101006 101020->101006 101021->101006 101022->101003 101023->100987

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00343B7A
              • IsDebuggerPresent.KERNEL32 ref: 00343B8C
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,004062F8,004062E0,?,?), ref: 00343BFD
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                • Part of subcall function 00350A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343C26,004062F8,?,?,?), ref: 00350ACE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00343C81
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003F93F0,00000010), ref: 0037D4BC
              • SetCurrentDirectoryW.KERNEL32(?,004062F8,?,?,?), ref: 0037D4F4
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003F5D40,004062F8,?,?,?), ref: 0037D57A
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0037D581
                • Part of subcall function 00343A58: GetSysColorBrush.USER32(0000000F), ref: 00343A62
                • Part of subcall function 00343A58: LoadCursorW.USER32(00000000,00007F00), ref: 00343A71
                • Part of subcall function 00343A58: LoadIconW.USER32(00000063), ref: 00343A88
                • Part of subcall function 00343A58: LoadIconW.USER32(000000A4), ref: 00343A9A
                • Part of subcall function 00343A58: LoadIconW.USER32(000000A2), ref: 00343AAC
                • Part of subcall function 00343A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00343AD2
                • Part of subcall function 00343A58: RegisterClassExW.USER32(?), ref: 00343B28
                • Part of subcall function 003439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00343A15
                • Part of subcall function 003439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343A36
                • Part of subcall function 003439E7: ShowWindow.USER32(00000000,?,?), ref: 00343A4A
                • Part of subcall function 003439E7: ShowWindow.USER32(00000000,?,?), ref: 00343A53
                • Part of subcall function 003443DB: _memset.LIBCMT ref: 00344401
                • Part of subcall function 003443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003444A6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas$%=
              • API String ID: 529118366-4029254884
              • Opcode ID: 8a6710909d32abcf5601a2d4b560071ee6f13c0311937a9e86e9e6f184d42969
              • Instruction ID: 3f44da0a8516a10ec82e3f92dd70b58dd79e3fa726bf0dc074442c48f6dbf874
              • Opcode Fuzzy Hash: 8a6710909d32abcf5601a2d4b560071ee6f13c0311937a9e86e9e6f184d42969
              • Instruction Fuzzy Hash: 7751E030904249AECB13ABB4DC45EED7BB9AF04300F0581BAF456BF1A2CB746A55CB25
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00344EEE,?,?,00000000,00000000), ref: 00344FF9
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00344EEE,?,?,00000000,00000000), ref: 00345010
              • LoadResource.KERNEL32(?,00000000,?,?,00344EEE,?,?,00000000,00000000,?,?,?,?,?,?,00344F8F), ref: 0037DD60
              • SizeofResource.KERNEL32(?,00000000,?,?,00344EEE,?,?,00000000,00000000,?,?,?,?,?,?,00344F8F), ref: 0037DD75
              • LockResource.KERNEL32(N4,?,?,00344EEE,?,?,00000000,00000000,?,?,?,?,?,?,00344F8F,00000000), ref: 0037DD88
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT$N4
              • API String ID: 3051347437-3281411753
              • Opcode ID: d3c9294a6b7f195e5688c1e8d40cf06a284a1f7a3f11cf1dd18da2a338392d53
              • Instruction ID: 51e564c27eb4757d0cf3065b0ef583e84c125c25dbc02febf5699a04ee0dd7a3
              • Opcode Fuzzy Hash: d3c9294a6b7f195e5688c1e8d40cf06a284a1f7a3f11cf1dd18da2a338392d53
              • Instruction Fuzzy Hash: C1112E79640701AFD7228B65DC58F677BBEEFC9B51F10456CF406DA260DB61EC008660
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetVersionExW.KERNEL32(?), ref: 00344B2B
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              • GetCurrentProcess.KERNEL32(?,003CFAEC,00000000,00000000,?), ref: 00344BF8
              • IsWow64Process.KERNEL32(00000000), ref: 00344BFF
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00344C45
              • FreeLibrary.KERNEL32(00000000), ref: 00344C50
              • GetSystemInfo.KERNEL32(00000000), ref: 00344C81
              • GetSystemInfo.KERNEL32(00000000), ref: 00344C8D
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: 45fd0cf7b651620c0cef46dbedb787c86f5550aa1b89000ff26f7a5cacf0cfd7
              • Instruction ID: 6117bf188f66f24c611e3a8d07f5e8895dbd2f0ae8baea2d782325a3a5073afb
              • Opcode Fuzzy Hash: 45fd0cf7b651620c0cef46dbedb787c86f5550aa1b89000ff26f7a5cacf0cfd7
              • Instruction Fuzzy Hash: CC91B43154A7C0DEC733CB6885916AABFF9AF25300B498D6DD0CB9BA01D224F948D759
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID: Dt@$Dt@$Dt@$Dt@$Variable must be of type 'Object'.
              • API String ID: 0-807601181
              • Opcode ID: e4387272bb11617ae2511551c3097dc935bf613cd3f2eafcee583ca20eb897c9
              • Instruction ID: 891540cff65bf93d973dd95ee786acf2cc4b631e8cb77979c819fd59118c5ef2
              • Opcode Fuzzy Hash: e4387272bb11617ae2511551c3097dc935bf613cd3f2eafcee583ca20eb897c9
              • Instruction Fuzzy Hash: 6FA28A74A04215CFCB26CF58C480AAAB7F5FF48304F2984A9E916AF351D735BD42CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesW.KERNELBASE(?,0037E7C1), ref: 003A46A6
              • FindFirstFileW.KERNELBASE(?,?), ref: 003A46B7
              • FindClose.KERNEL32(00000000), ref: 003A46C7
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: 321a08201eea30abc9f308c6d3b7d613a0e5e02e0b9c4eb4d9539a13300a37d8
              • Instruction ID: 32ef0c2eeffea521915bdf639a2ea9943a6f59178045275d8931d96a62ea73a4
              • Opcode Fuzzy Hash: 321a08201eea30abc9f308c6d3b7d613a0e5e02e0b9c4eb4d9539a13300a37d8
              • Instruction Fuzzy Hash: 01E0D8354108006F82116738EC4D8EA775DDE47335F100B15F835C14F0E7F069508695
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00350BBB
              • timeGetTime.WINMM ref: 00350E76
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00350FB3
              • TranslateMessage.USER32(?), ref: 00350FC7
              • DispatchMessageW.USER32(?), ref: 00350FD5
              • Sleep.KERNEL32(0000000A), ref: 00350FDF
              • LockWindowUpdate.USER32(00000000,?,?), ref: 0035105A
              • DestroyWindow.USER32 ref: 00351066
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00351080
              • Sleep.KERNEL32(0000000A,?,?), ref: 003852AD
              • TranslateMessage.USER32(?), ref: 0038608A
              • DispatchMessageW.USER32(?), ref: 00386098
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003860AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr@$pr@$pr@$pr@
              • API String ID: 4003667617-4165714327
              • Opcode ID: 7879f621e57b7885bed1de0d1fcbba92e9c678a3e6f0f55115bec30f5118d5b0
              • Instruction ID: 26a2946001d619becaea77978f4b2b6e37005a163975fcbee1e4da110b1be18c
              • Opcode Fuzzy Hash: 7879f621e57b7885bed1de0d1fcbba92e9c678a3e6f0f55115bec30f5118d5b0
              • Instruction Fuzzy Hash: 9DB2D770608741DFDB2ADF24C885FAAB7E5BF84304F15495DF88A9B2A1D771E848CB42
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 003A91E9: __time64.LIBCMT ref: 003A91F3
                • Part of subcall function 00345045: _fseek.LIBCMT ref: 0034505D
              • __wsplitpath.LIBCMT ref: 003A94BE
                • Part of subcall function 0036432E: __wsplitpath_helper.LIBCMT ref: 0036436E
              • _wcscpy.LIBCMT ref: 003A94D1
              • _wcscat.LIBCMT ref: 003A94E4
              • __wsplitpath.LIBCMT ref: 003A9509
              • _wcscat.LIBCMT ref: 003A951F
              • _wcscat.LIBCMT ref: 003A9532
                • Part of subcall function 003A922F: _memmove.LIBCMT ref: 003A9268
                • Part of subcall function 003A922F: _memmove.LIBCMT ref: 003A9277
              • _wcscmp.LIBCMT ref: 003A9479
                • Part of subcall function 003A99BE: _wcscmp.LIBCMT ref: 003A9AAE
                • Part of subcall function 003A99BE: _wcscmp.LIBCMT ref: 003A9AC1
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003A96DC
              • _wcsncpy.LIBCMT ref: 003A974F
              • DeleteFileW.KERNEL32(?,?), ref: 003A9785
              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A979B
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A97AC
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A97BE
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: 3a9c739cf64a05a8f249f18abdd06b4900812fd54f93359d081f1ae7867526da
              • Instruction ID: 27f2a7e5c70fa5528300e3c0ffcf343eee4335f11c61d81ab50b878738289742
              • Opcode Fuzzy Hash: 3a9c739cf64a05a8f249f18abdd06b4900812fd54f93359d081f1ae7867526da
              • Instruction Fuzzy Hash: 1EC11AB5D00229ABDF22DF95CC85ADEB7BDEF45310F0040AAF609EA151DB319A848F65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00343074
              • RegisterClassExW.USER32(00000030), ref: 0034309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
              • InitCommonControlsEx.COMCTL32(?), ref: 003430CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
              • LoadIconW.USER32(000000A9), ref: 003430F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: ebe872593bbf21765e2c14571232d005f80b935299707186ab524545723cc930
              • Instruction ID: 5dd3596cd8d04263d85d2d4306c2853fd03bb9e88739ea6358b873c6a9b03519
              • Opcode Fuzzy Hash: ebe872593bbf21765e2c14571232d005f80b935299707186ab524545723cc930
              • Instruction Fuzzy Hash: FB3189B2801309EFEB01EFA4DC88AC9BBF5FB09310F10812AE541E62A0D3B51551CF50
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00343074
              • RegisterClassExW.USER32(00000030), ref: 0034309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
              • InitCommonControlsEx.COMCTL32(?), ref: 003430CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
              • LoadIconW.USER32(000000A9), ref: 003430F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: c55bbda2f754b98d0e1febde2811a326ebf51bbffa8389475def40a9cc048bbf
              • Instruction ID: 52149f565dddf4ed61a33bf2d6f4a08adf8330ea5bceb24b26f58402139ea47d
              • Opcode Fuzzy Hash: c55bbda2f754b98d0e1febde2811a326ebf51bbffa8389475def40a9cc048bbf
              • Instruction Fuzzy Hash: F321C5B6901218AFDB01EFA4E949B9DBBF9FB08700F00852AF511E62A0D7B155548F95
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 00344864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004062F8,?,003437C0,?), ref: 00344882
                • Part of subcall function 0036074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,003472C5), ref: 00360771
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00347308
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0037ECF1
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0037ED32
              • RegCloseKey.ADVAPI32(?), ref: 0037ED70
              • _wcscat.LIBCMT ref: 0037EDC9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: 3d8b4a15ecf1e24d6cf237048499d8bd20dad1dbb4282d73d09eea52fc00edad
              • Instruction ID: ec5d16e22736321ff7e551690ab1b92afd82fc676c3f74e0df406bc2cf57f454
              • Opcode Fuzzy Hash: 3d8b4a15ecf1e24d6cf237048499d8bd20dad1dbb4282d73d09eea52fc00edad
              • Instruction Fuzzy Hash: A57181718093019EC326EF25ED8199BBBE8FF58340F40457EF445DB1A1DB30A948CB66
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph rendering not reproduced; basic blocks 343633-343681 through 37d3a9; API nodes in the graph: DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus; subcalls to 3511d0, 3511f3, 3a2a16, 344531, 3444cb, 343114, 39817e, 3445df, 3443db)
              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 003436D2
              • KillTimer.USER32(?,00000001), ref: 003436FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0034371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0034372A
              • CreatePopupMenu.USER32 ref: 0034373E
              • PostQuitMessage.USER32(00000000), ref: 0034375F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated$%=
              • API String ID: 129472671-273969447
              • Opcode ID: 024ce91ff6bbd4c36a5b2af09d200b9dc69dd02b948b9ebca4bfc8fc2a45484b
              • Instruction ID: 5414f4c4901ac5601cd3762e195532e268a74cc48c28b7abaa1b5bb6de8d67ba
              • Opcode Fuzzy Hash: 024ce91ff6bbd4c36a5b2af09d200b9dc69dd02b948b9ebca4bfc8fc2a45484b
              • Instruction Fuzzy Hash: 7D41F7B2100105ABDF276F24DD49B793BD9EB00340F164139F947EF2A2DA78BE209765
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00343A62
              • LoadCursorW.USER32(00000000,00007F00), ref: 00343A71
              • LoadIconW.USER32(00000063), ref: 00343A88
              • LoadIconW.USER32(000000A4), ref: 00343A9A
              • LoadIconW.USER32(000000A2), ref: 00343AAC
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00343AD2
              • RegisterClassExW.USER32(?), ref: 00343B28
                • Part of subcall function 00343041: GetSysColorBrush.USER32(0000000F), ref: 00343074
                • Part of subcall function 00343041: RegisterClassExW.USER32(00000030), ref: 0034309E
                • Part of subcall function 00343041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
                • Part of subcall function 00343041: InitCommonControlsEx.COMCTL32(?), ref: 003430CC
                • Part of subcall function 00343041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
                • Part of subcall function 00343041: LoadIconW.USER32(000000A9), ref: 003430F2
                • Part of subcall function 00343041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 128c874feb46f99778ad1afd797c582d51cf3e36c92d20dfeac4ed5a8dc890ed
              • Instruction ID: 24477383b31836907269e6647fe6a36ab30695f0209b739b6e25cb3d7943f1e3
              • Opcode Fuzzy Hash: 128c874feb46f99778ad1afd797c582d51cf3e36c92d20dfeac4ed5a8dc890ed
              • Instruction Fuzzy Hash: CB213C74910304EFEB11AFA4ED09F9D7BF5EB08710F014179E505BA2A0D3B665648F48
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b@
              • API String ID: 1825951767-1011239151
              • Opcode ID: 71c98d449bb11e14b00176ca6360fbd575b548ce4d3348d36395d1c3db58b312
              • Instruction ID: 9df8c0c00a10f6e2f50d5cccd7c87f43f2694a4e9e0b046b66ea6b8b71b03ea3
              • Opcode Fuzzy Hash: 71c98d449bb11e14b00176ca6360fbd575b548ce4d3348d36395d1c3db58b312
              • Instruction Fuzzy Hash: EFA130729112199ADB16FBA0CC92EEEB7B8BF14300F04442AF416BF191DF756A09CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 003603A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003603D3
                • Part of subcall function 003603A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 003603DB
                • Part of subcall function 003603A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003603E6
                • Part of subcall function 003603A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003603F1
                • Part of subcall function 003603A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 003603F9
                • Part of subcall function 003603A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00360401
                • Part of subcall function 00356259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0034FA90), ref: 003562B4
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0034FB2D
              • OleInitialize.OLE32(00000000), ref: 0034FBAA
              • CloseHandle.KERNEL32(00000000), ref: 003849F2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID: <g@$\d@$%=$c@
              • API String ID: 1986988660-3809897742
              • Opcode ID: 7928a002119c09fcad7009e85eb53e2535cc599882a3818b2250b45eb907fd6b
              • Instruction ID: 25edf2377bd1c86e6f67d5b70dc04379796aa5803023d43dfc8bd2fc8f65b161
              • Opcode Fuzzy Hash: 7928a002119c09fcad7009e85eb53e2535cc599882a3818b2250b45eb907fd6b
              • Instruction Fuzzy Hash: 1681BCB09012509FC385EF39EE956157AE9EB89308712813ED81BEB3A2EB355424CF5D
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph rendering not reproduced; basic blocks 3ad2640-3ad26ee through 3ad293a-3ad2942; API nodes in the graph: CreateFileW, VirtualAlloc, ReadFile, VirtualFree, FindCloseChangeNotification; subcalls to 3ad0000, 3ad3550, 3ad37a0, 3ad35b0)
              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03AD2711
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03AD2937
              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
              • Instruction ID: 7460296dc344141fed93598a5973765090ff5c25fa4ed2cb1996a6c67ccf7af0
              • Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
              • Instruction Fuzzy Hash: 2DA12874E00208EBDB14CFA4C994BEEBBB5FF48305F20859AE116BB280D7759A41CF94
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph rendering not reproduced; single basic block 3439e7-343a57 calling CreateWindowExW * 2 and ShowWindow * 2)
              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00343A15
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343A36
              • ShowWindow.USER32(00000000,?,?), ref: 00343A4A
              • ShowWindow.USER32(00000000,?,?), ref: 00343A53
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 77bc05ec36fc515824bd57cda8f4bca2d8a058360a04b0fdbfc2c5393f24ded4
              • Instruction ID: c8196e1bbd9d6865a04cb755ec9624d9ad73704963701ff2afc8bdffce6afafa
              • Opcode Fuzzy Hash: 77bc05ec36fc515824bd57cda8f4bca2d8a058360a04b0fdbfc2c5393f24ded4
              • Instruction Fuzzy Hash: 53F01770600290BEEA2127236C0CE672E7ED7C6F50F02407EB905F2160C2BA1820CAB4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph rendering not reproduced; basic blocks 3ad2410-3ad2536 through 3ad25ed-3ad25f2; API nodes in the graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess; subcalls to 3ad0000, 3ad2300, 3ad2340, 3ad1300, 3ad2390)
              APIs
                • Part of subcall function 03AD2300: Sleep.KERNELBASE(000001F4), ref: 03AD2311
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03AD252C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: 39W74HF99SZ9SF8EG
              • API String ID: 2694422964-2084206759
              • Opcode ID: 6ce94531d7e97e02db54a1039d3c38ef9f797b2b7c0faa7723680de92f7d0002
              • Instruction ID: 274529b5d21f81a8dfd7755bf3941ee36247c4445ea01fe8f70e6a0a98f4128c
              • Opcode Fuzzy Hash: 6ce94531d7e97e02db54a1039d3c38ef9f797b2b7c0faa7723680de92f7d0002
              • Instruction Fuzzy Hash: 54518334D04258EBEF11DBE4C955BEEBBB9AF04300F04459AE209BB2C0D7B91B45CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              (graph rendering not reproduced; basic blocks 34410d-344123 through 37d615-37d633; API nodes in the graph: LoadStringW, Shell_NotifyIconW; subcalls to 347b76, 347d2c, 347c8e, 347143, 363020, 34463e, 362ffc, 345a64, 3481a7, 347e0b)
              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0037D5EC
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              • _memset.LIBCMT ref: 0034418D
              • _wcscpy.LIBCMT ref: 003441E1
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003441F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: 64116e9c8f0455e012b8d66457bc6b5202363253ebec5f26cf857d9f03a12cd3
              • Instruction ID: 6ab26b262a31fb969348f0692874967d08fc667ed2d0c5b1833116625cce8568
              • Opcode Fuzzy Hash: 64116e9c8f0455e012b8d66457bc6b5202363253ebec5f26cf857d9f03a12cd3
              • Instruction Fuzzy Hash: 0C31A171408314AAE723EB60DD85FDB77ECAF44300F11492EF589AA0A1EB74B658C796
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction ID: 8315ece58bfcfb6d2437eaac85b7a13d261358368874c936b3bf6010bc29e8af
              • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction Fuzzy Hash: D2519030A00B05DBDB269FA9C88466EB7A5AF40320F65C739F8399A6D8D7709D50DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00344F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344F6F
              • _free.LIBCMT ref: 0037E68C
              • _free.LIBCMT ref: 0037E6D3
                • Part of subcall function 00346BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00346D0D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: c204d545bc1441d53c736d686368e10a2ee8952a999c6bae00a38028cc72b8d0
              • Instruction ID: b2d106acdca2069d612d92311afeeb58ad3b9b8bcf951ee5bbea2f954859a0f0
              • Opcode Fuzzy Hash: c204d545bc1441d53c736d686368e10a2ee8952a999c6bae00a38028cc72b8d0
              • Instruction Fuzzy Hash: 8F916E71910219EFCF16EFA4C8919EDB7B8FF19314F148469F815AF2A1EB34A904CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003435A1,SwapMouseButtons,00000004,?), ref: 003435D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003435A1,SwapMouseButtons,00000004,?,?,?,?,00342754), ref: 003435F5
              • RegCloseKey.KERNELBASE(00000000,?,?,003435A1,SwapMouseButtons,00000004,?,?,?,?,00342754), ref: 00343617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 55bb9b9100de5c1241f49691d31da5453977616c824d9726acc3d3927f329b0c
              • Instruction ID: de96766eb7374da28f2e1b2bc7a95a09846b954bf061f96a978116487ca974c0
              • Opcode Fuzzy Hash: 55bb9b9100de5c1241f49691d31da5453977616c824d9726acc3d3927f329b0c
              • Instruction Fuzzy Hash: EF114571614219BFDB229F64DC80EAEBBFDEF04740F128469E805DB210E275AE409BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 03AD1B2D
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03AD1B51
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03AD1B73
              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
              • Instruction ID: 53529c660bb4a624868f66dff078d0a6aa6233ededf5003d1f33b57001562418
              • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
              • Instruction Fuzzy Hash: D4621C34A14258DBEB24CFA4C850BEEB376EF58300F1095A9D10DEB394E7759E81CB59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00345045: _fseek.LIBCMT ref: 0034505D
                • Part of subcall function 003A99BE: _wcscmp.LIBCMT ref: 003A9AAE
                • Part of subcall function 003A99BE: _wcscmp.LIBCMT ref: 003A9AC1
              • _free.LIBCMT ref: 003A992C
              • _free.LIBCMT ref: 003A9933
              • _free.LIBCMT ref: 003A999E
                • Part of subcall function 00362F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00369C64), ref: 00362FA9
                • Part of subcall function 00362F95: GetLastError.KERNEL32(00000000,?,00369C64), ref: 00362FBB
              • _free.LIBCMT ref: 003A99A6
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction ID: 6d8b263f311948c88a028cd693f66c7fe07379375b6c95e4bd1baadb28d278a7
              • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction Fuzzy Hash: 50516BB1D04218AFDF259F64CC81A9EBBB9EF49300F0044AEF209AB241DB315A80CF58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction ID: 0bfc7d08e50154591d5210f7747d35d8ba7f8867ae8837295e60fbcfd8c269a7
              • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction Fuzzy Hash: EC41C475E40605AFDF2A9FA9C8809AF7BEAEF84360B24C12DE855CB648D770DD408B44
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID: _memmove
              • String ID: AU3!P/=$EA06
              • API String ID: 4104443479-3802933467

              APIs
              • _memset.LIBCMT ref: 0037EE62
              • GetOpenFileNameW.COMDLG32(?), ref: 0037EEAC
                • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
                • Part of subcall function 003609D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003609F4
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835

              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686

              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 003A9B82
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003A9B99
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371


              APIs
              • _memset.LIBCMT ref: 00344401
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 003444A6
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 003444C3
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0

              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00365963
                • Part of subcall function 0036A3AB: __NMSG_WRITE.LIBCMT ref: 0036A3D2
                • Part of subcall function 0036A3AB: __NMSG_WRITE.LIBCMT ref: 0036A3DC
              • __NMSG_WRITE.LIBCMT ref: 0036596A
                • Part of subcall function 0036A408: GetModuleFileNameW.KERNEL32(00000000,004043BA,00000104,?,00000001,00000000), ref: 0036A49A
                • Part of subcall function 0036A408: ___crtMessageBoxW.LIBCMT ref: 0036A548
                • Part of subcall function 003632DF: ___crtCorExitProcess.LIBCMT ref: 003632E5
                • Part of subcall function 003632DF: ExitProcess.KERNEL32 ref: 003632EE
                • Part of subcall function 00368D68: __getptd_noexit.LIBCMT ref: 00368D68
              • RtlAllocateHeap.NTDLL(011B0000,00000000,00000001,00000000,?,?,?,00361013,?), ref: 0036598F
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0

              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003A97D2,?,?,?,?,?,00000004), ref: 003A9B45
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003A97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003A9B5B
              • CloseHandle.KERNEL32(00000000,?,003A97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003A9B62
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0

              APIs
              • _free.LIBCMT ref: 003A8FA5
                • Part of subcall function 00362F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00369C64), ref: 00362FA9
                • Part of subcall function 00362F95: GetLastError.KERNEL32(00000000,?,00369C64), ref: 00362FBB
              • _free.LIBCMT ref: 003A8FB6
              • _free.LIBCMT ref: 003A8FC8
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0

              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274

              Similarity
              • API ID: _wcscmp
              • String ID: 4
              • API String ID: 856254489-4088798008

              APIs
              • IsThemeActive.UXTHEME ref: 00344992
                • Part of subcall function 003635AC: __lock.LIBCMT ref: 003635B2
                • Part of subcall function 003635AC: DecodePointer.KERNEL32(00000001,?,003449A7,003981BC), ref: 003635BE
                • Part of subcall function 003635AC: EncodePointer.KERNEL32(?,?,003449A7,003981BC), ref: 003635C9
                • Part of subcall function 00344A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00344A73
                • Part of subcall function 00344A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00344A88
                • Part of subcall function 00343B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00343B7A
                • Part of subcall function 00343B4C: IsDebuggerPresent.KERNEL32 ref: 00343B8C
                • Part of subcall function 00343B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,004062F8,004062E0,?,?), ref: 00343BFD
                • Part of subcall function 00343B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00343C81
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003449D2
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 1438897964-0

              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00345981,?,?,?,?), ref: 00345E27
              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00345981,?,?,?,?), ref: 0037E19C
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0

              APIs
                • Part of subcall function 0036594C: __FF_MSGBANNER.LIBCMT ref: 00365963
                • Part of subcall function 0036594C: __NMSG_WRITE.LIBCMT ref: 0036596A
                • Part of subcall function 0036594C: RtlAllocateHeap.NTDLL(011B0000,00000000,00000001,00000000,?,?,?,00361013,?), ref: 0036598F
              • std::exception::exception.LIBCMT ref: 0036102C
              • __CxxThrowException@8.LIBCMT ref: 00361041
                • Part of subcall function 003687DB: RaiseException.KERNEL32(?,?,?,003FBAF8,00000000,?,?,?,?,00361046,?,003FBAF8,?,00000001), ref: 00368830
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0

              Similarity
              • API ID: __lock_file_memset
              • String ID:
              • API String ID: 26237723-0

              APIs
                • Part of subcall function 00368D68: __getptd_noexit.LIBCMT ref: 00368D68
              • __lock_file.LIBCMT ref: 0036561B
                • Part of subcall function 00366E4E: __lock.LIBCMT ref: 00366E71
              • __fclose_nolock.LIBCMT ref: 00365626
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0

              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 03AD1B2D
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03AD1B51
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03AD1B73
              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 899c8ab1a591682fa55213077536fc8e0a4eb929ea24bd5b0097ed10ef7919b0
              • Instruction ID: 6f2770d8f8d9e632f5a6322e88b6caf9e0b537c07199a4cda4d4dae49ce073d0
              • Instruction Fuzzy Hash: 1761AA7060060A9FCB12EF64C881AABB7E9EF05304F1981B9E9168F641EB71FD51CB51
              Uniqueness
              • Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4557d133a4ed2517241ec096b06c79a9fc2c4685b8d07eba9ee19b84ac60dc6
              • Instruction ID: ab65c871f37bb8f7ba05aacb17338156dfaba2a8b936ba0cb9c625a2ad53a97f
              • Instruction Fuzzy Hash: BE515E35600604AFCF16EB64C992F6E77E6AF45710F1581A8F946AF292CB34FE04CB51
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00345CF6
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 02090f25146f69bc73908f943fd68d484a1a08c603aacf67a5165ae08f89e852
              • Instruction ID: fd0242006b253af0bf257a4c83506e25d2a15114200d0f91333fc433b513e883
              • Instruction Fuzzy Hash: 09312771A00B0AABCB19DF29C484AADB7F5FF48310F158629E8199B711D771BD60DB90
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: c1a23217e71e6ef45f2f15e5234757fb3c3ef54295667f68e0c29c42c7270b0e
              • Instruction ID: 15604723625297a67c2b472ef3445b9d8f6a7771d55e230163b5b4ff92b8d085
              • Instruction Fuzzy Hash: C341F574508741CFDB26DF14C484B1ABBE1BF45318F1A889CE8998B762C736F899CB52
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
              • Instruction ID: 88dfbbfa43edfe5744c61220bde30e55f6d922b0f65e6195e9de4cae8f20a33b
              • Instruction Fuzzy Hash: 6311B131209215AFDB16DF28C881C6EB7E9EF453247258A1AF919DF3A0DB32BC1187D0
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcscmp
              • String ID:
              • API String ID: 856254489-0
              • Opcode ID: 4a18f4ffe2d73a58042247bc98454f9d23359fc455b4d4a9df3b0c5f8b5cdffb
              • Instruction ID: 19434b13723c454c18d1aa2b345a87bfda1c28b2c1b1996b222934c803ce2bff
              • Instruction Fuzzy Hash: D5119071D15219DBCB16ABA9DC819EEF7BCEF51350F104166E811AF1A0EB30AD06CB90
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00344D13: FreeLibrary.KERNEL32(00000000,?), ref: 00344D4D
                • Part of subcall function 0036548B: __wfsopen.LIBCMT ref: 00365496
              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,004062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344F6F
                • Part of subcall function 00344CC8: FreeLibrary.KERNEL32(00000000), ref: 00344D02
                • Part of subcall function 00344DD0: _memmove.LIBCMT ref: 00344E1A
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0
              • Opcode ID: 643f02c7e5c68e42912ba68ead9a4904472b542eb10267a45dde47370513907c
              • Instruction ID: 41faef32ebf6e2a516dbcb731a4fa3c81904fa84e8ce4b180a1e5307f6616ee8
              • Instruction Fuzzy Hash: 6811E731A00609ABCB22AF70DC52FAE77E9DF40B00F108439F541AE1C2DE75AE059790
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: e6350eaa11425a319c2d6ab76b78a05958587d4fbb548e72ed5358e17bd2934e
              • Instruction ID: 1b0238de356f675ddb816e23d3bce219a78ed12cfdc2a6accec1be1402c26b3d
              • Instruction Fuzzy Hash: 9A2113B4508741DFCB16DF14C444B1ABBE5BF84304F058968E89A5B761D731F859CB92
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00345807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00345D76
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: b8f19c5138721cfc41fd71825294b9d4b5f7d4f1e93041093881fe85acdd8e91
              • Instruction ID: e727ff64b649563e24be1a237233fe6e2b07405491e18d7890ec442c90fe83ba
              • Instruction Fuzzy Hash: 98113A31A00B059FD3328F15C888B62B7E9EF46750F14C92EE4AA8AA51D770F945CF60
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • __lock_file.LIBCMT ref: 00364AD6
                • Part of subcall function 00368D68: __getptd_noexit.LIBCMT ref: 00368D68
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              • Opcode ID: 14d4b1f084793c1c57e3303102ed88de696b2f501bf429fab2c75ea346d69c77
              • Instruction ID: a0c2c62e4bc6e2f5890527599e847ea0a7f1dfaee5db84d37840a33ca283ced9
              • Instruction Fuzzy Hash: 90F0AF71D80209ABDF63AFA8CC063AE76A1AF05325F05C614F424AF1D9DB788A50DF55
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • FreeLibrary.KERNEL32(?,?,004062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344FDE
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              • Opcode ID: affd97511dacb456792066c5ceb694d2cbd662640f985580308272170c49da3e
              • Instruction ID: bfefea0b020df30b1dfda1eef96072582e5c0fff59fc8dd86f0c617388d2a302
              • Instruction Fuzzy Hash: 4CF039B1105712CFCB369F64E494912BBE5BF043293258A3EE5D78AA10C731B848DF40
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003609F4
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0
              • Opcode ID: 1d48ab9d935f44b87db670fefe5d6a9d60ed5c241dcccc2b11c14be9779a95b9
              • Instruction ID: 2034922213afca0ab90e662dfe2917e9296422025685bcb83bb1479162995a16
              • Instruction Fuzzy Hash: 11E086369042285BC721D6589C05FFA77EDDF89790F0441B5FC0CDB204DA64AC818690
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
              • Instruction ID: 80923986e69b87333b8c57fb5e8948454cd6cbfd61d97893d4a69e2b4fb96ab8
              • Instruction Fuzzy Hash: 23E09AB0204B009FDB3A8A24D810BE377E0EB0A315F00081DF2AA93342EB62B8418B59
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0037E16B,?,?,00000000), ref: 00345DBF
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 8b3040438e48e45fb7d2cf76affb501b0d6f9c653ba09094b3772862e8de416f
              • Instruction ID: f11adc3af6e0b8db0f2ce6db83a9d2307603a2d260fbb30ee73bd6491bf79539
              • Instruction Fuzzy Hash: C8D0C77464020CBFE711DB80DC46FA9777DDB05710F100194FD0496290D6B27D508795
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: 91e74f2575a1560c6b6725572dea249e4109ad96686daa53a83ee7d1ceb46c8f
              • Instruction Fuzzy Hash: 0FB0927684020C77DE022E82EC03A593B199B40678F808060FB0C1C166AAB3A6A09689
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • GetLastError.KERNEL32(00000002,00000000), ref: 003AD46A
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ErrorLast
              • String ID:
              • API String ID: 1452528299-0
              • Opcode ID: b325f9fbfba19b770c1159b26baf9d7df17a7ab982a400aeb625a6eec5b94dbb
              • Instruction ID: 5f17e5e2d9c278ec227299d2868855da923370ee77a18123c2bd19cbd1665c4f
              • Instruction Fuzzy Hash: B9713D346083018FC716EF25C491A6AB7E4EF8A314F04496DF8969F6A2DF30ED49CB52
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction ID: e0627754b1e1bb05a46d64d1aec3296724b4898ea19e09d05fcde4b71db2783b
              • Instruction Fuzzy Hash: 4931F370A00505DBC71ADF48C48296AF7A6FF59300B25CAA5E40ACF659D732EDC1CBC0
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
              • Sleep.KERNELBASE(000001F4), ref: 03AD2311
              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: f7eb2a206d46cb787303e639bb97c9f2dabdb84aac0fd4f20cb113d79e6fab99
              • Instruction Fuzzy Hash: A3E0BF7494010D9FDB00EFB8D54969E7BB4EF04301F1005A1FD0192280D63099508A62
              Uniqueness
              • Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003CCE50
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003CCE91
              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 003CCED6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003CCF00
              • SendMessageW.USER32 ref: 003CCF29
              • _wcsncpy.LIBCMT ref: 003CCFA1
              • GetKeyState.USER32(00000011), ref: 003CCFC2
              • GetKeyState.USER32(00000009), ref: 003CCFCF
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003CCFE5
              • GetKeyState.USER32(00000010), ref: 003CCFEF
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003CD018
              • SendMessageW.USER32 ref: 003CD03F
              • SendMessageW.USER32(?,00001030,?,003CB602), ref: 003CD145
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003CD15B
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003CD16E
              • SetCapture.USER32(?), ref: 003CD177
              • ClientToScreen.USER32(?,?), ref: 003CD1DC
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003CD1E9
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003CD203
              • ReleaseCapture.USER32 ref: 003CD20E
              • GetCursorPos.USER32(?), ref: 003CD248
              • ScreenToClient.USER32(?,?), ref: 003CD255
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 003CD2B1
              • SendMessageW.USER32 ref: 003CD2DF
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 003CD31C
              • SendMessageW.USER32 ref: 003CD34B
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003CD36C
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003CD37B
              • GetCursorPos.USER32(?), ref: 003CD39B
              • ScreenToClient.USER32(?,?), ref: 003CD3A8
              • GetParent.USER32(?), ref: 003CD3C8
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 003CD431
              • SendMessageW.USER32 ref: 003CD462
              • ClientToScreen.USER32(?,?), ref: 003CD4C0
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003CD4F0
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 003CD51A
              • SendMessageW.USER32 ref: 003CD53D
              • ClientToScreen.USER32(?,?), ref: 003CD58F
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003CD5C3
                • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
              • GetWindowLongW.USER32(?,000000F0), ref: 003CD65F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$@U=u$F$pr@
              • API String ID: 3977979337-2754189547
              • Opcode ID: ebf898b6bd7470b0e881f21f850b889f53512821a1047f9077e793cf5171bb1c
              • Instruction ID: 8b0ad28c9a8e7803a21fa66bcff97e9856fb50ceb1e837de8993902a3bd6b295
              • Opcode Fuzzy Hash: ebf898b6bd7470b0e881f21f850b889f53512821a1047f9077e793cf5171bb1c
              • Instruction Fuzzy Hash: E7426A31204241AFD726DF68C844FAABBE9FF49314F15452DF69ADB2A1C731AC50CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 003C873F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d$@U=u
              • API String ID: 3850602802-2764005415
              • Opcode ID: 1f88d3d28e3b934b0e023a1c152e149245e0fc8fdcc6d96cbfa247e3c155382d
              • Instruction ID: 8a7d4403361d51009fceba039b57ee1b4eb0f4301d6f4251904defa56d0c351b
              • Opcode Fuzzy Hash: 1f88d3d28e3b934b0e023a1c152e149245e0fc8fdcc6d96cbfa247e3c155382d
              • Instruction Fuzzy Hash: 5212BE71500248AFEB269F24CC49FAB7BB9EF85710F25412DF915EA2A1EF749E41CB10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: 0w?$DEFINE$Oa5$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
              • API String ID: 1357608183-3367732055
              • Opcode ID: a3e51b48b560b86079c636ca50845a44b4f3849258eb631ca9aedfff70ab084a
              • Instruction ID: affd4f19eff1cb1afd646cbe1d0e3a0f23c672bee2581b6aac43f0e811f34144
              • Opcode Fuzzy Hash: a3e51b48b560b86079c636ca50845a44b4f3849258eb631ca9aedfff70ab084a
              • Instruction Fuzzy Hash: C8939175A04216DBDF26CF98D881BADB7B1FF48310F25856AE945EB290E7709E81CB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 00344A3D
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0037DA8E
              • IsIconic.USER32(?), ref: 0037DA97
              • ShowWindow.USER32(?,00000009), ref: 0037DAA4
              • SetForegroundWindow.USER32(?), ref: 0037DAAE
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0037DAC4
              • GetCurrentThreadId.KERNEL32 ref: 0037DACB
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0037DAD7
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0037DAE8
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0037DAF0
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0037DAF8
              • SetForegroundWindow.USER32(?), ref: 0037DAFB
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DB10
              • keybd_event.USER32(00000012,00000000), ref: 0037DB1B
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DB25
              • keybd_event.USER32(00000012,00000000), ref: 0037DB2A
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DB33
              • keybd_event.USER32(00000012,00000000), ref: 0037DB38
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0037DB42
              • keybd_event.USER32(00000012,00000000), ref: 0037DB47
              • SetForegroundWindow.USER32(?), ref: 0037DB4A
              • AttachThreadInput.USER32(?,?,00000000), ref: 0037DB71
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 084a45b848e87932311a40297742086cb1a3e908782d139d9abaa80e410a1ed4
              • Instruction ID: ed1bde0f0a2fbc5eeb7579162c6bb1cd0cecf25b32e271da764f31ff528172a0
              • Opcode Fuzzy Hash: 084a45b848e87932311a40297742086cb1a3e908782d139d9abaa80e410a1ed4
              • Instruction Fuzzy Hash: 9C313271A40318BFEB326F619C49F7E7E7DEF44B50F114025FA05EA1D1D6B46910ABA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00398CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00398D0D
                • Part of subcall function 00398CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398D3A
                • Part of subcall function 00398CC3: GetLastError.KERNEL32 ref: 00398D47
              • _memset.LIBCMT ref: 0039889B
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003988ED
              • CloseHandle.KERNEL32(?), ref: 003988FE
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00398915
              • GetProcessWindowStation.USER32 ref: 0039892E
              • SetProcessWindowStation.USER32(00000000), ref: 00398938
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00398952
                • Part of subcall function 00398713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00398851), ref: 00398728
                • Part of subcall function 00398713: CloseHandle.KERNEL32(?,?,00398851), ref: 0039873A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: 94031e3517012e8bb8dad987307912d68ee93adfe2e35f11d6487054fdfcb038
              • Instruction ID: 1935e731759347feb24a9e0d524ee7812e0e93e3063e419a2875f95a6f4d306d
              • Opcode Fuzzy Hash: 94031e3517012e8bb8dad987307912d68ee93adfe2e35f11d6487054fdfcb038
              • Instruction Fuzzy Hash: 1C817971900209BFDF12DFA4CC45EEEBBB9EF46314F08452AF910A6261DB319E15DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenClipboard.USER32(003CF910), ref: 003B4284
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 003B4292
              • GetClipboardData.USER32(0000000D), ref: 003B429A
              • CloseClipboard.USER32 ref: 003B42A6
              • GlobalLock.KERNEL32(00000000), ref: 003B42C2
              • CloseClipboard.USER32 ref: 003B42CC
              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 003B42E1
              • IsClipboardFormatAvailable.USER32(00000001), ref: 003B42EE
              • GetClipboardData.USER32(00000001), ref: 003B42F6
              • GlobalLock.KERNEL32(00000000), ref: 003B4303
              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 003B4337
              • CloseClipboard.USER32 ref: 003B4447
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: a2b40e4241f7847009e71979ef6bc02bc6adb05f26a09492e79ed1bae75b9baf
              • Instruction ID: 7b884726d862d5167985a22de30b9dea1cc19a6a2932f3b90081825e54c87927
              • Opcode Fuzzy Hash: a2b40e4241f7847009e71979ef6bc02bc6adb05f26a09492e79ed1bae75b9baf
              • Instruction Fuzzy Hash: 105194752043016FD703AF64EC85FAF77ADAF84B05F004929F696DA1A2DF70E9048B66
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 003AC9F8
              • FindClose.KERNEL32(00000000), ref: 003ACA4C
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003ACA71
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003ACA88
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 003ACAAF
              • __swprintf.LIBCMT ref: 003ACAFB
              • __swprintf.LIBCMT ref: 003ACB3E
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
              • __swprintf.LIBCMT ref: 003ACB92
                • Part of subcall function 003638D8: __woutput_l.LIBCMT ref: 00363931
              • __swprintf.LIBCMT ref: 003ACBE0
                • Part of subcall function 003638D8: __flsbuf.LIBCMT ref: 00363953
                • Part of subcall function 003638D8: __flsbuf.LIBCMT ref: 0036396B
              • __swprintf.LIBCMT ref: 003ACC2F
              • __swprintf.LIBCMT ref: 003ACC7E
              • __swprintf.LIBCMT ref: 003ACCCD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: a522a59b7bd1b66f63aca21c2111101c162efd6e23d4d0f71b23f8db884f9266
              • Instruction ID: 4e5fde95caa2ec32efcda8833ad2a65aef8e9281a72064011cd7d2ec0b39746d
              • Opcode Fuzzy Hash: a522a59b7bd1b66f63aca21c2111101c162efd6e23d4d0f71b23f8db884f9266
              • Instruction Fuzzy Hash: 9DA100B2518344AFC712EF54C985EAFB7ECEF95700F40491AB585CB191EB34EA09CB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 003AF221
              • _wcscmp.LIBCMT ref: 003AF236
              • _wcscmp.LIBCMT ref: 003AF24D
              • GetFileAttributesW.KERNEL32(?), ref: 003AF25F
              • SetFileAttributesW.KERNEL32(?,?), ref: 003AF279
              • FindNextFileW.KERNEL32(00000000,?), ref: 003AF291
              • FindClose.KERNEL32(00000000), ref: 003AF29C
              • FindFirstFileW.KERNEL32(*.*,?), ref: 003AF2B8
              • _wcscmp.LIBCMT ref: 003AF2DF
              • _wcscmp.LIBCMT ref: 003AF2F6
              • SetCurrentDirectoryW.KERNEL32(?), ref: 003AF308
              • SetCurrentDirectoryW.KERNEL32(003FA5A0), ref: 003AF326
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 003AF330
              • FindClose.KERNEL32(00000000), ref: 003AF33D
              • FindClose.KERNEL32(00000000), ref: 003AF34F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: ef7e3995af239cdafe30aa324ff9eeb770cd38b42c997c311f5276c4536211fb
              • Instruction ID: b149047a9bf6037b05608511b15fa737d1465a8f88ccc764120cc794609f2cea
              • Opcode Fuzzy Hash: ef7e3995af239cdafe30aa324ff9eeb770cd38b42c997c311f5276c4536211fb
              • Instruction Fuzzy Hash: 9431BF7A5006196EDF12DBB4DC48EEE73ACEF4A361F144675E904D30A0EB30EE458B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0BDE
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,003CF910,00000000,?,00000000,?,?), ref: 003C0C4C
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003C0C94
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003C0D1D
              • RegCloseKey.ADVAPI32(?), ref: 003C103D
              • RegCloseKey.ADVAPI32(00000000), ref: 003C104A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 0d719df0b37bbffd26ae7230795902d8f9e543c90974878dc8e323f193c51e74
              • Instruction ID: 176b97f48b36fbc4ead6610688f5278c769d9ad2399ea41d7a4314f157000622
              • Opcode Fuzzy Hash: 0d719df0b37bbffd26ae7230795902d8f9e543c90974878dc8e323f193c51e74
              • Instruction Fuzzy Hash: 360224752006519FCB16EF24C881E2AB7E9AF89714F05885DF88A9F362CB30FD41CB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 003AF37E
              • _wcscmp.LIBCMT ref: 003AF393
              • _wcscmp.LIBCMT ref: 003AF3AA
                • Part of subcall function 003A45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003A45DC
              • FindNextFileW.KERNEL32(00000000,?), ref: 003AF3D9
              • FindClose.KERNEL32(00000000), ref: 003AF3E4
              • FindFirstFileW.KERNEL32(*.*,?), ref: 003AF400
              • _wcscmp.LIBCMT ref: 003AF427
              • _wcscmp.LIBCMT ref: 003AF43E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 003AF450
              • SetCurrentDirectoryW.KERNEL32(003FA5A0), ref: 003AF46E
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 003AF478
              • FindClose.KERNEL32(00000000), ref: 003AF485
              • FindClose.KERNEL32(00000000), ref: 003AF497
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: be9cad31b169669b728ce46ac6e73b552fff0101e1119c2ef9c6db9a2c3b17a7
              • Instruction ID: 19c9318ec5f279e789f87319b0efde657ee2f144fb626545e93b14aa842b88c6
              • Opcode Fuzzy Hash: be9cad31b169669b728ce46ac6e73b552fff0101e1119c2ef9c6db9a2c3b17a7
              • Instruction Fuzzy Hash: 8331F4765012196FCF12ABA5EC88EEE77ADDF4A364F114275E854E30A0DB30EE44CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0039874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00398766
                • Part of subcall function 0039874A: GetLastError.KERNEL32(?,0039822A,?,?,?), ref: 00398770
                • Part of subcall function 0039874A: GetProcessHeap.KERNEL32(00000008,?,?,0039822A,?,?,?), ref: 0039877F
                • Part of subcall function 0039874A: HeapAlloc.KERNEL32(00000000,?,0039822A,?,?,?), ref: 00398786
                • Part of subcall function 0039874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039879D
                • Part of subcall function 003987E7: GetProcessHeap.KERNEL32(00000008,00398240,00000000,00000000,?,00398240,?), ref: 003987F3
                • Part of subcall function 003987E7: HeapAlloc.KERNEL32(00000000,?,00398240,?), ref: 003987FA
                • Part of subcall function 003987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00398240,?), ref: 0039880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0039825B
              • _memset.LIBCMT ref: 00398270
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0039828F
              • GetLengthSid.ADVAPI32(?), ref: 003982A0
              • GetAce.ADVAPI32(?,00000000,?), ref: 003982DD
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003982F9
              • GetLengthSid.ADVAPI32(?), ref: 00398316
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00398325
              • HeapAlloc.KERNEL32(00000000), ref: 0039832C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0039834D
              • CopySid.ADVAPI32(00000000), ref: 00398354
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00398385
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003983AB
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 003983BF
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: d3ef784949ffb121f76634e41cda43acdca6eb8114b1fe14ccb4a57cde507e57
              • Instruction ID: 815d1a83bdd55547580e624b8dc5d8021c14ecb197051fcf13ecccafb65487af
              • Opcode Fuzzy Hash: d3ef784949ffb121f76634e41cda43acdca6eb8114b1fe14ccb4a57cde507e57
              • Instruction Fuzzy Hash: 1D615D75A04219AFDF029F94DC84EAEBBB9FF45700F048129E915E6291DB359A05CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa5$PJ>$UCP)$UTF)$UTF16)
              • API String ID: 0-1101034524
              • Opcode ID: 4506647f7ee565c89b09bb98448f2c5b278b4850236ab4f2b02c973541393cf7
              • Instruction ID: 23b689013b5282ffe817ce20478d5ba09a0cbfc0bed0c37bc57eb8982770ab66
              • Opcode Fuzzy Hash: 4506647f7ee565c89b09bb98448f2c5b278b4850236ab4f2b02c973541393cf7
              • Instruction Fuzzy Hash: AE728F75E0021A9BDF26CF58C881BAEB7F5EF48310F55816AE849FB290DB709D45CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003C0038,?,?), ref: 003C10BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0737
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003C07D6
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003C086E
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003C0AAD
              • RegCloseKey.ADVAPI32(00000000), ref: 003C0ABA
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
               • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: 2d0154612034d2ab4648a8d3a2dc5e9954d722c3aeb78d9640273a5e80cd9729
              • Instruction ID: c81083aab1d13ff20e4f34d537711cb6e882e3cf9ebd1054fa8e12c2d997cd44
              • Opcode Fuzzy Hash: 2d0154612034d2ab4648a8d3a2dc5e9954d722c3aeb78d9640273a5e80cd9729
              • Instruction Fuzzy Hash: CDE13C75204250EFCB1ADF24C885E6ABBE9EF89714F04856DF48ADB262DB30ED05CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 003A0241
              • GetAsyncKeyState.USER32(000000A0), ref: 003A02C2
              • GetKeyState.USER32(000000A0), ref: 003A02DD
              • GetAsyncKeyState.USER32(000000A1), ref: 003A02F7
              • GetKeyState.USER32(000000A1), ref: 003A030C
              • GetAsyncKeyState.USER32(00000011), ref: 003A0324
              • GetKeyState.USER32(00000011), ref: 003A0336
              • GetAsyncKeyState.USER32(00000012), ref: 003A034E
              • GetKeyState.USER32(00000012), ref: 003A0360
              • GetAsyncKeyState.USER32(0000005B), ref: 003A0378
              • GetKeyState.USER32(0000005B), ref: 003A038A
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
                • Part of subcall function 003A4CD3: GetFileAttributesW.KERNEL32(?,003A3947), ref: 003A4CD4
              • FindFirstFileW.KERNEL32(?,?), ref: 003A3ADF
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003A3B87
              • MoveFileW.KERNEL32(?,?), ref: 003A3B9A
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003A3BB7
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A3BD9
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 003A3BF5
              Strings
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: ERCP$Oa5$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1794953832
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003AF6AB
              • Sleep.KERNEL32(0000000A), ref: 003AF6DB
              • _wcscmp.LIBCMT ref: 003AF6EF
              • _wcscmp.LIBCMT ref: 003AF70A
              • FindNextFileW.KERNEL32(?,?), ref: 003AF7A8
              • FindClose.KERNEL32(00000000), ref: 003AF7BE
              Strings
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00360FF6: std::exception::exception.LIBCMT ref: 0036102C
                • Part of subcall function 00360FF6: __CxxThrowException@8.LIBCMT ref: 00361041
              • _memmove.LIBCMT ref: 0039062F
              • _memmove.LIBCMT ref: 00390744
              • _memmove.LIBCMT ref: 003907EB
              Strings
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID: yZ5
              • API String ID: 1300846289-2995190576
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00398CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00398D0D
                • Part of subcall function 00398CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398D3A
                • Part of subcall function 00398CC3: GetLastError.KERNEL32 ref: 00398D47
              • ExitWindowsEx.USER32(?,00000000), ref: 003A549B
              Strings
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID: __itow__swprintf
              • String ID: Oa5
              • API String ID: 674341424-2933034282
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003B65EF
              • WSAGetLastError.WSOCK32(00000000), ref: 003B65FE
              • bind.WSOCK32(00000000,?,00000010), ref: 003B661A
              • listen.WSOCK32(00000000,00000005), ref: 003B6629
              • WSAGetLastError.WSOCK32(00000000), ref: 003B6643
              • closesocket.WSOCK32(00000000,00000000), ref: 003B6657
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 003419FA
              • GetSysColor.USER32(0000000F), ref: 00341A4E
              • SetBkColor.GDI32(?,00000000), ref: 00341A61
                • Part of subcall function 00341290: DefDlgProcW.USER32(?,00000020,?), ref: 003412D8
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003B80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003B80CB
              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003B6AB1
              • WSAGetLastError.WSOCK32(00000000), ref: 003B6ADA
              • bind.WSOCK32(00000000,?,00000010), ref: 003B6B13
              • WSAGetLastError.WSOCK32(00000000), ref: 003B6B20
              • closesocket.WSOCK32(00000000,00000000), ref: 003B6B34
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoInitialize.OLE32(00000000), ref: 003AC69D
              • CoCreateInstance.OLE32(003D2D6C,00000000,00000001,003D2BDC,?), ref: 003AC6B5
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
              • CoUninitialize.OLE32 ref: 003AC922
              Strings
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00381D88,?), ref: 003BC312
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003BC324
              Strings
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 003BF151
              • Process32FirstW.KERNEL32(00000000,?), ref: 003BF15F
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
              • Process32NextW.KERNEL32(00000000,?), ref: 003BF21F
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 003BF22E
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0039EB19
              Strings
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 003B26D5
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003B270C
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: da28c4514e82c2a90897a22a6eb0639d2f1e26dcad69a3f0ebe58d39e384a1e6
              • Instruction ID: 00fa38e91c90a5cdd9ddea1f9c80b46bc5339964d3dbcef392d3e52bf0670f49
              • Opcode Fuzzy Hash: da28c4514e82c2a90897a22a6eb0639d2f1e26dcad69a3f0ebe58d39e384a1e6
              • Instruction Fuzzy Hash: EE410671900209BFEB22DE55CC85FFBB7BCEB4071CF10416AF701AA941EEB1AE419654
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 003AB5AE
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003AB608
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003AB655
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 48fcb7d64db6206bcecf83586f5e18283dd384b2d3f4601d86440b7beebe7c50
              • Instruction ID: 9c8b0463d6a008ae23fa35cff697085e82f8e8a82cad94cb7772bd9d7f6432af
              • Opcode Fuzzy Hash: 48fcb7d64db6206bcecf83586f5e18283dd384b2d3f4601d86440b7beebe7c50
              • Instruction Fuzzy Hash: 0B214C75A00118EFCB01EF65D880EAEBBB8FF49310F1480AAE805AB361DB31A915CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00360FF6: std::exception::exception.LIBCMT ref: 0036102C
                • Part of subcall function 00360FF6: __CxxThrowException@8.LIBCMT ref: 00361041
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00398D0D
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398D3A
              • GetLastError.KERNEL32 ref: 00398D47
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: a97acb6032e1d5f0e99513bdd5aba3f7cb56f4792da7c8278f53de8e40cf22ee
              • Instruction ID: 0326076b2db7e612fccd0a2564f82dfd20330da271ee1be8f67e61dde2342e5d
              • Opcode Fuzzy Hash: a97acb6032e1d5f0e99513bdd5aba3f7cb56f4792da7c8278f53de8e40cf22ee
              • Instruction Fuzzy Hash: 421191B2414209AFDB29DF54DC86D6BB7BDFB44710B20852EF45697241EB30BC408B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003A404B
              • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 003A4088
              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003A4091
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle
              • String ID:
              • API String ID: 33631002-0
              • Opcode ID: dcd17e8c7a356fe82b1f41bb7eb5a7f6076c5a531bc32a345d01d22dd50fc325
              • Instruction ID: 0a621540faab85d6724cf3335fe8141f4fc57800be21d3d12e96ef6adae18f42
              • Opcode Fuzzy Hash: dcd17e8c7a356fe82b1f41bb7eb5a7f6076c5a531bc32a345d01d22dd50fc325
              • Instruction Fuzzy Hash: 7B118EB1D00228BEE711DBE8DC44FBFBBBCEB49710F010666BA04E7191D2B46D0587A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003A4C2C
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003A4C43
              • FreeSid.ADVAPI32(?), ref: 003A4C53
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: 5d1b9ff6b09f8cea617652660a49daa9f8382c34d27752835a41ea7a53d8b296
              • Instruction ID: d5759048ab79f6632b86e085a36c762f4314f778751bf7da72c691bdcd2a4c7f
              • Opcode Fuzzy Hash: 5d1b9ff6b09f8cea617652660a49daa9f8382c34d27752835a41ea7a53d8b296
              • Instruction Fuzzy Hash: 82F03775A51208BFDB04DFE09C89EBEBBBDEB08711F0044A9A901E2181E6706A048B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __time64.LIBCMT ref: 003A8B25
                • Part of subcall function 0036543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003A91F8,00000000,?,?,?,?,003A93A9,00000000,?), ref: 00365443
                • Part of subcall function 0036543A: __aulldiv.LIBCMT ref: 00365463
              Strings
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID: 0u@
              • API String ID: 2893107130-4290703521
              • Opcode ID: eccbb533ed62efe7b082c5cc742421fce9ea56c25980ad06ba7ff1b6c34f1470
              • Instruction ID: a5f328a08132da8c4363b60231fdd72f998255a3a56c0672fa049cdba0d2fdab
              • Opcode Fuzzy Hash: eccbb533ed62efe7b082c5cc742421fce9ea56c25980ad06ba7ff1b6c34f1470
              • Instruction Fuzzy Hash: B121E4726355108BC72ACF25D841A52B3E1EFA5311B288E6CD0F5CF2D0CA74BD05CB94
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5301bd91abbc148bf344239304e02b686a979cbbd4208935aae88bf25d0575a8
              • Instruction ID: dd1a71a9e32c01d6077687913eed9d1db055ff051e0da1addc72ac22f3de9a77
              • Opcode Fuzzy Hash: 5301bd91abbc148bf344239304e02b686a979cbbd4208935aae88bf25d0575a8
              • Instruction Fuzzy Hash: BC228B74A00216CFDB26EF58C481AAEB7F4FF08300F1585A9E856AF351E774B985CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 003AC966
              • FindClose.KERNEL32(00000000), ref: 003AC996
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 01543f74c13621d73c699fc221ea05a42195e71b40bc7b15c545270c713b4eab
              • Instruction ID: 14311bcc15cd55ccfaf8cd053610098269948a6e4ccebce23ddca168b91b9528
              • Opcode Fuzzy Hash: 01543f74c13621d73c699fc221ea05a42195e71b40bc7b15c545270c713b4eab
              • Instruction Fuzzy Hash: 771130756106009FDB119F29D845A2AF7E9EF85324F00851EF8A5DB291DB30A800CB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003B977D,?,003CFB84,?), ref: 003AA302
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003B977D,?,003CFB84,?), ref: 003AA314
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: dffcee55d902fa3889a26f8639e2a4d2bb891a0ca0663817cafc2f56ce1afbca
              • Instruction ID: cb0a6771ee0de16f05e346e6a1a1e0e7c0c1a56b97f42ae4e6e156d2ad48e0a2
              • Opcode Fuzzy Hash: dffcee55d902fa3889a26f8639e2a4d2bb891a0ca0663817cafc2f56ce1afbca
              • Instruction Fuzzy Hash: C7F0823A54422DBBDB229FA4CC48FEA776DFF09761F008165B908D6181D730A944CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00398851), ref: 00398728
              • CloseHandle.KERNEL32(?,?,00398851), ref: 0039873A
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 5903a0d816192595a5d1509146ed66512e31c8ab3a6026cf58f6fdc12e581efb
              • Instruction ID: bd4accfdb39ff09b629543a2623433004de548a66fe6f97c197675b9f3ffcf37
              • Opcode Fuzzy Hash: 5903a0d816192595a5d1509146ed66512e31c8ab3a6026cf58f6fdc12e581efb
              • Instruction Fuzzy Hash: A1E0B676010650EEEB272B60EC09D777BAEEB44750B24882AB496C4474DB62ACA0DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00368F97,?,?,?,00000001), ref: 0036A39A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0036A3A3
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 80066a17d61224719bcfd67e7de031ed731fc0b2a70e43f52ccc3a4479637432
              • Instruction ID: 9662621202b121151370905b5c84057a9e8589d17773eeed5b99fff3742932b4
              • Opcode Fuzzy Hash: 80066a17d61224719bcfd67e7de031ed731fc0b2a70e43f52ccc3a4479637432
              • Instruction Fuzzy Hash: 47B09235054248BFCA022B91EC09F883F6EEB84BA2F404020FA0DC4060CB6266508B91
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a81d0d585199ab859bd360904c7c3add7fa6e340ca80e9e1806c6e1aba9732d
              • Instruction ID: af75c2485d403b4a42c9a26a058f9d7cb7bafc7d9b5085f6e2eea100e373f265
              • Opcode Fuzzy Hash: 7a81d0d585199ab859bd360904c7c3add7fa6e340ca80e9e1806c6e1aba9732d
              • Instruction Fuzzy Hash: 43320522D6AF414DD7239634E832335A74DAFB73C4F55D737E81AB5AAAEB29C4834100
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a6c46a8d3d2d29eef4a73a0f2e8b1af26d2654e412811a61722057259f76e6b
              • Instruction ID: 1c4eae6637538904facc25de2702d601ec69f98a960ca2f88b6359e939e6ee30
              • Opcode Fuzzy Hash: 4a6c46a8d3d2d29eef4a73a0f2e8b1af26d2654e412811a61722057259f76e6b
              • Instruction Fuzzy Hash: C1B1F120D2AF414DD72396399931336BB5CAFBB2D5F92D71BFC2A74E22EB2185834141
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • BlockInput.USER32(00000001), ref: 003B4218
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: fb05a6f9ce7c15e4e744119f426f1ed17418174848d1266faa81cfe56f9cf335
              • Instruction ID: 682fa2a2e3cf10b76e4c2d44548255d4978d9f40b9edeccf0290627011cf044d
              • Opcode Fuzzy Hash: fb05a6f9ce7c15e4e744119f426f1ed17418174848d1266faa81cfe56f9cf335
              • Instruction Fuzzy Hash: 92E01A712402149FC711AF59D844A9AB7ECAF94764F018426F949DF752DA70F8408BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 003A4F18
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              • Opcode ID: aba65b0cdb8dca59dc8389788b23a0284ea7bb1b30647a0a3be8c2a6ebc78134
              • Instruction ID: 8382d97d376c7724dbfc99e26800582995b00f34353fea09b239f3eecc0ecfce
              • Opcode Fuzzy Hash: aba65b0cdb8dca59dc8389788b23a0284ea7bb1b30647a0a3be8c2a6ebc78134
              • Instruction Fuzzy Hash: 49D05EB01A42053CFC1A4B24AC0FF76010DE3C3781F8569893301C98C1A9E16800A034
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003988D1), ref: 00398CB3
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: 62fc4445b00a31f26f91c33b9f663af35fd553a28bdec64c6c741757f5c9415a
              • Instruction ID: e5519b0abcb716acfb599c30975b98c02981ffdb91e67160a53e5cc97ef2f8b7
              • Opcode Fuzzy Hash: 62fc4445b00a31f26f91c33b9f663af35fd553a28bdec64c6c741757f5c9415a
              • Instruction Fuzzy Hash: F3D05E3226050EAFEF019EA4DC01EBE3B6AEB04B01F408111FE15C50A1C775E835AB60
              Uniqueness

              Uniqueness Score: -1.00%
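
              The function records above list raw API call sequences without interpretation. As an added triage example (not part of the Joe Sandbox report or of the analysed sample), the Python below parses 'APIs' lines in the format used on this page and tags the behaviour each call sequence implies: the AllocateAndInitializeSid(…, 2, 0x20, 0x220, …) + CheckTokenMembership pair that builds S-1-5-32-544 (BUILTIN\Administrators) and tests the caller's token against it, LookupPrivilegeValueW/AdjustTokenPrivileges, BlockInput(TRUE), DeviceIoControl with control code 0x2D1400 (IOCTL_STORAGE_QUERY_PROPERTY), SetErrorMode(SEM_FAILCRITICALERRORS) around GetDiskFreeSpaceExW, LogonUserW, and the InternetQueryDataAvailable/InternetReadFile read loop. The constants are from the Windows SDK; the parser, the rule set and the tag names are this example's own assumptions, and the embedded records are copied from the function records on this page.

```python
"""Tag Joe Sandbox 'APIs' records with the behaviour each call sequence implies.

Added example, not part of the Joe Sandbox report or of the analysed sample. The
RECORDS below are copied from the function records on this page; the parser, the
rules and the tag names are this example's own assumptions about triage.
"""
import re
from dataclasses import dataclass

# One '• Api.MODULE(args), ref: ADDR' line; the argument list is optional.
CALL_RE = re.compile(
    r"^\s*•\s*([\w:@]+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Windows SDK constants the rules match on.
SECURITY_BUILTIN_DOMAIN_RID = 0x20       # 0x20 + 0x220 as sub-authorities:
DOMAIN_ALIAS_RID_ADMINS = 0x220          # BUILTIN\Administrators, S-1-5-32-544
IOCTL_STORAGE_QUERY_PROPERTY = 0x2D1400  # CTL_CODE(0x2D, 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS)
SEM_FAILCRITICALERRORS = 0x1


@dataclass
class Call:
    name: str
    module: str
    args: list  # int for an 8-digit hex literal, None for '?' (unresolved by the sandbox)
    ref: int    # call-site address

def parse_call(line):
    """Parse one call line; None for headers, nested 'Part of subcall' lines, etc."""
    if "Part of subcall" in line:  # a callee's calls, not this function's own
        return None
    m = CALL_RE.match(line)
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    args = []
    for tok in (raw_args or "").split(","):
        tok = tok.strip()
        if tok:
            args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None)
    return Call(name, module, args, int(ref, 16))

def parse_record(text):
    """Direct API calls of one record's 'APIs' block, in report order."""
    return [c for c in map(parse_call, text.splitlines()) if c]

def tag_record(calls):
    """Behaviour tags implied by a record's call sequence (this example's rules)."""
    names = {c.name for c in calls}
    args_of = lambda n: [c.args for c in calls if c.name == n]  # all calls to n, in order
    tags = []
    if {"AllocateAndInitializeSid", "CheckTokenMembership"} <= names:
        # nSubAuthorityCount 2 with sub-authorities 0x20, 0x220 builds S-1-5-32-544
        if any(a[1:4] == [2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]
               for a in args_of("AllocateAndInitializeSid")):
            tags.append("admin-check: CheckTokenMembership against BUILTIN\\Administrators")
        else:
            tags.append("group-check: CheckTokenMembership against a constructed SID")
    if "AdjustTokenPrivileges" in names:
        tags.append("privilege-adjust: AdjustTokenPrivileges on a process/thread token")
    if "LogonUserW" in names:
        tags.append("alt-logon: LogonUserW obtains a token for supplied credentials")
    if any(a[:1] == [1] for a in args_of("BlockInput")):
        tags.append("input-block: BlockInput(TRUE) blocks keyboard and mouse input")
    for a in args_of("DeviceIoControl"):
        code = a[1] if len(a) > 1 else None
        if code == IOCTL_STORAGE_QUERY_PROPERTY:
            tags.append("disk-query: IOCTL_STORAGE_QUERY_PROPERTY (bus type, vendor/product)")
        elif code is not None:
            tags.append(f"device-io: DeviceIoControl code 0x{code:X}")
    if any(a[:1] == [SEM_FAILCRITICALERRORS] for a in args_of("SetErrorMode")):
        tags.append("quiet-probe: SEM_FAILCRITICALERRORS set while probing a drive")
    if {"InternetQueryDataAvailable", "InternetReadFile"} <= names:
        tags.append("wininet-read: InternetQueryDataAvailable/InternetReadFile loop")
    return tags

# Constructed input: 'APIs' blocks copied from the records on this page, keyed by call site.
RECORDS = {
    "0x3B26D5": """• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 003B26D5
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003B270C""",
    "0x3AB5AE": """• SetErrorMode.KERNEL32(00000001), ref: 003AB5AE
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003AB608
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003AB655""",
    "0x398D0D": """• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00398D0D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398D3A
• GetLastError.KERNEL32 ref: 00398D47""",
    "0x3A404B": """• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003A404B
• DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 003A4088
• CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003A4091""",
    "0x3A4C2C": """• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003A4C2C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003A4C43
• FreeSid.ADVAPI32(?), ref: 003A4C53""",
    "0x3B4218": "• BlockInput.USER32(00000001), ref: 003B4218",
    "0x398CB3": "• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003988D1), ref: 00398CB3",
}

def tag_all(records=RECORDS):
    """Map each record label to its tags."""
    return {label: tag_record(parse_record(text)) for label, text in records.items()}
```

              The tags describe what a call sequence does, not why the sample contains it. BlockInput, mouse_event, LogonUserW and the Administrators-SID membership check are all standard AutoIt runtime built-ins (BlockInput(), MouseClick(), RunAs(), IsAdmin()), so on a binary flagged as a compiled AutoIt script their presence in the static records reflects the interpreter's capability set; which of them the embedded script actually invokes is a question for the dynamic behaviour sections of the report.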

              APIs
              • GetUserNameW.ADVAPI32(?,?), ref: 00382242
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              • Opcode ID: 27c4e115dc16078e15e9c87bbf4c0679948d9ea59fbdbb8ee7b563196560f225
              • Instruction ID: 93ae8db070981219d7106e295939257eb996c92ccc236fb33e01bf5e23572219
              • Opcode Fuzzy Hash: 27c4e115dc16078e15e9c87bbf4c0679948d9ea59fbdbb8ee7b563196560f225
              • Instruction Fuzzy Hash: 81C04CF1801119DBDB06DB90D988DEE77BDAB04304F2040A6A102F2100D7749B448B71
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0036A36A
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 3a05c1f2d67906932a194d85ea3797e36fc41065210813540e99d53e520cab66
              • Instruction ID: 12ca8c5472b1c937089a1010175d978ca261ef9d24051b911c9533b9de4ddb52
              • Opcode Fuzzy Hash: 3a05c1f2d67906932a194d85ea3797e36fc41065210813540e99d53e520cab66
              • Instruction Fuzzy Hash: F1A0113000020CBB8A022B82EC08888BFAEEA802A0B008020F80C800228B32AA208A80
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: 4
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1313713721.0000000003AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_3ad0000_SWH_67367383992_939930039003___________________________.jbxd
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetTextColor.GDI32(?,00000000), ref: 003CA89F
              • GetSysColorBrush.USER32(0000000F), ref: 003CA8D0
              • GetSysColor.USER32(0000000F), ref: 003CA8DC
              • SetBkColor.GDI32(?,000000FF), ref: 003CA8F6
              • SelectObject.GDI32(?,?), ref: 003CA905
              • InflateRect.USER32(?,000000FF,000000FF), ref: 003CA930
              • GetSysColor.USER32(00000010), ref: 003CA938
              • CreateSolidBrush.GDI32(00000000), ref: 003CA93F
              • FrameRect.USER32(?,?,00000000), ref: 003CA94E
              • DeleteObject.GDI32(00000000), ref: 003CA955
              • InflateRect.USER32(?,000000FE,000000FE), ref: 003CA9A0
              • FillRect.USER32(?,?,?), ref: 003CA9D2
              • GetWindowLongW.USER32(?,000000F0), ref: 003CA9FD
                • Part of subcall function 003CAB60: GetSysColor.USER32(00000012), ref: 003CAB99
                • Part of subcall function 003CAB60: SetTextColor.GDI32(?,?), ref: 003CAB9D
                • Part of subcall function 003CAB60: GetSysColorBrush.USER32(0000000F), ref: 003CABB3
                • Part of subcall function 003CAB60: GetSysColor.USER32(0000000F), ref: 003CABBE
                • Part of subcall function 003CAB60: GetSysColor.USER32(00000011), ref: 003CABDB
                • Part of subcall function 003CAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003CABE9
                • Part of subcall function 003CAB60: SelectObject.GDI32(?,00000000), ref: 003CABFA
                • Part of subcall function 003CAB60: SetBkColor.GDI32(?,00000000), ref: 003CAC03
                • Part of subcall function 003CAB60: SelectObject.GDI32(?,?), ref: 003CAC10
                • Part of subcall function 003CAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 003CAC2F
                • Part of subcall function 003CAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003CAC46
                • Part of subcall function 003CAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 003CAC5B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
              • String ID: @U=u
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?,003CF910), ref: 003C38AF
              • IsWindowVisible.USER32(?), ref: 003C38D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00342CA2
              • DeleteObject.GDI32(00000000), ref: 00342CE8
              • DeleteObject.GDI32(00000000), ref: 00342CF3
              • DestroyIcon.USER32(00000000,?,?,?), ref: 00342CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00342D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0037C68B
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0037C6C4
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0037CAED
                • Part of subcall function 00341B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00342036,?,00000000,?,?,?,?,003416CB,00000000,?), ref: 00341B9A
              • SendMessageW.USER32(?,00001053), ref: 0037CB2A
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0037CB41
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0037CB57
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0037CB62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0$@U=u
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(00000000), ref: 003B77F1
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003B78B0
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003B78EE
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003B7900
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 003B7946
              • GetClientRect.USER32(00000000,?), ref: 003B7952
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 003B7996
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003B79A5
              • GetStockObject.GDI32(00000011), ref: 003B79B5
              • SelectObject.GDI32(00000000,00000000), ref: 003B79B9
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003B79C9
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003B79D2
              • DeleteDC.GDI32(00000000), ref: 003B79DB
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003B7A07
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 003B7A1E
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003B7A59
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003B7A6D
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 003B7A7E
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 003B7AAE
              • GetStockObject.GDI32(00000011), ref: 003B7AB9
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003B7AC4
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003B7ACE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSysColor.USER32(00000012), ref: 003CAB99
              • SetTextColor.GDI32(?,?), ref: 003CAB9D
              • GetSysColorBrush.USER32(0000000F), ref: 003CABB3
              • GetSysColor.USER32(0000000F), ref: 003CABBE
              • CreateSolidBrush.GDI32(?), ref: 003CABC3
              • GetSysColor.USER32(00000011), ref: 003CABDB
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003CABE9
              • SelectObject.GDI32(?,00000000), ref: 003CABFA
              • SetBkColor.GDI32(?,00000000), ref: 003CAC03
              • SelectObject.GDI32(?,?), ref: 003CAC10
              • InflateRect.USER32(?,000000FF,000000FF), ref: 003CAC2F
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003CAC46
              • GetWindowLongW.USER32(00000000,000000F0), ref: 003CAC5B
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003CACA7
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003CACCE
              • InflateRect.USER32(?,000000FD,000000FD), ref: 003CACEC
              • DrawFocusRect.USER32(?,?), ref: 003CACF7
              • GetSysColor.USER32(00000011), ref: 003CAD05
              • SetTextColor.GDI32(?,00000000), ref: 003CAD0D
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003CAD21
              • SelectObject.GDI32(?,003CA869), ref: 003CAD38
              • DeleteObject.GDI32(?), ref: 003CAD43
              • SelectObject.GDI32(?,?), ref: 003CAD49
              • DeleteObject.GDI32(?), ref: 003CAD4E
              • SetTextColor.GDI32(?,?), ref: 003CAD54
              • SetBkColor.GDI32(?,?), ref: 003CAD5E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID: @U=u
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 003AAF89
              • GetDriveTypeW.KERNEL32(?,003CFAC0,?,\\.\,003CF910), ref: 003AB066
              • SetErrorMode.KERNEL32(00000000,003CFAC0,?,\\.\,003CF910), ref: 003AB1C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003C8D34
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C8D45
              • CharNextW.USER32(0000014E), ref: 003C8D74
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003C8DB5
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003C8DCB
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C8DDC
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003C8DF9
              • SetWindowTextW.USER32(?,0000014E), ref: 003C8E45
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003C8E5B
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C8E8C
              • _memset.LIBCMT ref: 003C8EB1
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003C8EFA
              • _memset.LIBCMT ref: 003C8F59
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 003C8F83
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 003C8FDB
              • SendMessageW.USER32(?,0000133D,?,?), ref: 003C9088
              • InvalidateRect.USER32(?,00000000,00000001), ref: 003C90AA
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C90F4
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C9121
              • DrawMenuBar.USER32(?), ref: 003C9130
              • SetWindowTextW.USER32(?,0000014E), ref: 003C9158
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0$@U=u
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?), ref: 003C4C51
              • GetDesktopWindow.USER32 ref: 003C4C66
              • GetWindowRect.USER32(00000000), ref: 003C4C6D
              • GetWindowLongW.USER32(?,000000F0), ref: 003C4CCF
              • DestroyWindow.USER32(?), ref: 003C4CFB
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003C4D24
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C4D42
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003C4D68
              • SendMessageW.USER32(?,00000421,?,?), ref: 003C4D7D
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003C4D90
              • IsWindowVisible.USER32(?), ref: 003C4DB0
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003C4DCB
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003C4DDF
              • GetWindowRect.USER32(?,?), ref: 003C4DF7
              • MonitorFromPoint.USER32(?,?,00000002), ref: 003C4E1D
              • GetMonitorInfoW.USER32(00000000,?), ref: 003C4E37
              • CopyRect.USER32(?,?), ref: 003C4E4E
              • SendMessageW.USER32(?,00000412,00000000), ref: 003C4EB9
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: 1a5e9bdc5b84a1f05026bd11bb66fe37c8ce226320830621ae73dadbb433a9a1
              • Instruction ID: a2c37a997bef08ded240df232b41937d4244a279facece9b923a3cc679c99357
              • Opcode Fuzzy Hash: 1a5e9bdc5b84a1f05026bd11bb66fe37c8ce226320830621ae73dadbb433a9a1
              • Instruction Fuzzy Hash: 86B14771604340AFDB06DF64C998F6ABBE9BB88710F01891DF599DB2A1DB71EC04CB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 003A46E8
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003A470E
              • _wcscpy.LIBCMT ref: 003A473C
              • _wcscmp.LIBCMT ref: 003A4747
              • _wcscat.LIBCMT ref: 003A475D
              • _wcsstr.LIBCMT ref: 003A4768
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003A4784
              • _wcscat.LIBCMT ref: 003A47CD
              • _wcscat.LIBCMT ref: 003A47D4
              • _wcsncpy.LIBCMT ref: 003A47FF
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: ebdc544a607fd2becde6f5f057b6e5c40fc40743c8388cc655fd24813feb19f0
              • Instruction ID: 2557539d5a48c81b191870f7c0b7c1f19afff3b01c2957063494091d544e102f
              • Opcode Fuzzy Hash: ebdc544a607fd2becde6f5f057b6e5c40fc40743c8388cc655fd24813feb19f0
              • Instruction Fuzzy Hash: 60412876A002047EDB13A7749C43EBF77BCDF46710F04816AF905EA182EB76AA0197A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003428BC
              • GetSystemMetrics.USER32(00000007), ref: 003428C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003428EF
              • GetSystemMetrics.USER32(00000008), ref: 003428F7
              • GetSystemMetrics.USER32(00000004), ref: 0034291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00342939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00342949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0034297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00342990
              • GetClientRect.USER32(00000000,000000FF), ref: 003429AE
              • GetStockObject.GDI32(00000011), ref: 003429CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 003429D5
                • Part of subcall function 00342344: GetCursorPos.USER32(?), ref: 00342357
                • Part of subcall function 00342344: ScreenToClient.USER32(004067B0,?), ref: 00342374
                • Part of subcall function 00342344: GetAsyncKeyState.USER32(00000001), ref: 00342399
                • Part of subcall function 00342344: GetAsyncKeyState.USER32(00000002), ref: 003423A7
              • SetTimer.USER32(00000000,00000000,00000028,00341256), ref: 003429FC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: @U=u$AutoIt v3 GUI
              • API String ID: 1458621304-2077007950
              • Opcode ID: 1a9276681b3b0aae72939b5b41f713cf9603bde4e32718af9e5500c862e7698f
              • Instruction ID: 96b2e54c875faa170cff4e1bf35b3c400c0a80a5bc6f0678ac7c04611e3919d9
              • Opcode Fuzzy Hash: 1a9276681b3b0aae72939b5b41f713cf9603bde4e32718af9e5500c862e7698f
              • Instruction Fuzzy Hash: 01B18E7560020ADFDB16DFA8DC45FAE7BB9FB08310F118129FA16EB290CB74A850CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadIconW.USER32(00000063), ref: 0039C4D4
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0039C4E6
              • SetWindowTextW.USER32(?,?), ref: 0039C4FD
              • GetDlgItem.USER32(?,000003EA), ref: 0039C512
              • SetWindowTextW.USER32(00000000,?), ref: 0039C518
              • GetDlgItem.USER32(?,000003E9), ref: 0039C528
              • SetWindowTextW.USER32(00000000,?), ref: 0039C52E
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0039C54F
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0039C569
              • GetWindowRect.USER32(?,?), ref: 0039C572
              • SetWindowTextW.USER32(?,?), ref: 0039C5DD
              • GetDesktopWindow.USER32 ref: 0039C5E3
              • GetWindowRect.USER32(00000000), ref: 0039C5EA
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0039C636
              • GetClientRect.USER32(?,?), ref: 0039C643
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0039C668
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0039C693
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID: @U=u
              • API String ID: 3869813825-2594219639
              • Opcode ID: 573ba2e7bc43dba213f303539bc54d90affa7f8f093349dbc89bd6c0b0300a2a
              • Instruction ID: a980d30bf453ac58142df738fe5154f846896947b4cfc9dc30ad5ee79dc6a43c
              • Opcode Fuzzy Hash: 573ba2e7bc43dba213f303539bc54d90affa7f8f093349dbc89bd6c0b0300a2a
              • Instruction Fuzzy Hash: 81516F71900709AFDB22EFA9DD85F6EBBB9FF04704F014528E686A25A0C775B914CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 003C40F6
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003C41B6
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-1753161424
              • Opcode ID: 514b284a6e02951be047c9d964492e8e3fdcc1cf8cdf709d4c926bcc1c730f4f
              • Instruction ID: 42f9864227804e92326d55bf4d8f2f840d38680f7e0769daa7f60a121327dd41
              • Opcode Fuzzy Hash: 514b284a6e02951be047c9d964492e8e3fdcc1cf8cdf709d4c926bcc1c730f4f
              • Instruction Fuzzy Hash: 43A18D742142459FCB16EF20C962F6AB3E9AF84314F14896DB8969F792DB30FC09CB41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • DragQueryPoint.SHELL32(?,?), ref: 003CC917
                • Part of subcall function 003CADF1: ClientToScreen.USER32(?,?), ref: 003CAE1A
                • Part of subcall function 003CADF1: GetWindowRect.USER32(?,?), ref: 003CAE90
                • Part of subcall function 003CADF1: PtInRect.USER32(?,?,003CC304), ref: 003CAEA0
              • SendMessageW.USER32(?,000000B0,?,?), ref: 003CC980
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003CC98B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003CC9AE
              • _wcscat.LIBCMT ref: 003CC9DE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003CC9F5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 003CCA0E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 003CCA25
              • SendMessageW.USER32(?,000000B1,?,?), ref: 003CCA47
              • DragFinish.SHELL32(?), ref: 003CCA4E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003CCB41
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$pr@
              • API String ID: 169749273-803660837
              • Opcode ID: d74d32e7aefbd85b4f50f85cddfb05d545a4d954b2fd7373060ce97054631f79
              • Instruction ID: 63658d3b8364cc55cc7b6acd24fd82307bd7682a5a574757adc024197948af8c
              • Opcode Fuzzy Hash: d74d32e7aefbd85b4f50f85cddfb05d545a4d954b2fd7373060ce97054631f79
              • Instruction Fuzzy Hash: EE615072108305AFC702DF54CC85E9FBBE9EF89750F00092EF5969B1A1DB70AA49CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadCursorW.USER32(00000000,00007F89), ref: 003B5309
              • LoadCursorW.USER32(00000000,00007F8A), ref: 003B5314
              • LoadCursorW.USER32(00000000,00007F00), ref: 003B531F
              • LoadCursorW.USER32(00000000,00007F03), ref: 003B532A
              • LoadCursorW.USER32(00000000,00007F8B), ref: 003B5335
              • LoadCursorW.USER32(00000000,00007F01), ref: 003B5340
              • LoadCursorW.USER32(00000000,00007F81), ref: 003B534B
              • LoadCursorW.USER32(00000000,00007F88), ref: 003B5356
              • LoadCursorW.USER32(00000000,00007F80), ref: 003B5361
              • LoadCursorW.USER32(00000000,00007F86), ref: 003B536C
              • LoadCursorW.USER32(00000000,00007F83), ref: 003B5377
              • LoadCursorW.USER32(00000000,00007F85), ref: 003B5382
              • LoadCursorW.USER32(00000000,00007F82), ref: 003B538D
              • LoadCursorW.USER32(00000000,00007F84), ref: 003B5398
              • LoadCursorW.USER32(00000000,00007F04), ref: 003B53A3
              • LoadCursorW.USER32(00000000,00007F02), ref: 003B53AE
              • GetCursorInfo.USER32(?), ref: 003B53BE
              • GetLastError.KERNEL32(00000001,00000000), ref: 003B53E9
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Cursor$Load$ErrorInfoLast
              • String ID:
              • API String ID: 3215588206-0
              • Opcode ID: f1aae7dd2d7678665ad0b3ce21310ebfbdac75975ac7db45d6f854d5a2659d7f
              • Instruction ID: c9f61afa1cb2308d217a52376fa21b8b6b3e46f586f60fea902d76f6cef67855
              • Opcode Fuzzy Hash: f1aae7dd2d7678665ad0b3ce21310ebfbdac75975ac7db45d6f854d5a2659d7f
              • Instruction Fuzzy Hash: 45415370E043196ADB119FBA8C49D6FFFF8EF51B50B10452FA509EB290DAB8A4018E51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 0039AAA5
              • __swprintf.LIBCMT ref: 0039AB46
              • _wcscmp.LIBCMT ref: 0039AB59
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0039ABAE
              • _wcscmp.LIBCMT ref: 0039ABEA
              • GetClassNameW.USER32(?,?,00000400), ref: 0039AC21
              • GetDlgCtrlID.USER32(?), ref: 0039AC73
              • GetWindowRect.USER32(?,?), ref: 0039ACA9
              • GetParent.USER32(?), ref: 0039ACC7
              • ScreenToClient.USER32(00000000), ref: 0039ACCE
              • GetClassNameW.USER32(?,?,00000100), ref: 0039AD48
              • _wcscmp.LIBCMT ref: 0039AD5C
              • GetWindowTextW.USER32(?,?,00000400), ref: 0039AD82
              • _wcscmp.LIBCMT ref: 0039AD96
                • Part of subcall function 0036386C: _iswctype.LIBCMT ref: 00363874
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              • Opcode ID: d8302201a042c3e526dd98879d95b37309d5024e59f4d32ac3567886c1c71b80
              • Instruction ID: a00bd7c1024bc1ea3057993c0ae5625ba449cc0f518e3ed75b844fe160bd931e
              • Opcode Fuzzy Hash: d8302201a042c3e526dd98879d95b37309d5024e59f4d32ac3567886c1c71b80
              • Instruction Fuzzy Hash: 74A1DF72204B06AFDB16DF24C894FAAB7E8FF04315F108629F999C6590DB30E955CBD2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 0039B3DB
              • _wcscmp.LIBCMT ref: 0039B3EC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0039B414
              • CharUpperBuffW.USER32(?,00000000), ref: 0039B431
              • _wcscmp.LIBCMT ref: 0039B44F
              • _wcsstr.LIBCMT ref: 0039B460
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0039B498
              • _wcscmp.LIBCMT ref: 0039B4A8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0039B4CF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0039B518
              • _wcscmp.LIBCMT ref: 0039B528
              • GetClassNameW.USER32(00000010,?,00000400), ref: 0039B550
              • GetWindowRect.USER32(00000004,?), ref: 0039B5B9
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: 574e89ed824b7843e4bfc4f0a598c8494bdceb81dd8747718279f2518d320f85
              • Instruction ID: c0c36190429521dde5d2539dbb4d5021dfe9bd46ca3c75ba20c19c8de23c6511
              • Opcode Fuzzy Hash: 574e89ed824b7843e4bfc4f0a598c8494bdceb81dd8747718279f2518d320f85
              • Instruction Fuzzy Hash: F381B0710083099FDF06DF11EA85FAABBE8EF44314F058569FD859A0A6DB30ED49CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003CA4C8
              • DestroyWindow.USER32(?,?), ref: 003CA542
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003CA5BC
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003CA5DE
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003CA5F1
              • DestroyWindow.USER32(00000000), ref: 003CA613
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00340000,00000000), ref: 003CA64A
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003CA663
              • GetDesktopWindow.USER32 ref: 003CA67C
              • GetWindowRect.USER32(00000000), ref: 003CA683
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003CA69B
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003CA6B3
                • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$@U=u$tooltips_class32
              • API String ID: 1297703922-1130792468
              • Opcode ID: 4e651df9bca0f20af4f5f18d60603f3096fdb9ea9fad385cf5d46975caf255d0
              • Instruction ID: 2a748e94cd9ede3db66fd89d56dd4ce9107c3704678c9a49fae973182a0a5aab
              • Opcode Fuzzy Hash: 4e651df9bca0f20af4f5f18d60603f3096fdb9ea9fad385cf5d46975caf255d0
              • Instruction Fuzzy Hash: 88719D71140609AFD722DF28CC49F6677EAEB88308F09452DF985DB2A0CB70ED25DB16
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: 5d399e4f93db785b2e0b50c0a2622f1e1f7f72357bf8d39b90d338de3c5508fb
              • Instruction ID: 65b851377e18e61a679a9aaf3a7518fde83584f0def3acaa7d7d4a87bf8e590a
              • Opcode Fuzzy Hash: 5d399e4f93db785b2e0b50c0a2622f1e1f7f72357bf8d39b90d338de3c5508fb
              • Instruction Fuzzy Hash: 7B317C31A04209A6DF17FB60DE83FFEB7A89F14750F600526F581B90E6EF616E08C951
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 003C46AB
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C46F6
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-383632319
              • Opcode ID: 5c8a632d825b4d644d56093cf8145378fc2d3fb9cbd4a85a43ca25eaa0847f34
              • Instruction ID: fa25207b9572643593bcd608d5c1c3b24550f4e7363cd269dd6d5cc59a7d814c
              • Opcode Fuzzy Hash: 5c8a632d825b4d644d56093cf8145378fc2d3fb9cbd4a85a43ca25eaa0847f34
              • Instruction Fuzzy Hash: 79915C742047159BCB16EF10C861B6AB7E5AF84314F04885DB8969F7A2CB31FD4ACB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,003CFB78), ref: 003AA0FC
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
              • LoadStringW.USER32(?,?,00000FFF,?), ref: 003AA11E
              • __swprintf.LIBCMT ref: 003AA177
              • __swprintf.LIBCMT ref: 003AA190
              • _wprintf.LIBCMT ref: 003AA246
              • _wprintf.LIBCMT ref: 003AA264
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf$_memmove
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%=
              • API String ID: 311963372-1034662572
              • Opcode ID: c42ed5a35b3ce1e47008934a473bbeb6f7a4d8a424fed9f8770d9c858178da8a
              • Instruction ID: 9bbe371dfcdbc4705db8ae46e1f51b47b2ee5f65d3435c3709b62d88755367b8
              • Opcode Fuzzy Hash: c42ed5a35b3ce1e47008934a473bbeb6f7a4d8a424fed9f8770d9c858178da8a
              • Instruction Fuzzy Hash: 07518D72904609ABCF17EBA0CD86EEEB7B8EF15300F100165F5057A0A1EB316F58DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
              • CharLowerBuffW.USER32(?,?), ref: 003AA636
              • GetDriveTypeW.KERNEL32 ref: 003AA683
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA6CB
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA702
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA730
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: 93e998fb80e2e14a5636b60cdfb076e89dd6bd932d36aa886e26c621a2bf1942
              • Instruction ID: 2cf524b32354321cd2049fc23d1bbbbe2b5b56293071508f28d6fed6d1b3ad67
              • Opcode Fuzzy Hash: 93e998fb80e2e14a5636b60cdfb076e89dd6bd932d36aa886e26c621a2bf1942
              • Instruction Fuzzy Hash: F7515B751047059FC702EF20C88196BB7F8FF94718F04896DF89A9B261DB31AE0ACB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003AA47A
              • __swprintf.LIBCMT ref: 003AA49C
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 003AA4D9
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003AA4FE
              • _memset.LIBCMT ref: 003AA51D
              • _wcsncpy.LIBCMT ref: 003AA559
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003AA58E
              • CloseHandle.KERNEL32(00000000), ref: 003AA599
              • RemoveDirectoryW.KERNEL32(?), ref: 003AA5A2
              • CloseHandle.KERNEL32(00000000), ref: 003AA5AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: 2d6455be586640d78925b1461352fc5d8a64c1bdd0e223d9487ec595cb43a0e7
              • Instruction ID: a062607ed0bc2e4f44567cd15364a3fea44d929c9181de15f266200b8b27b811
              • Opcode Fuzzy Hash: 2d6455be586640d78925b1461352fc5d8a64c1bdd0e223d9487ec595cb43a0e7
              • Instruction Fuzzy Hash: 603190B6900219ABDB229FA1DC49FFB77BDEF89701F1041B6F908D6160E770A644CB25
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003CC4EC
              • GetFocus.USER32 ref: 003CC4FC
              • GetDlgCtrlID.USER32(00000000), ref: 003CC507
              • _memset.LIBCMT ref: 003CC632
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003CC65D
              • GetMenuItemCount.USER32(?), ref: 003CC67D
              • GetMenuItemID.USER32(?,00000000), ref: 003CC690
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003CC6C4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003CC70C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003CC744
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003CC779
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              • Opcode ID: 54fbe4af15a35fc1e7ec9bd3619a014cabfcff0e34edfa01c1ca5dca72c6dd08
              • Instruction ID: 26269dddeb2ced5602025ff2ac85e792dafb65d508bf3d57db123cb783793f4c
              • Opcode Fuzzy Hash: 54fbe4af15a35fc1e7ec9bd3619a014cabfcff0e34edfa01c1ca5dca72c6dd08
              • Instruction Fuzzy Hash: E2818871218301AFDB12DF24C984E6BBBE9EB89314F01592DF999D7291C730ED15CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0039874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00398766
                • Part of subcall function 0039874A: GetLastError.KERNEL32(?,0039822A,?,?,?), ref: 00398770
                • Part of subcall function 0039874A: GetProcessHeap.KERNEL32(00000008,?,?,0039822A,?,?,?), ref: 0039877F
                • Part of subcall function 0039874A: HeapAlloc.KERNEL32(00000000,?,0039822A,?,?,?), ref: 00398786
                • Part of subcall function 0039874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039879D
                • Part of subcall function 003987E7: GetProcessHeap.KERNEL32(00000008,00398240,00000000,00000000,?,00398240,?), ref: 003987F3
                • Part of subcall function 003987E7: HeapAlloc.KERNEL32(00000000,?,00398240,?), ref: 003987FA
                • Part of subcall function 003987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00398240,?), ref: 0039880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00398458
              • _memset.LIBCMT ref: 0039846D
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0039848C
              • GetLengthSid.ADVAPI32(?), ref: 0039849D
              • GetAce.ADVAPI32(?,00000000,?), ref: 003984DA
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003984F6
              • GetLengthSid.ADVAPI32(?), ref: 00398513
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00398522
              • HeapAlloc.KERNEL32(00000000), ref: 00398529
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0039854A
              • CopySid.ADVAPI32(00000000), ref: 00398551
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00398582
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003985A8
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 003985BC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 7528058ec5eef340f06f230257d120f23bb65ba7371448135322245ab5fff8d6
              • Instruction ID: 05ccc32b62eb0464494637125a844c6a9342f410d99116f7fbb016f85164c410
              • Opcode Fuzzy Hash: 7528058ec5eef340f06f230257d120f23bb65ba7371448135322245ab5fff8d6
              • Instruction Fuzzy Hash: E9614D7190021AAFDF02DF94DC45EAEBBB9FF46700F058169E915E7291DB31AA09CF60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDC.USER32(00000000), ref: 003B76A2
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003B76AE
              • CreateCompatibleDC.GDI32(?), ref: 003B76BA
              • SelectObject.GDI32(00000000,?), ref: 003B76C7
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003B771B
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 003B7757
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003B777B
              • SelectObject.GDI32(00000006,?), ref: 003B7783
              • DeleteObject.GDI32(?), ref: 003B778C
              • DeleteDC.GDI32(00000006), ref: 003B7793
              • ReleaseDC.USER32(00000000,?), ref: 003B779E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: 943ed42f72fb5af53071324fd0a4c53dc03cafe61412affb7fe008c8e9c85f9a
              • Instruction ID: 5cc02a8bf868c35b8b7f3ff1e7024381e7702e18311c2861b31462e4e6ee5a6a
              • Opcode Fuzzy Hash: 943ed42f72fb5af53071324fd0a4c53dc03cafe61412affb7fe008c8e9c85f9a
              • Instruction Fuzzy Hash: 83512975904219EFCB16CFA8CC85EAEBBB9EF48710F14852DFA5AD7610D731A940CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • timeGetTime.WINMM ref: 003A521C
                • Part of subcall function 00360719: timeGetTime.WINMM(?,753DB400,00350FF9), ref: 0036071D
              • Sleep.KERNEL32(0000000A), ref: 003A5248
              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 003A526C
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003A528E
              • SetActiveWindow.USER32 ref: 003A52AD
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003A52BB
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 003A52DA
              • Sleep.KERNEL32(000000FA), ref: 003A52E5
              • IsWindow.USER32 ref: 003A52F1
              • EndDialog.USER32(00000000), ref: 003A5302
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: @U=u$BUTTON
              • API String ID: 1194449130-2582809321
              • Opcode ID: 8fd35c514ffceb109050aa328adb9aee71ee2236127ecf62822135321a4e3bfe
              • Instruction ID: 670c14dc67843a06bbefe3fca82c4b74c03d578087b559a56ccc84cbe6f73eef
              • Opcode Fuzzy Hash: 8fd35c514ffceb109050aa328adb9aee71ee2236127ecf62822135321a4e3bfe
              • Instruction Fuzzy Hash: 2521A171204744BFEB035F20EE89F663B6EEB9638AF051478F101E15B1CBB1AC108B26
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00360B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00346C6C,?,00008000), ref: 00360BB7
                • Part of subcall function 003448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003448A1,?,?,003437C0,?), ref: 003448CE
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00346D0D
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00346E5A
                • Part of subcall function 003459CD: _wcscpy.LIBCMT ref: 00345A05
                • Part of subcall function 0036387D: _iswctype.LIBCMT ref: 00363885
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: 4abafeb5d6d4d093e91c2b8c5a41d660096188f4886c3f284e9b7b77402e1c14
              • Instruction ID: 295f1e272394b635bf61069a328e56450885cff039e0ca08e4b391a3c9cba54a
              • Opcode Fuzzy Hash: 4abafeb5d6d4d093e91c2b8c5a41d660096188f4886c3f284e9b7b77402e1c14
              • Instruction Fuzzy Hash: 870270715083419FC726EF24C881AAFBBE5EF99354F04491DF4899B2A2DB34E949CB43
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003445F9
              • GetMenuItemCount.USER32(00406890), ref: 0037D7CD
              • GetMenuItemCount.USER32(00406890), ref: 0037D87D
              • GetCursorPos.USER32(?), ref: 0037D8C1
              • SetForegroundWindow.USER32(00000000), ref: 0037D8CA
              • TrackPopupMenuEx.USER32(00406890,00000000,?,00000000,00000000,00000000), ref: 0037D8DD
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0037D8E9
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 2751501086-0
              • Opcode ID: 8525e8521d3c573476ec2848f1c3a526fe217b547db5c11a18b7433286ae7d4b
              • Instruction ID: daf8152f8bef405180128a68702dff294d1c4da8978a95384cf9205540629019
              • Opcode Fuzzy Hash: 8525e8521d3c573476ec2848f1c3a526fe217b547db5c11a18b7433286ae7d4b
              • Instruction Fuzzy Hash: E7711870601245BEEB369F14DC45FAABFB9FF05364F204226F519AA1E0C7B96C10DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 003B8BEC
              • CoInitialize.OLE32(00000000), ref: 003B8C19
              • CoUninitialize.OLE32 ref: 003B8C23
              • GetRunningObjectTable.OLE32(00000000,?), ref: 003B8D23
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 003B8E50
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003D2C0C), ref: 003B8E84
              • CoGetObject.OLE32(?,00000000,003D2C0C,?), ref: 003B8EA7
              • SetErrorMode.KERNEL32(00000000), ref: 003B8EBA
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003B8F3A
              • VariantClear.OLEAUT32(?), ref: 003B8F4A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID: ,,=
              • API String ID: 2395222682-2941206825
              • Opcode ID: a74837e58cf6075bebf8ff80c40296f3aef6a5cd4ad0ca7ed930e89acd32041d
              • Instruction ID: 11330917de2ca5dee22d2dc0291115d7040d8f08ae2dbb09113553b0ec9a8b51
              • Opcode Fuzzy Hash: a74837e58cf6075bebf8ff80c40296f3aef6a5cd4ad0ca7ed930e89acd32041d
              • Instruction Fuzzy Hash: BDC103B1608305AFC702EF64C884A6BB7E9BF89748F00495DF689DB251DB71ED05CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                • Part of subcall function 00342344: GetCursorPos.USER32(?), ref: 00342357
                • Part of subcall function 00342344: ScreenToClient.USER32(004067B0,?), ref: 00342374
                • Part of subcall function 00342344: GetAsyncKeyState.USER32(00000001), ref: 00342399
                • Part of subcall function 00342344: GetAsyncKeyState.USER32(00000002), ref: 003423A7
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 003CC2E4
              • ImageList_EndDrag.COMCTL32 ref: 003CC2EA
              • ReleaseCapture.USER32 ref: 003CC2F0
              • SetWindowTextW.USER32(?,00000000), ref: 003CC39A
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003CC3AD
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 003CC48F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$pr@$pr@
              • API String ID: 1924731296-2961276154
              • Opcode ID: 3e736c33199e2255737a5b7b76ef85fde039e0d078d5fd043b97ef473cd48728
              • Instruction ID: 39226a71fabdf702210090e7e194af710b8a75a68a845d3c163967e66db628b9
              • Opcode Fuzzy Hash: 3e736c33199e2255737a5b7b76ef85fde039e0d078d5fd043b97ef473cd48728
              • Instruction Fuzzy Hash: A6518C71204304AFDB06EF24CC56F6A7BE5EB88314F00892DF5969B2E1DB71A958CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,003C0038,?,?), ref: 003C10BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 2f4a8b8147c33ad0cb3d06e039a73389fbae4b5bb92a5896c31dd1f7c62a8085
              • Instruction ID: 81597eccfaad4a4c21b05d54a206bbecc219a3bb9f25e5e74a7113f90698ee86
              • Opcode Fuzzy Hash: 2f4a8b8147c33ad0cb3d06e039a73389fbae4b5bb92a5896c31dd1f7c62a8085
              • Instruction Fuzzy Hash: AF41797410024E9BCF16EF90DC92AEB3724EF12300F518558EE919F296DB31AD1ADB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003C77CD
              • CreateCompatibleDC.GDI32(00000000), ref: 003C77D4
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003C77E7
              • SelectObject.GDI32(00000000,00000000), ref: 003C77EF
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 003C77FA
              • DeleteDC.GDI32(00000000), ref: 003C7803
              • GetWindowLongW.USER32(?,000000EC), ref: 003C780D
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003C7821
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003C782D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: @U=u$static
              • API String ID: 2559357485-3553413495
              • Opcode ID: b3c3640715df08d013e74161fa66e66d9db936b5f9fea3a7b44b1ab428428ed4
              • Instruction ID: 6489b43bae92dacc1fc33de822d26071fba7ac951081bb0c1bad423e98b15e1f
              • Opcode Fuzzy Hash: b3c3640715df08d013e74161fa66e66d9db936b5f9fea3a7b44b1ab428428ed4
              • Instruction Fuzzy Hash: 28314932105219AFDF129F64DC09FEA3B6EEF09724F114229FA15E61A0C731A821DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                • Part of subcall function 00347A84: _memmove.LIBCMT ref: 00347B0D
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003A55D2
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003A55E8
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003A55F9
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003A560B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003A561C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: 3086d9f495ff89f9b3b159b886ad2d411dc8922354c83ecaae66106ff7910128
              • Instruction ID: f23014fd10044ec8a4b5096bae77a1f08da80ec106f05f7de03c7c0d56e35e6d
              • Opcode Fuzzy Hash: 3086d9f495ff89f9b3b159b886ad2d411dc8922354c83ecaae66106ff7910128
              • Instruction Fuzzy Hash: 5611C464A5056D79D722B761CC8ADFF7BBCFF92B00F41042AB505AB0D1DF602D45C5A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: 8c3cfe3a1b9299bf0d933df078354b6427d980eea146034f865731f967ebb15d
              • Instruction ID: d9beeabe1d28407c078154f55859cea9882fe533ad8528bb1f6827618d7f9fdf
              • Opcode Fuzzy Hash: 8c3cfe3a1b9299bf0d933df078354b6427d980eea146034f865731f967ebb15d
              • Instruction Fuzzy Hash: ED11D531904114AFCB22AB249C0AEDB77ACDB42710F05817AF505DA095EFB19A918751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
              • CoInitialize.OLE32(00000000), ref: 003AD855
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003AD8E8
              • SHGetDesktopFolder.SHELL32(?), ref: 003AD8FC
              • CoCreateInstance.OLE32(003D2D7C,00000000,00000001,003FA89C,?), ref: 003AD948
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003AD9B7
              • CoTaskMemFree.OLE32(?,?), ref: 003ADA0F
              • _memset.LIBCMT ref: 003ADA4C
              • SHBrowseForFolderW.SHELL32(?), ref: 003ADA88
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003ADAAB
              • CoTaskMemFree.OLE32(00000000), ref: 003ADAB2
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003ADAE9
              • CoUninitialize.OLE32(00000001,00000000), ref: 003ADAEB
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: 92a85c4ff6c33836370ce337f9bfb2033e4c620473c0d913752ab16619da0c3f
              • Instruction ID: a66ed71d7de530c699022e3bfe97031f47fbf3bbc2f74499e42a054189c0f447
              • Opcode Fuzzy Hash: 92a85c4ff6c33836370ce337f9bfb2033e4c620473c0d913752ab16619da0c3f
              • Instruction Fuzzy Hash: E5B1EC75A00119AFDB05DFA4C889EAEBBF9EF49304B148469F50AEB261DB30ED45CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 003A05A7
              • SetKeyboardState.USER32(?), ref: 003A0612
              • GetAsyncKeyState.USER32(000000A0), ref: 003A0632
              • GetKeyState.USER32(000000A0), ref: 003A0649
              • GetAsyncKeyState.USER32(000000A1), ref: 003A0678
              • GetKeyState.USER32(000000A1), ref: 003A0689
              • GetAsyncKeyState.USER32(00000011), ref: 003A06B5
              • GetKeyState.USER32(00000011), ref: 003A06C3
              • GetAsyncKeyState.USER32(00000012), ref: 003A06EC
              • GetKeyState.USER32(00000012), ref: 003A06FA
              • GetAsyncKeyState.USER32(0000005B), ref: 003A0723
              • GetKeyState.USER32(0000005B), ref: 003A0731
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 5d8d1a0bc4d060ea4bea87759d2d08d021f6a4932f0c9c969833fbbdcb824733
              • Instruction ID: f4fd3d75f290ffa6cd7d4677dd6fdd7dcaa89b9673abc152fb4378cea979adbe
              • Opcode Fuzzy Hash: 5d8d1a0bc4d060ea4bea87759d2d08d021f6a4932f0c9c969833fbbdcb824733
              • Instruction Fuzzy Hash: 9751CB70E0878819FB3ADBB088547EABFB5DF13380F094599D5C25B1C2DA64AA4CCB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?,00000001), ref: 0039C746
              • GetWindowRect.USER32(00000000,?), ref: 0039C758
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0039C7B6
              • GetDlgItem.USER32(?,00000002), ref: 0039C7C1
              • GetWindowRect.USER32(00000000,?), ref: 0039C7D3
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0039C827
              • GetDlgItem.USER32(?,000003E9), ref: 0039C835
              • GetWindowRect.USER32(00000000,?), ref: 0039C846
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0039C889
              • GetDlgItem.USER32(?,000003EA), ref: 0039C897
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0039C8B4
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0039C8C1
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: b78ae0ea75e682d74c65d3ff3a96b2a340042ab13007e1ae0047397fac85d229
              • Instruction ID: 765a306eb49513e113d3c88ddbb829d0f55deee609f49dbc622f2a17b50860ef
              • Opcode Fuzzy Hash: b78ae0ea75e682d74c65d3ff3a96b2a340042ab13007e1ae0047397fac85d229
              • Instruction Fuzzy Hash: BD512E71B10205AFDF19CFA9DD99EAEBBBAEB88311F14812DF516D7290D770AD008B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00341B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00342036,?,00000000,?,?,?,?,003416CB,00000000,?), ref: 00341B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003420D3
              • KillTimer.USER32(-00000001,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0034216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 0037BEF6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BF27
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BF3E
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BF5A
              • DeleteObject.GDI32(00000000), ref: 0037BF6C
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: 0258c9c883783ffed8ef769267758144b2b9db26637579acf1146bb6b43ec0c3
              • Instruction ID: cc058381547f4feceed3607c891f2621ad6f5a305f88f5768dd191dd68399a87
              • Opcode Fuzzy Hash: 0258c9c883783ffed8ef769267758144b2b9db26637579acf1146bb6b43ec0c3
              • Instruction Fuzzy Hash: 3E618831101610DFCB37AF14DE48B2AB7F6FB50716F528429E142ABA60C779B8A0DF94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
              • GetSysColor.USER32(0000000F), ref: 003421D3
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: ef27c5540b4cb0f8101c6d450a0d8e7ca01583376ff9ea2f1adb8b92af905bf5
              • Instruction ID: 7ce15335a24d3e203ae3a0ec06839836df3928627b2716326247fcbbaedc4a7e
              • Opcode Fuzzy Hash: ef27c5540b4cb0f8101c6d450a0d8e7ca01583376ff9ea2f1adb8b92af905bf5
              • Instruction Fuzzy Hash: 0241C7310001549FDB235F28EC48BBA37AAEB06331F594265FD65DE1E2C771AC42DB21
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?,003CF910), ref: 003AAB76
              • GetDriveTypeW.KERNEL32(00000061,003FA620,00000061), ref: 003AAC40
              • _wcscpy.LIBCMT ref: 003AAC6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: 542afb0d04bf5e5585ccf8d7033a4253ba946f2d42de8946479efa2ba0269d08
              • Instruction ID: f5a361e45de0c2ca229198ec2f57805b2a726af7aecd6d5123cc4ef03d5144fb
              • Opcode Fuzzy Hash: 542afb0d04bf5e5585ccf8d7033a4253ba946f2d42de8946479efa2ba0269d08
              • Instruction Fuzzy Hash: E7519F311087059BC716EF14C892AAFB7E5EF82310F14491DF5969F2A2DB31E909CB53
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003C896E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID: @U=u
              • API String ID: 634782764-2594219639
              • Opcode ID: 8cc5601edc3d99914abd220bd1e4cc33dd84d07ca455070bcd7c176fc3ec35d6
              • Instruction ID: e1287062836626250e21e37570713f3e786ace2f60d9340841246615793d163a
              • Opcode Fuzzy Hash: 8cc5601edc3d99914abd220bd1e4cc33dd84d07ca455070bcd7c176fc3ec35d6
              • Instruction Fuzzy Hash: 6C51B435500209BFDF229F28CC85FAA7BA9FB05314F60452AF515EA5A1DF71AF908B41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0037C547
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0037C569
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0037C581
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0037C59F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0037C5C0
              • DestroyIcon.USER32(00000000), ref: 0037C5CF
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0037C5EC
              • DestroyIcon.USER32(?), ref: 0037C5FB
                • Part of subcall function 003CA71E: DeleteObject.GDI32(00000000), ref: 003CA757
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID: @U=u
              • API String ID: 2819616528-2594219639
              • Opcode ID: 41ed7768af9da61b60f5d9696ad936ae1756d51982d7d3e4b101ac9f27f509f1
              • Instruction ID: 29789ec8014e742e581d31701adb1ba2e76ae74ab6a11ca39abee38e7d2374a6
              • Opcode Fuzzy Hash: 41ed7768af9da61b60f5d9696ad936ae1756d51982d7d3e4b101ac9f27f509f1
              • Instruction Fuzzy Hash: 8B516A70610209AFDB26DF25CC45FAA3BE9EB44320F114528F946EB690DB75FD90DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              • Opcode ID: 2e78f0c999d7d4fcbef0edb371a97322dc85bc29892999b9a6b5434eac65c6fc
              • Instruction ID: e3e7fbba2ece9529671c70fc1ce6bbc0bab071f9a05611725bfca4911ccdf526
              • Opcode Fuzzy Hash: 2e78f0c999d7d4fcbef0edb371a97322dc85bc29892999b9a6b5434eac65c6fc
              • Instruction Fuzzy Hash: D241A171604605AFDB269B38D842F7B73E8FB46300F20846FE64DDF295EB75A9418B11
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003C73D9
              • CreateMenu.USER32 ref: 003C73F4
              • SetMenu.USER32(?,00000000), ref: 003C7403
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C7490
              • IsMenu.USER32(?), ref: 003C74A6
              • CreatePopupMenu.USER32 ref: 003C74B0
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003C74DD
              • DrawMenuBar.USER32 ref: 003C74E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              • Opcode ID: 9d67cc4a305a6dea2a48ee0b0d3c4f92705a9182490889f746996c5d6330d29a
              • Instruction ID: 8e94bf502888d86e7ba1fa181d1a9d0f17be738b475a50bbe0437465521e4b64
              • Opcode Fuzzy Hash: 9d67cc4a305a6dea2a48ee0b0d3c4f92705a9182490889f746996c5d6330d29a
              • Instruction Fuzzy Hash: 0E411375A01205AFDB15DF65D884FAABBB9FB49300F154029EE55E7360DB31AD20CF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 0039B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0039B0E7
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003994F6
              • GetDlgCtrlID.USER32 ref: 00399501
              • GetParent.USER32 ref: 0039951D
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00399520
              • GetDlgCtrlID.USER32(?), ref: 00399529
              • GetParent.USER32(?), ref: 00399545
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00399548
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 1536045017-2258501812
              • Opcode ID: 18f5876c394df5f7f3c4cf36ab85ba8b6adcc659b354daf9c70348dffea1646b
              • Instruction ID: cd63b5980863c7a4f5076d541ab7d34ed419a0d01b5214a9042a629819f96d79
              • Opcode Fuzzy Hash: 18f5876c394df5f7f3c4cf36ab85ba8b6adcc659b354daf9c70348dffea1646b
              • Instruction Fuzzy Hash: 6421C471900108BFCF07AB64CC85EFEBBB9EF49300F10011AF5619B2A2DB756919DB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 0039B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0039B0E7
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003995DF
              • GetDlgCtrlID.USER32 ref: 003995EA
              • GetParent.USER32 ref: 00399606
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00399609
              • GetDlgCtrlID.USER32(?), ref: 00399612
              • GetParent.USER32(?), ref: 0039962E
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00399631
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 1536045017-2258501812
              • Opcode ID: e5ce9a1695057444f9cf0a1b8e3f84edfc316eb969322136b275316cf69b0cff
              • Instruction ID: dbedee221c8e42a590f36e99daef77be5a094ca142bb87ab2bcdc0906ec54eed
              • Opcode Fuzzy Hash: e5ce9a1695057444f9cf0a1b8e3f84edfc316eb969322136b275316cf69b0cff
              • Instruction Fuzzy Hash: AE21B675900108BFDF06AB64CC85EFEBBB9EF59300F10401AF5519B2A1DB7569199B20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32 ref: 00399651
              • GetClassNameW.USER32(00000000,?,00000100), ref: 00399666
              • _wcscmp.LIBCMT ref: 00399678
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003996F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-1428604138
              • Opcode ID: d4dd553f975c73f4f4012d3d2706757efb167a09111fa55e98b29cd3a9fb208f
              • Instruction ID: bf2a91efe60dd29d8f7ed88f387bf8263766a90f14cb4b3d82f882899689f1cc
              • Opcode Fuzzy Hash: d4dd553f975c73f4f4012d3d2706757efb167a09111fa55e98b29cd3a9fb208f
              • Instruction Fuzzy Hash: C211C67624830BBEFE072728DC06FE6779C9F06770F20012BFA04E94D5FEA169518A59
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 0036707B
                • Part of subcall function 00368D68: __getptd_noexit.LIBCMT ref: 00368D68
              • __gmtime64_s.LIBCMT ref: 00367114
              • __gmtime64_s.LIBCMT ref: 0036714A
              • __gmtime64_s.LIBCMT ref: 00367167
              • __allrem.LIBCMT ref: 003671BD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003671D9
              • __allrem.LIBCMT ref: 003671F0
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0036720E
              • __allrem.LIBCMT ref: 00367225
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00367243
              • __invoke_watson.LIBCMT ref: 003672B4
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction ID: d524acf5a0c0a0f448fe22a16857d02cf2fdd028a520748695a1bce600bebb13
              • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction Fuzzy Hash: 70712B71A04707ABD7269F79CC41B5AB3B8AF15328F54C23AF414DB285E774ED508B90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003A2A31
              • GetMenuItemInfoW.USER32(00406890,000000FF,00000000,00000030), ref: 003A2A92
              • SetMenuItemInfoW.USER32(00406890,00000004,00000000,00000030), ref: 003A2AC8
              • Sleep.KERNEL32(000001F4), ref: 003A2ADA
              • GetMenuItemCount.USER32(?), ref: 003A2B1E
              • GetMenuItemID.USER32(?,00000000), ref: 003A2B3A
              • GetMenuItemID.USER32(?,-00000001), ref: 003A2B64
              • GetMenuItemID.USER32(?,?), ref: 003A2BA9
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003A2BEF
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A2C03
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A2C24
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: aabe7fa49d72ca29690ecd17c4630fab475f443070b4c369c1e0bb4039241221
              • Instruction ID: 73cc0ee2c67f35b9b4fdedee16d305d4d26362cfdb0405025c33ff83e226c9ff
              • Opcode Fuzzy Hash: aabe7fa49d72ca29690ecd17c4630fab475f443070b4c369c1e0bb4039241221
              • Instruction Fuzzy Hash: C361BFB0900249AFDB22DF68CD88EBFBBB9EB06314F150569F842E7251D731AD05DB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003C7214
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003C7217
              • GetWindowLongW.USER32(?,000000F0), ref: 003C723B
              • _memset.LIBCMT ref: 003C724C
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003C725E
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003C72D6
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: 38c42a50bb70d4c2a139d09594511adeec9a0646f4c439d5a0177d1f12f2db27
              • Instruction ID: 1b105d716f914030c3a3bc349e3b83c609e6e7579e5a16a35c0b31d062bd044b
              • Opcode Fuzzy Hash: 38c42a50bb70d4c2a139d09594511adeec9a0646f4c439d5a0177d1f12f2db27
              • Instruction Fuzzy Hash: B5617775A00248AFDB11DFA4CC81EEE77F8AB09310F144169FA15EB2A1C770AE51DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00397135
              • SafeArrayAllocData.OLEAUT32(?), ref: 0039718E
              • VariantInit.OLEAUT32(?), ref: 003971A0
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 003971C0
              • VariantCopy.OLEAUT32(?,?), ref: 00397213
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00397227
              • VariantClear.OLEAUT32(?), ref: 0039723C
              • SafeArrayDestroyData.OLEAUT32(?), ref: 00397249
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00397252
              • VariantClear.OLEAUT32(?), ref: 00397264
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0039726F
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 9ac4e5a27022b22ec1f396f8ddfbdc32586bc4763d79d95f45141df6d44daf68
              • Instruction ID: dda835e065b93cd37e01bd094d5a70f94b77279ba2fcf42ef4577404a550d6ab
              • Opcode Fuzzy Hash: 9ac4e5a27022b22ec1f396f8ddfbdc32586bc4763d79d95f45141df6d44daf68
              • Instruction Fuzzy Hash: C8416F31910219AFCF06EF69D844DAEBBB9FF08350F008469F945EB261CB30B945CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • GetSystemMetrics.USER32(0000000F), ref: 003CD78A
              • GetSystemMetrics.USER32(0000000F), ref: 003CD7AA
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003CD9E5
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003CDA03
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003CDA24
              • ShowWindow.USER32(00000003,00000000), ref: 003CDA43
              • InvalidateRect.USER32(?,00000000,00000001), ref: 003CDA68
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 003CDA8B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID: @U=u
              • API String ID: 1211466189-2594219639
              • Opcode ID: 9a8a8c301784b024d2bdc51dbc470705ab6f903a1ba59afbbf49931ab39f1fa9
              • Instruction ID: 6542a2aa06472c06d4ea567cb23b754da7d773c82480b9e8f85a7e17b15817d0
              • Opcode Fuzzy Hash: 9a8a8c301784b024d2bdc51dbc470705ab6f903a1ba59afbbf49931ab39f1fa9
              • Instruction Fuzzy Hash: A5B18735600225AFDF16CF68C985BB97BB1BF08700F0A8079FC49EA299D734AD50CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
              • CoInitialize.OLE32 ref: 003B8718
              • CoUninitialize.OLE32 ref: 003B8723
              • CoCreateInstance.OLE32(?,00000000,00000017,003D2BEC,?), ref: 003B8783
              • IIDFromString.OLE32(?,?), ref: 003B87F6
              • VariantInit.OLEAUT32(?), ref: 003B8890
              • VariantClear.OLEAUT32(?), ref: 003B88F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: 03b01cc0cb2cab38e447f4846d6ef51c2d1db5d76d277d67cbba74f513e6d11a
              • Instruction ID: 39862d5cd966c13ff62ac5a42ed7cec536ca52a63f424146ba61a8161ab74a26
              • Opcode Fuzzy Hash: 03b01cc0cb2cab38e447f4846d6ef51c2d1db5d76d277d67cbba74f513e6d11a
              • Instruction Fuzzy Hash: 6B617C716087019FD712DF24C849BABBBECAF45718F14481AFA85DBA91CB70ED44CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00342EAE
                • Part of subcall function 00341DB3: GetClientRect.USER32(?,?), ref: 00341DDC
                • Part of subcall function 00341DB3: GetWindowRect.USER32(?,?), ref: 00341E1D
                • Part of subcall function 00341DB3: ScreenToClient.USER32(?,?), ref: 00341E45
              • GetDC.USER32 ref: 0037CF82
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0037CF95
              • SelectObject.GDI32(00000000,00000000), ref: 0037CFA3
              • SelectObject.GDI32(00000000,00000000), ref: 0037CFB8
              • ReleaseDC.USER32(?,00000000), ref: 0037CFC0
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0037D04B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: @U=u$U
              • API String ID: 4009187628-4110099822
              • Opcode ID: 953723e7883a9728668ed1529207de1069a432e56fab1f0515d53af076b644ac
              • Instruction ID: 9fea5b3b2cb142cee3cd2880eb8a7e3141c34c47a30a2dc7ea9ea8ae1e500c99
              • Opcode Fuzzy Hash: 953723e7883a9728668ed1529207de1069a432e56fab1f0515d53af076b644ac
              • Instruction Fuzzy Hash: 3371C431400205DFCF338F64CC84AAA7BBAFF49350F15926AFD59AA266C7359C91DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 003AB73B
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003AB7B1
              • GetLastError.KERNEL32 ref: 003AB7BB
              • SetErrorMode.KERNEL32(00000000,READY), ref: 003AB828
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 6221da11f372c5a064540ed5869bcb5090ed5621ff983198fbc3ef7cfc36bd89
              • Instruction ID: 44ae1117321a41b84c4302278939fcb5078997d1d8967658604df1c1c0ffe827
              • Opcode Fuzzy Hash: 6221da11f372c5a064540ed5869bcb5090ed5621ff983198fbc3ef7cfc36bd89
              • Instruction Fuzzy Hash: 2F318635A002099FDB12EF68C885EFEBBB8FF46740F154029E505DB292DBB2A942C751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DeleteObject.GDI32(00000000), ref: 003C645A
              • GetDC.USER32(00000000), ref: 003C6462
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003C646D
              • ReleaseDC.USER32(00000000,00000000), ref: 003C6479
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003C64B5
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003C64C6
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003C9299,?,?,000000FF,00000000,?,000000FF,?), ref: 003C6500
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003C6520
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID: @U=u
              • API String ID: 3864802216-2594219639
              • Opcode ID: c6c62e271b11631ac26cfc554602924248e17f478e4b2088279d8597a1770e3c
              • Instruction ID: 69218ae783a5448a708f5a75349977de60d57b42ad019a8f99133522def5f198
              • Opcode Fuzzy Hash: c6c62e271b11631ac26cfc554602924248e17f478e4b2088279d8597a1770e3c
              • Instruction Fuzzy Hash: E2317F72201214BFEB128F50CC4AFEA3FAEEF0A761F054065FE08DA291D675AC51CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __swprintf.LIBCMT ref: 003A419D
              • __swprintf.LIBCMT ref: 003A41AA
                • Part of subcall function 003638D8: __woutput_l.LIBCMT ref: 00363931
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 003A41D4
              • LoadResource.KERNEL32(?,00000000), ref: 003A41E0
              • LockResource.KERNEL32(00000000), ref: 003A41ED
              • FindResourceW.KERNEL32(?,?,00000003), ref: 003A420D
              • LoadResource.KERNEL32(?,00000000), ref: 003A421F
              • SizeofResource.KERNEL32(?,00000000), ref: 003A422E
              • LockResource.KERNEL32(?), ref: 003A423A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003A429B
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: 293cd90028d6b6ddb0795b9f21f4a0183ade775a4853d25fedcf115f7b620db0
              • Instruction ID: db93ae63d183e2a6278f7e3645b49402ae0392bd14c26f54419ce0afd9a418d6
              • Opcode Fuzzy Hash: 293cd90028d6b6ddb0795b9f21f4a0183ade775a4853d25fedcf115f7b620db0
              • Instruction Fuzzy Hash: 6331D275A0120ABFDB129F60DD48EBF7BADEF46301F004925F905D6150D7B4EA51CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 003A1700
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003A0778,?,00000001), ref: 003A1714
              • GetWindowThreadProcessId.USER32(00000000), ref: 003A171B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0778,?,00000001), ref: 003A172A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 003A173C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0778,?,00000001), ref: 003A1755
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0778,?,00000001), ref: 003A1767
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003A0778,?,00000001), ref: 003A17AC
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003A0778,?,00000001), ref: 003A17C1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003A0778,?,00000001), ref: 003A17CC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: 66be3e84dd965f6c964ce7d85e4fddee8973ee9e248fc7a106ead1a3970eb84b
              • Instruction ID: 616815c1e4a7c41217ec9fa4746d78e027910b30c9d9315f6c36b8d34bb8ab5a
              • Opcode Fuzzy Hash: 66be3e84dd965f6c964ce7d85e4fddee8973ee9e248fc7a106ead1a3970eb84b
              • Instruction Fuzzy Hash: 7331D075A00205BFEB139F24DE88F793BEEEB16751F114024FA00E62A0DB75AD408BA5
              Uniqueness

              Uniqueness Score: -1.00%
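The function blocks in this report are uniform enough to be parsed mechanically, which is how an analyst normally consumes them: extract the API call sequence per function, the Opcode ID / fuzzy hashes for cross-sample matching, and then flag sequences worth a closer look, such as the GetForegroundWindow -> GetWindowThreadProcessId -> AttachThreadInput(..., TRUE) chain listed just above. The parser below is an added example and not part of the Joe Sandbox report or its IDA plugin; it assumes only the plain-text layout visible on this page (an `APIs` header, `• Name.MODULE(args), ref: ADDR` lines, and a `Similarity` section of `• Key: value` lines). The sample input is constructed from trimmed excerpts of the blocks above, with one `Part of subcall function` line added to exercise that path, and the focus-forcing heuristic is an analyst's assumption about how that AttachThreadInput sequence is used, not a verdict the report states.

```python
"""Parse Joe Sandbox function-summary blocks into structured records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Similarity" fields that identify a block across samples; other "Key: value"
# lines (Source File, Snapshot File, Uniqueness Score, ...) are ignored.
SIMILARITY_FIELDS = {
    "API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
    "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
    "Opcode Fuzzy Hash": "opcode_fuzzy_hash", "Instruction Fuzzy Hash": "instruction_fuzzy_hash",
}

# e.g. "AttachThreadInput.USER32(00000000,00000000,00000001), ref: 003A172A"
#   or "GetDC.USER32 ref: 0037CF82"  (no argument list in the report)
API_LINE = re.compile(
    r"^(?P<name>[^\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
SUBCALL_PREFIX = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]{8}):\s*")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # call-site address, parsed from the hex "ref:"
    subcall_of: Optional[str] = None  # set when the call is made by a callee, not the function itself


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    ids: Dict[str, str] = field(default_factory=dict)

    def direct_sequence(self) -> List[str]:
        """API names the function calls itself, ordered by call-site address."""
        return [c.name for c in sorted(self.calls, key=lambda c: c.ref) if c.subcall_of is None]

    def string_ids(self) -> List[str]:
        """The report joins a block's referenced strings with '$' in the String ID field."""
        return [s for s in self.ids.get("string_id", "").split("$") if s]


def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                 # every function block opens with this header
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None or not line:
            continue
        body = line.lstrip("•").strip()
        subcall_of = None
        sub = SUBCALL_PREFIX.match(body)
        if sub:
            subcall_of = sub.group("func").upper()
            body = body[sub.end():]
        m = API_LINE.match(body)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         int(m.group("ref"), 16), subcall_of))
            continue
        key, sep, value = body.partition(":")
        if sep and key.strip() in SIMILARITY_FIELDS:
            current.ids[SIMILARITY_FIELDS[key.strip()]] = value.strip()
    return blocks


def blocks_calling(blocks: List[FunctionBlock], api_name: str) -> List[FunctionBlock]:
    return [b for b in blocks if any(c.name == api_name for c in b.calls)]


def module_histogram(blocks: List[FunctionBlock]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for b in blocks:
        for c in b.calls:
            counts[c.module] = counts.get(c.module, 0) + 1
    return counts


def attaches_to_foreground_input(block: FunctionBlock) -> bool:
    """Heuristic (assumption, not a report verdict): the function resolves the foreground
    window's thread and then calls AttachThreadInput with fAttach=TRUE (third argument
    00000001), the usual way to share input state with the foreground thread and force
    focus. Flag for manual review; the AutoIt runtime uses this for its own window functions."""
    if not any(c.name == "GetForegroundWindow" for c in block.calls):
        return False
    return any(c.name == "AttachThreadInput" and len(c.args) >= 3 and c.args[2] == "00000001"
               for c in block.calls)


# Constructed sample: trimmed excerpts of two blocks from the report, plus one subcall line.
SAMPLE_REPORT = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 003A1700
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,003A0778,?,00000001), ref: 003A1714
• GetWindowThreadProcessId.USER32(00000000), ref: 003A171B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0778,?,00000001), ref: 003A172A
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003A0778,?,00000001), ref: 003A17CC
Memory Dump Source
• Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 66be3e84dd965f6c964ce7d85e4fddee8973ee9e248fc7a106ead1a3970eb84b
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001), ref: 003AB73B
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003AB7B1
• GetLastError.KERNEL32 ref: 003AB7BB
• SetErrorMode.KERNEL32(00000000,READY), ref: 003AB828
  • Part of subcall function 00368D68: __getptd_noexit.LIBCMT ref: 00368D68
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• Opcode ID: 6221da11f372c5a064540ed5869bcb5090ed5621ff983198fbc3ef7cfc36bd89
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_REPORT):
        print(b.ids.get("opcode_id", "")[:16], b.direct_sequence(), attaches_to_foreground_input(b))
```

The Opcode ID and fuzzy hashes are what you pivot on: collect them from several AgentTesla-tagged AutoIt droppers and the AutoIt runtime functions (like the two parsed here) will recur unchanged, so they can be excluded from similarity searches, leaving the functions that are actually specific to the sample.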

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: ,,=$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-1434771687
              • Opcode ID: 078650fa997c6fc1148c6bf6dbf7f07c9bb9f8b3451383ef9758d5ca4965f38e
              • Instruction ID: 3e680b6a56f6977fbce1232a4c7283e03b1bcf91836cede39c2fe87324d7fef0
              • Opcode Fuzzy Hash: 078650fa997c6fc1148c6bf6dbf7f07c9bb9f8b3451383ef9758d5ca4965f38e
              • Instruction Fuzzy Hash: B891AD71A00219ABDF26DFA5C844FEEB7B8EF45728F10815AF705AB680D7709905CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnumChildWindows.USER32(?,0039AA64), ref: 0039A9A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: 33eb104c58c29c5f8c719caccedacc4c7ccf85ee13a656d8b639b68c3d489b30
              • Instruction ID: e68190cd0d123e94dd2b93806b23c2fda10483a40206e6540e2fca43933affb3
              • Opcode Fuzzy Hash: 33eb104c58c29c5f8c719caccedacc4c7ccf85ee13a656d8b639b68c3d489b30
              • Instruction Fuzzy Hash: D891A670A0090AEBDF0ADF60C482BEAFB75FF04314F518219D99AAB551DF306A59CBD1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindow.USER32(011C6008), ref: 003CB6A5
              • IsWindowEnabled.USER32(011C6008), ref: 003CB6B1
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003CB795
              • SendMessageW.USER32(011C6008,000000B0,?,?), ref: 003CB7CC
              • IsDlgButtonChecked.USER32(?,?), ref: 003CB809
              • GetWindowLongW.USER32(011C6008,000000EC), ref: 003CB82B
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003CB843
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID: @U=u
              • API String ID: 4072528602-2594219639
              • Opcode ID: edad21db13d3b27f4beb243153e08ee7d0e6d51e5eb22552f74e5385dfecb107
              • Instruction ID: 4f19c6a625b34188ebf3eb044ecefc16461694909d895aada98fbbb3867f1e90
              • Opcode Fuzzy Hash: edad21db13d3b27f4beb243153e08ee7d0e6d51e5eb22552f74e5385dfecb107
              • Instruction Fuzzy Hash: F6717E34600204AFDB269F64C896FAAFBB9EF49300F16406DE946E73A1C731AD61DB54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003C7093
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 003C70A7
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003C70C1
              • _wcscat.LIBCMT ref: 003C711C
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 003C7133
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003C7161
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: @U=u$SysListView32
              • API String ID: 307300125-1908207174
              • Opcode ID: c3b3a4c9025468f7332e02c968df84163630865ff2aa3fb804224131abc45e39
              • Instruction ID: 54a9ee0fd740a755141cb1118d4720f1d77bb934f67a987d475801962828dbb8
              • Opcode Fuzzy Hash: c3b3a4c9025468f7332e02c968df84163630865ff2aa3fb804224131abc45e39
              • Instruction Fuzzy Hash: 15418171A04318AFDB229F64CC85FEE77A9EF08350F11452EF945E7291D7729D848B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003C655B
              • GetWindowLongW.USER32(011C6008,000000F0), ref: 003C658E
              • GetWindowLongW.USER32(011C6008,000000F0), ref: 003C65C3
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003C65F5
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003C661F
              • GetWindowLongW.USER32(00000000,000000F0), ref: 003C6630
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003C664A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID: @U=u
              • API String ID: 2178440468-2594219639
              • Opcode ID: 81482ec0f4feae066bcf2d5a41155f5d8718009337471b91912bac48394fcb25
              • Instruction ID: e415f8aa2f66e14dc4554b0d64ba09c54b4b3551c7a9c9c397a5f48479328955
              • Opcode Fuzzy Hash: 81482ec0f4feae066bcf2d5a41155f5d8718009337471b91912bac48394fcb25
              • Instruction Fuzzy Hash: 78311331604211AFDB22DF18DD86F653BE5FB4A314F2A41A8F502DB2B6CB71AC60DB41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003CF910), ref: 003B903D
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003CF910), ref: 003B9071
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003B91EB
              • SysFreeString.OLEAUT32(?), ref: 003B9215
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: b421259f9f2a8f8ecbab494ef2edba42d3802b00e21fcb0c075420293892c7fb
              • Instruction ID: 873498403159544aac2f740ce51ed6b83861913f3d1a331830edd7835722507f
              • Opcode Fuzzy Hash: b421259f9f2a8f8ecbab494ef2edba42d3802b00e21fcb0c075420293892c7fb
              • Instruction Fuzzy Hash: EAF12875A00209EFDB05DF94C888EEEB7B9FF49318F11805AF619AB651CB31AE45CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003BF9C9
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BFB5C
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BFB80
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BFBC0
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BFBE2
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003BFD5E
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003BFD90
              • CloseHandle.KERNEL32(?), ref: 003BFDBF
              • CloseHandle.KERNEL32(?), ref: 003BFE36
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: b1828fe8290032f1576099c2f205fd8001cc5ab686134c42fcb34893a015846d
              • Instruction ID: ff013d193c722cd831508b92ba8f81350b6e2f2c538e561fd5a3b718630fd3c3
              • Opcode Fuzzy Hash: b1828fe8290032f1576099c2f205fd8001cc5ab686134c42fcb34893a015846d
              • Instruction Fuzzy Hash: 20E1B1312042419FCB16EF24C891BABBBE5AF85314F15946DF9998F6A2CB31EC44CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003A48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003A38D3,?), ref: 003A48C7
                • Part of subcall function 003A48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003A38D3,?), ref: 003A48E0
                • Part of subcall function 003A4CD3: GetFileAttributesW.KERNEL32(?,003A3947), ref: 003A4CD4
              • lstrcmpiW.KERNEL32(?,?), ref: 003A4FE2
              • _wcscmp.LIBCMT ref: 003A4FFC
              • MoveFileW.KERNEL32(?,?), ref: 003A5017
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: 1b0be778f7600092aa143aa62f5bf77c00518e00a005cb6fc95d5530fb18698f
              • Instruction ID: aa89cf991d6f515a8c342e6d48efaf9fb2c4760d5ca164eba4a6fe7180d37035
              • Opcode Fuzzy Hash: 1b0be778f7600092aa143aa62f5bf77c00518e00a005cb6fc95d5530fb18698f
              • Instruction Fuzzy Hash: 595183B25087849FC726DB60C8819DFB3ECEF85300F00492EB189CB152EF75A2888766
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00398A84,00000B00,?,?), ref: 00398E0C
              • HeapAlloc.KERNEL32(00000000,?,00398A84,00000B00,?,?), ref: 00398E13
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00398A84,00000B00,?,?), ref: 00398E28
              • GetCurrentProcess.KERNEL32(?,00000000,?,00398A84,00000B00,?,?), ref: 00398E30
              • DuplicateHandle.KERNEL32(00000000,?,00398A84,00000B00,?,?), ref: 00398E33
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00398A84,00000B00,?,?), ref: 00398E43
              • GetCurrentProcess.KERNEL32(00398A84,00000000,?,00398A84,00000B00,?,?), ref: 00398E4B
              • DuplicateHandle.KERNEL32(00000000,?,00398A84,00000B00,?,?), ref: 00398E4E
              • CreateThread.KERNEL32(00000000,00000000,00398E74,00000000,00000000,00000000), ref: 00398E68
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: a9d5a9e86cf51416020902011ae6a4bd553e3f7d757ff82942a56bff430cdf40
              • Instruction ID: 3ee33f931eb5b7b0b1da7e33c9a25e0b247aebc9e53fce70b543629f815b99fc
              • Opcode Fuzzy Hash: a9d5a9e86cf51416020902011ae6a4bd553e3f7d757ff82942a56bff430cdf40
              • Instruction Fuzzy Hash: 5F01B6B5640308FFEB11ABA5DC4DF6B7BADEB89711F044421FA05DB2A1CA70A800CB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00397652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?,?,?,0039799D), ref: 0039766F
                • Part of subcall function 00397652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?,?), ref: 0039768A
                • Part of subcall function 00397652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?,?), ref: 00397698
                • Part of subcall function 00397652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?), ref: 003976A8
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 003B9B1B
              • _memset.LIBCMT ref: 003B9B28
              • _memset.LIBCMT ref: 003B9C6B
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 003B9C97
              • CoTaskMemFree.OLE32(?), ref: 003B9CA2
              Strings
              • NULL Pointer assignment, xrefs: 003B9CF0
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: cb56a63fd4b96feec7bdadcf9cb992b101d17f5beac6dd2f7b4f034f23e36dbb
              • Instruction ID: 36db8661a847efa2ab1759b393b8295286e47390d2071e54af6d1a29fa1f9e13
              • Opcode Fuzzy Hash: cb56a63fd4b96feec7bdadcf9cb992b101d17f5beac6dd2f7b4f034f23e36dbb
              • Instruction Fuzzy Hash: 46912C71D00229ABDF12DFA5DC81EDEBBB9EF08710F10415AF619AB251DB716A44CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003A3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 003A3EB6
                • Part of subcall function 003A3E91: Process32FirstW.KERNEL32(00000000,?), ref: 003A3EC4
                • Part of subcall function 003A3E91: CloseHandle.KERNEL32(00000000), ref: 003A3F8E
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BECB8
              • GetLastError.KERNEL32 ref: 003BECCB
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BECFA
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 003BED77
              • GetLastError.KERNEL32(00000000), ref: 003BED82
              • CloseHandle.KERNEL32(00000000), ref: 003BEDB7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: 1a941fc2edbb17736c39de44c494ddd7a8a99903bd0a11ede01bc3dbf8dce11e
              • Instruction ID: 060c6d784246c08f227e152ab0f8d2a92a73b89b188dc19f3ef7fe66fb0b94ec
              • Opcode Fuzzy Hash: 1a941fc2edbb17736c39de44c494ddd7a8a99903bd0a11ede01bc3dbf8dce11e
              • Instruction Fuzzy Hash: 4D41C0712002019FDB16EF28CC96FAEB7A5AF80714F18845DF9429F3D2DBB5A804CB95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ShowWindow.USER32(004067B0,00000000,011C6008,?,?,004067B0,?,003CB862,?,?), ref: 003CB9CC
              • EnableWindow.USER32(00000000,00000000), ref: 003CB9F0
              • ShowWindow.USER32(004067B0,00000000,011C6008,?,?,004067B0,?,003CB862,?,?), ref: 003CBA50
              • ShowWindow.USER32(00000000,00000004,?,003CB862,?,?), ref: 003CBA62
              • EnableWindow.USER32(00000000,00000001), ref: 003CBA86
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 003CBAA9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID: @U=u
              • API String ID: 642888154-2594219639
              • Opcode ID: 506ce6000701c89baed31d73fc50a075f4a7c9191ae55d615e526f7d2c25c8aa
              • Instruction ID: 9160356fab5691f8b6d53bb638b16695cbe00dd47c8582050828d7b215ebb439
              • Opcode Fuzzy Hash: 506ce6000701c89baed31d73fc50a075f4a7c9191ae55d615e526f7d2c25c8aa
              • Instruction Fuzzy Hash: BC415035600241AFDB27CF14C88AF95BBE1BB05310F1982BDEA48DF2A2C732AC45CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 003A32C5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: 0c85c23b93addf84a7890ca9e5e63f6dcb821ac7c84b707659322d38cbf6aef7
              • Instruction ID: 410429543a6b7b9b20ec2a706610cd064a1b8aeec66a0edde45247f9bc950882
              • Opcode Fuzzy Hash: 0c85c23b93addf84a7890ca9e5e63f6dcb821ac7c84b707659322d38cbf6aef7
              • Instruction Fuzzy Hash: E8110A3174974ABBF7036B54DC43EAAB79CDF1B370F20442AF504AA181E7766B4046A6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003A454E
              • LoadStringW.USER32(00000000), ref: 003A4555
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003A456B
              • LoadStringW.USER32(00000000), ref: 003A4572
              • _wprintf.LIBCMT ref: 003A4598
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003A45B6
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 003A4593
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 0249851c9f70ac2467dfa683b7e03fe2fd84c140468e1235ebc80f02558c17eb
              • Instruction ID: 813cc36ce9f573e74634642a9fc67e33c95541f2003f9ab764b79048cca94c9d
              • Opcode Fuzzy Hash: 0249851c9f70ac2467dfa683b7e03fe2fd84c140468e1235ebc80f02558c17eb
              • Instruction Fuzzy Hash: DC0162F6900208BFE712A7A0DD89FF7776DD709301F0005A5BB45D2051EA75AE858B74
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0037C417,00000004,00000000,00000000,00000000), ref: 00342ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0037C417,00000004,00000000,00000000,00000000,000000FF), ref: 00342B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0037C417,00000004,00000000,00000000,00000000), ref: 0037C46A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0037C417,00000004,00000000,00000000,00000000), ref: 0037C4D6
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: d90aa67a05a7bfe466aa992cc3fe716b13fd4a1d99dddea6a62a514a83e35693
              • Instruction ID: 2cef14e56517891e335dfa299e4ffd7cf1c66859f4159ca5c0766b2da319a251
              • Opcode Fuzzy Hash: d90aa67a05a7bfe466aa992cc3fe716b13fd4a1d99dddea6a62a514a83e35693
              • Instruction Fuzzy Hash: BC413C316147809EC7379B298C9CB7B7BDAAB85300F96C81DF44BAE960CE75B845D710
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 003A737F
                • Part of subcall function 00360FF6: std::exception::exception.LIBCMT ref: 0036102C
                • Part of subcall function 00360FF6: __CxxThrowException@8.LIBCMT ref: 00361041
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003A73B6
              • EnterCriticalSection.KERNEL32(?), ref: 003A73D2
              • _memmove.LIBCMT ref: 003A7420
              • _memmove.LIBCMT ref: 003A743D
              • LeaveCriticalSection.KERNEL32(?), ref: 003A744C
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003A7461
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 003A7480
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: 4edff9ae32e342d0ea00febfb7a6c4db7c9e3d53a604809e78308edac6038e99
              • Instruction ID: 76236c85da0cc73073586690ca4c19e7a287c4f79db5e5b110534e2a64c61505
              • Opcode Fuzzy Hash: 4edff9ae32e342d0ea00febfb7a6c4db7c9e3d53a604809e78308edac6038e99
              • Instruction Fuzzy Hash: AD316C75904205EFCF12DF64DC85EAABB78EF45710F1581A5F904EA24ADB30AA14CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 92403c23f14b3460b8fe801fec80c648211eecf2f173913392dbe30f1f83767a
              • Instruction ID: 9b7634c75e272e3b153bb83cf381f9af84c910ba25833de6fa567374629ea477
              • Opcode Fuzzy Hash: 92403c23f14b3460b8fe801fec80c648211eecf2f173913392dbe30f1f83767a
              • Instruction Fuzzy Hash: 0821F376620205BBEA17A5209D42FFF739CAF21394F089021FD059B787E791DE1182B5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                • Part of subcall function 0035FEC6: _wcscpy.LIBCMT ref: 0035FEE9
              • _wcstok.LIBCMT ref: 003AEEFF
              • _wcscpy.LIBCMT ref: 003AEF8E
              • _memset.LIBCMT ref: 003AEFC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: 920031cf7642827d20bc9efcfc01418e6a421583c066446e70f2b78a216e858c
              • Instruction ID: 39e5ba87f4445bce2fde11027e149a932aa4a697ba5a89a42920a5107335ba12
              • Opcode Fuzzy Hash: 920031cf7642827d20bc9efcfc01418e6a421583c066446e70f2b78a216e858c
              • Instruction Fuzzy Hash: 49C15C755083409FC726EF64C881A6BB7E4EF85310F05896DF8999F2A2DB30ED45CB82
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003B6F14
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003B6F35
              • WSAGetLastError.WSOCK32(00000000), ref: 003B6F48
              • htons.WSOCK32(?,?,?,00000000,?), ref: 003B6FFE
              • inet_ntoa.WSOCK32(?), ref: 003B6FBB
                • Part of subcall function 0039AE14: _strlen.LIBCMT ref: 0039AE1E
                • Part of subcall function 0039AE14: _memmove.LIBCMT ref: 0039AE40
              • _strlen.LIBCMT ref: 003B7058
              • _memmove.LIBCMT ref: 003B70C1
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: 8caafe33336b2f8ba8178dd2ddbb2e9588ea2040d43c4c3a4c9da523c33a0823
              • Instruction ID: 056cedc4a4d8cca9be351c7c22818b9c1e5b23292caf5922b5311058e9cda83c
              • Opcode Fuzzy Hash: 8caafe33336b2f8ba8178dd2ddbb2e9588ea2040d43c4c3a4c9da523c33a0823
              • Instruction Fuzzy Hash: 9D81AF71508300ABD712EB24CC86FABB7E9EF84718F144919F6559F2A2DB71ED04CB92
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abed937d55f7c27cebce91fd9c1001630e1c4b0c3d2c61fa5df287701d63f748
              • Instruction ID: 50ea4adc964162ea4c3f7116dbd6e7f946bb04adb99d5f9ce597a2f73eb581b0
              • Opcode Fuzzy Hash: abed937d55f7c27cebce91fd9c1001630e1c4b0c3d2c61fa5df287701d63f748
              • Instruction Fuzzy Hash: D6717D30900509EFCB16CF99CC49EBEBBB9FF86314F158159F915AA251C734AA91CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003BF75C
              • _memset.LIBCMT ref: 003BF825
              • ShellExecuteExW.SHELL32(?), ref: 003BF86A
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
                • Part of subcall function 0035FEC6: _wcscpy.LIBCMT ref: 0035FEE9
              • GetProcessId.KERNEL32(00000000), ref: 003BF8E1
              • CloseHandle.KERNEL32(00000000), ref: 003BF910
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: 071fc0ed3fb09d9947684b87b95cd31a67d48749d7a02be6a7da090cdd2ecba6
              • Instruction ID: b9d8cb713f4875d1e33f2a842d93413dd6d4266689f2f3ce2207b16c663a35f8
              • Opcode Fuzzy Hash: 071fc0ed3fb09d9947684b87b95cd31a67d48749d7a02be6a7da090cdd2ecba6
              • Instruction Fuzzy Hash: F1617E75A006199FCF16EF54C881AAEBBF5FF48314B15846AE846AF751CB30AE40CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 003A149C
              • GetKeyboardState.USER32(?), ref: 003A14B1
              • SetKeyboardState.USER32(?), ref: 003A1512
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 003A1540
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 003A155F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 003A15A5
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 003A15C8
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: cf854c31ca6a169bf82c9ee500e14fefd5c0b2bc09a85bf95e5cc8ecc456da37
              • Instruction ID: 508b7d9598aa1df6e3d197e1b925443c4d14dcc25011a1127f8e2821989f62f0
              • Opcode Fuzzy Hash: cf854c31ca6a169bf82c9ee500e14fefd5c0b2bc09a85bf95e5cc8ecc456da37
              • Instruction Fuzzy Hash: 8951E3A0A047D53EFB3746388C45BBABEA99B47304F0D8589E5D58A8D2C3D9ECC4D750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(00000000), ref: 003A12B5
              • GetKeyboardState.USER32(?), ref: 003A12CA
              • SetKeyboardState.USER32(?), ref: 003A132B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003A1357
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003A1374
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003A13B8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003A13D9
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 5f7c454ccb05221c6f57e7b836471d9b8ff98b61f65c13fe014e7ed6c0874ac8
              • Instruction ID: 2a0b1683b8ff153a3f93bab2c23351828302f882a976ed9ff45c5c1460ae04df
              • Opcode Fuzzy Hash: 5f7c454ccb05221c6f57e7b836471d9b8ff98b61f65c13fe014e7ed6c0874ac8
              • Instruction Fuzzy Hash: CF51D3A09047D53DFB3787258C55BBABFA9DB07300F088589E1D59A8C2D395EC94E760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              • Opcode ID: eb2fb8681c0b2e0277e2dac83bd111b1fa8a00f9e7697729c403626f59325014
              • Instruction ID: e57b7c97581ee2be9e3c3aef60925a03aa65e936d8e9781944a2225faebbfd79
              • Opcode Fuzzy Hash: eb2fb8681c0b2e0277e2dac83bd111b1fa8a00f9e7697729c403626f59325014
              • Instruction Fuzzy Hash: 3B41A465D2052876CB12EBB48C869CFB3A8EF06310F50D966F518E7121F734E714C7A5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID: @U=u
              • API String ID: 0-2594219639
              • Opcode ID: 920a01b687a327ebe935da9649c2db32c9dbcc17529de7ca7db80ee70fd3848d
              • Instruction ID: 45c1cd446a387f88062a9233eaf236d718a79c3212b54bde96245a2fd6afeb6b
              • Opcode Fuzzy Hash: 920a01b687a327ebe935da9649c2db32c9dbcc17529de7ca7db80ee70fd3848d
              • Instruction Fuzzy Hash: 8A41363990064CAFC722EF28CC58FA9BBA9FB09314F064169F916E72E0C730AD41DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003A48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003A38D3,?), ref: 003A48C7
                • Part of subcall function 003A48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003A38D3,?), ref: 003A48E0
              • lstrcmpiW.KERNEL32(?,?), ref: 003A38F3
              • _wcscmp.LIBCMT ref: 003A390F
              • MoveFileW.KERNEL32(?,?), ref: 003A3927
              • _wcscat.LIBCMT ref: 003A396F
              • SHFileOperationW.SHELL32(?), ref: 003A39DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              • Opcode ID: 3ca25c8bab3cd84037c92e8e79982f24ba61cb29e8846870ff66de85cfdea7ae
              • Instruction ID: 8be478247fd9076a44f98d72f873f807a04a62279c81eb9e99a401e4956f2d8e
              • Opcode Fuzzy Hash: 3ca25c8bab3cd84037c92e8e79982f24ba61cb29e8846870ff66de85cfdea7ae
              • Instruction Fuzzy Hash: C3416FB25093449EC753EF64C481AEBB7ECEF8A340F14092EB489C7151EB75D648C752
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003C7519
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C75C0
              • IsMenu.USER32(?), ref: 003C75D8
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003C7620
              • DrawMenuBar.USER32 ref: 003C7633
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              • Opcode ID: 7cdb8502c582d5c8e90f7e7ffba4d52b57135869bce9397f2ee15cefb7c1af23
              • Instruction ID: 135f7ebed3ea1b03899b9cb7b9bf0fc520c7b8976e908fca38bc8ecd1efd068e
              • Opcode Fuzzy Hash: 7cdb8502c582d5c8e90f7e7ffba4d52b57135869bce9397f2ee15cefb7c1af23
              • Instruction Fuzzy Hash: F8412575A05609AFDB21DF54D984E9ABBF9FB09310F058129ED15EB290D730AD60CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 003C125C
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C1286
              • FreeLibrary.KERNEL32(00000000), ref: 003C133D
                • Part of subcall function 003C122D: RegCloseKey.ADVAPI32(?), ref: 003C12A3
                • Part of subcall function 003C122D: FreeLibrary.KERNEL32(?), ref: 003C12F5
                • Part of subcall function 003C122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003C1318
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 003C12E0
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              • Opcode ID: a140502f9ecde0273c7d767af2bb9849dde5248a83eed1513a375abba0110c2b
              • Instruction ID: d0a5afd5a3790ed0a897e04880ed9aee7b0e1771819aefa47fb76b3e94023cd7
              • Opcode Fuzzy Hash: a140502f9ecde0273c7d767af2bb9849dde5248a83eed1513a375abba0110c2b
              • Instruction Fuzzy Hash: 9F312BB5901119BFDB16DB90DC89EFEB7BCEF09304F004569E502E2152EA74AE45ABA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003B80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003B80CB
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003B64D9
              • WSAGetLastError.WSOCK32(00000000), ref: 003B64E8
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003B6521
              • connect.WSOCK32(00000000,?,00000010), ref: 003B652A
              • WSAGetLastError.WSOCK32 ref: 003B6534
              • closesocket.WSOCK32(00000000), ref: 003B655D
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003B6576
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              • Opcode ID: 02e9140c2b1187d951208a108dc6d3ddfe60211a0487b027e01c09dfe39d6905
              • Instruction ID: e2788d272b036c7686a591d2d1c781f8181420a8dca4885b03aa59ce1bf36e1d
              • Opcode Fuzzy Hash: 02e9140c2b1187d951208a108dc6d3ddfe60211a0487b027e01c09dfe39d6905
              • Instruction Fuzzy Hash: 0831B371600218AFDB12AF24CC86FFE7BADEB45754F00406AFA05DB291CB74AD04CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 0039B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0039B0E7
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003993F6
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00399409
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00399439
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 365058703-2258501812
              • Opcode ID: 880d135a88fb1d54852397b8043e734c6e6cea8b9602cd7f97ba0fdb18a55ae1
              • Instruction ID: a32ef53675e129837a6c00b7edf84c70ad4f6fe38a32deb6256fb8872940d793
              • Opcode Fuzzy Hash: 880d135a88fb1d54852397b8043e734c6e6cea8b9602cd7f97ba0fdb18a55ae1
              • Instruction Fuzzy Hash: 5A21D275900108AFDF17AB65DC85EFFB7ACDF05350B14411EF9259B2E1DB35190A9620
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039E0FA
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039E120
              • SysAllocString.OLEAUT32(00000000), ref: 0039E123
              • SysAllocString.OLEAUT32 ref: 0039E144
              • SysFreeString.OLEAUT32 ref: 0039E14D
              • StringFromGUID2.OLE32(?,?,00000028), ref: 0039E167
              • SysAllocString.OLEAUT32(?), ref: 0039E175
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: b0aad4d8f8d79ab2fe6fb8ede98f4d20bf09e520e02f8e0aba29c895e8523d10
              • Instruction ID: 0ec493ab050bec35b185f82c2f8764df934147c1fdf2e7e8bf97b1bae8e54edf
              • Opcode Fuzzy Hash: b0aad4d8f8d79ab2fe6fb8ede98f4d20bf09e520e02f8e0aba29c895e8523d10
              • Instruction Fuzzy Hash: 04217136604208AFDF11EFADDC88DAB77EDEB09760B118125F915CB260DA71EC41DB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindowVisible.USER32(?), ref: 0039B6C7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0039B6E4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0039B71C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0039B742
              • _wcsstr.LIBCMT ref: 0039B74C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID: @U=u
              • API String ID: 3902887630-2594219639
              • Opcode ID: 3d1e3df35d6434a260b508f6cb23de9cf85718a5b9199ef2a6e80a40bc89b3b8
              • Instruction ID: 0751e1a3a11a1f96f328e1a521fbfd0ebc0d547c3722abd876fdad788cf96ede
              • Opcode Fuzzy Hash: 3d1e3df35d6434a260b508f6cb23de9cf85718a5b9199ef2a6e80a40bc89b3b8
              • Instruction Fuzzy Hash: F021C532204204BBEF265B79AD49E7BBBADDF85750F018139F805CA1A1EB71DC5097A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00399802
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00399834
              • __itow.LIBCMT ref: 0039984C
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00399874
              • __itow.LIBCMT ref: 00399885
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID: @U=u
              • API String ID: 2983881199-2594219639
              • Opcode ID: 6d90756da013c73b6507521a48028dc49bc67dfbf22b7142354ab4b50fecb18c
              • Instruction ID: 11a747846bcf271e7409727fad5322a575446ea370da5af6ad96ef174ddb3787
              • Opcode Fuzzy Hash: 6d90756da013c73b6507521a48028dc49bc67dfbf22b7142354ab4b50fecb18c
              • Instruction Fuzzy Hash: 9121C571B04208AFEF12AA698C86FEE7BADEF4A710F04402EF904DF291D7709D459791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
                • Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
                • Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003C78A1
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003C78AE
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003C78B9
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003C78C8
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003C78D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: f06b266947a87249c3b1a525f146f208ecbe565e912f087e8403d43ca15f632a
              • Instruction ID: a2300539563356eb3ff81a3e500ff9fa20f0088c053f470499c1c0025cb9bcd7
              • Opcode Fuzzy Hash: f06b266947a87249c3b1a525f146f208ecbe565e912f087e8403d43ca15f632a
              • Instruction Fuzzy Hash: A9115EB6550219BEEF169E60CC86EE77F6DEF08758F014115BB04A6090C772AC21DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00364292,?), ref: 003641E3
              • GetProcAddress.KERNEL32(00000000), ref: 003641EA
              • EncodePointer.KERNEL32(00000000), ref: 003641F6
              • DecodePointer.KERNEL32(00000001,00364292,?), ref: 00364213
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 3489934621-340411864
              • Opcode ID: 8111b105bef34ce9582d985f4b196ca2eaa03041815e8716c3eb55513e1bacac
              • Instruction ID: b5a705defd075825941ef846fc6d13061542d38fa203518abe0512a2fd85b163
              • Opcode Fuzzy Hash: 8111b105bef34ce9582d985f4b196ca2eaa03041815e8716c3eb55513e1bacac
              • Instruction Fuzzy Hash: 4DE048F4590340AFDB126F70ED0DF4535AAB7A1702F118434F521E91E0D7B55095CF04
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003641B8), ref: 003642B8
              • GetProcAddress.KERNEL32(00000000), ref: 003642BF
              • EncodePointer.KERNEL32(00000000), ref: 003642CA
              • DecodePointer.KERNEL32(003641B8), ref: 003642E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 3489934621-2819208100
              • Opcode ID: 896bca624f833edf2377566b41aa4117e591a13c4491fd3c81f2434569900085
              • Instruction ID: 89985924c0d703197c351a42af40b7316eda7cb0b3ba35b5bc2017cf8fb61ca8
              • Opcode Fuzzy Hash: 896bca624f833edf2377566b41aa4117e591a13c4491fd3c81f2434569900085
              • Instruction Fuzzy Hash: 2FE0B6BC981300AFEB129B61FE0DF453AAAB7A8742F254435F211E91A4CFB45644CB18
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              • API String ID: 3253778849-0
              • Opcode ID: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
              • Instruction ID: 9c15b880b306e64f18f0ab6b4765a197ebede35d6c421f0b147fb98791bfe1f0
              • Opcode Fuzzy Hash: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
              • Instruction Fuzzy Hash: 18618A3050465A9BCF13EF60C882EFF37A8EF46308F094519F85A5F296DB34A941CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 003C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003C0038,?,?), ref: 003C10BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0548
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C0588
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003C05AB
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003C05D4
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003C0617
              • RegCloseKey.ADVAPI32(00000000), ref: 003C0624
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              • API String ID: 4046560759-0
              • Opcode ID: 7f92827dd93947b9492fc2e45da9c425d53ed70a5dcfbb7a3ce40b650ccb1ccb
              • Instruction ID: 673996cf68d317f605463a30b0d820ed9c228a01e2a2e5da9dacac8c842e66dd
              • Opcode Fuzzy Hash: 7f92827dd93947b9492fc2e45da9c425d53ed70a5dcfbb7a3ce40b650ccb1ccb
              • Instruction Fuzzy Hash: 8E514831108240EFCB16EF64C885E6BBBE9FF85714F04491DF5859B2A2DB31E914CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetMenu.USER32(?), ref: 003C5A82
              • GetMenuItemCount.USER32(00000000), ref: 003C5AB9
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003C5AE1
              • GetMenuItemID.USER32(?,?), ref: 003C5B50
              • GetSubMenu.USER32(?,?), ref: 003C5B5E
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 003C5BAF
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: 5ec0662669d035c88cee4dfcd04dbf387d3d310377d8a296fa97a8d0cf25c3ae
              • Instruction ID: 81ab073fd6ab1aa2558f17ec0719602ba816f97d585827f80ec03e2802005228
              • Opcode Fuzzy Hash: 5ec0662669d035c88cee4dfcd04dbf387d3d310377d8a296fa97a8d0cf25c3ae
              • Instruction Fuzzy Hash: AA516D35A00615AFCF16EF65C845EAEBBB5EF48310F154469E802FB351CB70BE818B90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 0039F3F7
              • VariantClear.OLEAUT32(00000013), ref: 0039F469
              • VariantClear.OLEAUT32(00000000), ref: 0039F4C4
              • _memmove.LIBCMT ref: 0039F4EE
              • VariantClear.OLEAUT32(?), ref: 0039F53B
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0039F569
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              • Opcode ID: ff6449dfedcd3af5470bbe9624681ffe9f725c13555ff1b11c6a195e79666f54
              • Instruction ID: 87067b26ed870b47dc62eb4598789f3a8630a8614f8b16314858587ff885be1a
              • Opcode Fuzzy Hash: ff6449dfedcd3af5470bbe9624681ffe9f725c13555ff1b11c6a195e79666f54
              • Instruction Fuzzy Hash: AD515BB5A00209EFCF15DF58D880EAAB7B9FF4C314B15816AE959DB310D730E911CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003A2747
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A2792
              • IsMenu.USER32(00000000), ref: 003A27B2
              • CreatePopupMenu.USER32 ref: 003A27E6
              • GetMenuItemCount.USER32(000000FF), ref: 003A2844
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003A2875
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: 45cb421193cdce6d9c1f55aa1add518e93c70bd4e16d2736529b73e1cfc21bd9
              • Instruction ID: 1577ea3bc711f99acb8b69d2de25b1b9479112f017790fc10498af262fb9598b
              • Opcode Fuzzy Hash: 45cb421193cdce6d9c1f55aa1add518e93c70bd4e16d2736529b73e1cfc21bd9
              • Instruction Fuzzy Hash: E551AE70A00209EFDF26CF6CC988AAFBBF9EF46314F114169F8219B291D7799904CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0034179A
              • GetWindowRect.USER32(?,?), ref: 003417FE
              • ScreenToClient.USER32(?,?), ref: 0034181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0034182C
              • EndPaint.USER32(?,?), ref: 00341876
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              • Opcode ID: 92c7080c950638ab201c1bbf0552f1ae069d89e97792411495c6da9212082c2b
              • Instruction ID: eaa91914411d9240ae2f07d807feb760a401bc4186f6e6ad7efc995376e4cb8a
              • Opcode Fuzzy Hash: 92c7080c950638ab201c1bbf0552f1ae069d89e97792411495c6da9212082c2b
              • Instruction Fuzzy Hash: EC41BE71100701AFD712EF25CC84FBA7BF9EB49724F044629F999DB2A1C731A885DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,003B5134,?,?,00000000,00000001), ref: 003B73BF
                • Part of subcall function 003B3C94: GetWindowRect.USER32(?,?), ref: 003B3CA7
              • GetDesktopWindow.USER32 ref: 003B73E9
              • GetWindowRect.USER32(00000000), ref: 003B73F0
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003B7422
                • Part of subcall function 003A54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A555E
              • GetCursorPos.USER32(?), ref: 003B744E
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003B74AC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: 5cf5a789ec40f3281edf040f7d80d0373ed743e29bbe6f3607a92071afd98871
              • Instruction ID: 4f8b03d9d9f7f62d65854703cb72cf9e0b223c31616def61593c3aa919905561
              • Opcode Fuzzy Hash: 5cf5a789ec40f3281edf040f7d80d0373ed743e29bbe6f3607a92071afd98871
              • Instruction Fuzzy Hash: 8331A172508305AFD721DF55D849E9ABBAAFBC9314F000929F68997191CA30EA098B92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00398608
                • Part of subcall function 003985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00398612
                • Part of subcall function 003985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00398621
                • Part of subcall function 003985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00398628
                • Part of subcall function 003985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0039863E
              • GetLengthSid.ADVAPI32(?,00000000,00398977), ref: 00398DAC
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00398DB8
              • HeapAlloc.KERNEL32(00000000), ref: 00398DBF
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00398DD8
              • GetProcessHeap.KERNEL32(00000000,00000000,00398977), ref: 00398DEC
              • HeapFree.KERNEL32(00000000), ref: 00398DF3
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              • Opcode ID: a6dc1303be36082748aa5e11fc0d1bacca56625d0d436669536502bfae0bed76
              • Instruction ID: 14b0c08884f674763daab06f99a4c210e4fbc26ac4a53519c69917f824caf629
              • Opcode Fuzzy Hash: a6dc1303be36082748aa5e11fc0d1bacca56625d0d436669536502bfae0bed76
              • Instruction Fuzzy Hash: 1011BB72601605FFDF129FA4CC09FAE7BAEEF96315F15402AE849D7251CB32A904CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00398B2A
              • OpenProcessToken.ADVAPI32(00000000), ref: 00398B31
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00398B40
              • CloseHandle.KERNEL32(00000004), ref: 00398B4B
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00398B7A
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00398B8E
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: daa14c661247b0ecb7483cb44c2cccf0d1a1e0ccd646cc3cd5fd3dc38793d764
              • Instruction ID: cb1e902bc686ce234e74f2593ab4bcb2ba427d5e3b1a812d829be70da95d7935
              • Opcode Fuzzy Hash: daa14c661247b0ecb7483cb44c2cccf0d1a1e0ccd646cc3cd5fd3dc38793d764
              • Instruction Fuzzy Hash: 17115CB2501209AFDF028FA4DD49FEA7BADFF49344F094065FE05A2160C7729D609B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0034134D
                • Part of subcall function 003412F3: SelectObject.GDI32(?,00000000), ref: 0034135C
                • Part of subcall function 003412F3: BeginPath.GDI32(?), ref: 00341373
                • Part of subcall function 003412F3: SelectObject.GDI32(?,00000000), ref: 0034139C
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 003CC1C4
              • LineTo.GDI32(00000000,00000003,?), ref: 003CC1D8
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003CC1E6
              • LineTo.GDI32(00000000,00000000,?), ref: 003CC1F6
              • EndPath.GDI32(00000000), ref: 003CC206
              • StrokePath.GDI32(00000000), ref: 003CC216
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: e94ed164b4240e76f00fb060ade9dc12f09c0cfdb5ec60fdca1bba56364105ca
              • Instruction ID: f1f55313d6f5ab53a9c47ee5f62b2369715f0f2365a36ef8cf595ab93d8ad6da
              • Opcode Fuzzy Hash: e94ed164b4240e76f00fb060ade9dc12f09c0cfdb5ec60fdca1bba56364105ca
              • Instruction Fuzzy Hash: 3111097640011CBFDF129F91DC88FAA7FADEB08354F048425FA199A161C772AD55DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 003603D3
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 003603DB
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003603E6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003603F1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 003603F9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00360401
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: 36b21cb38d18cfcdb9ba8da48c04f66594a0e8074fa55569bd02ce2e8fdf2828
              • Instruction ID: 6d8291223c248a1e40a0e8ccb5bc3aebd7abba42d72e2ef283b63d481a51eb77
              • Opcode Fuzzy Hash: 36b21cb38d18cfcdb9ba8da48c04f66594a0e8074fa55569bd02ce2e8fdf2828
              • Instruction Fuzzy Hash: E3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003A569B
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003A56B1
              • GetWindowThreadProcessId.USER32(?,?), ref: 003A56C0
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A56CF
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A56D9
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A56E0
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 9d149093bf145d8b7bba84d53f60a666f140736e3c78ec1369470fc798dd56f1
              • Instruction ID: eca1d14d5833f7435d1e50b6083b0df3927b3a2546dc17b31dcb8603f80dc3ec
              • Opcode Fuzzy Hash: 9d149093bf145d8b7bba84d53f60a666f140736e3c78ec1369470fc798dd56f1
              • Instruction Fuzzy Hash: 9DF03032241558BFE7225BA2DC0EEEF7B7DEFC6B11F040169FA04D1060D7A12A1187B5
              Uniqueness

              Uniqueness Score: -1.00%
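The per-function "APIs" listings above are the raw material for triage: each block is one routine in the dumped image, with its call sites and the Opcode ID that identifies it across reports. The block below is an added example, not Joe Sandbox code or part of this report. It parses that listing format (the bullet lines with `ref:` addresses, the "Part of subcall function" nesting, and the Opcode ID field) into records and runs a few capability rules over them. `parse_report`, `triage`, `TRIAGE_RULES` and `open_process_access` are names of my own; `SAMPLE_REPORT` is constructed from lines of the listing above with hashes and argument lists shortened; the rules are my heuristics, not Joe Sandbox signatures.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox IDA Plugin section
into records and flag call sequences worth a second look during triage."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the report's own format: three function blocks taken
# from the listing above; hashes and argument lists are shortened.
SAMPLE_REPORT = """\
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 003A56C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000), ref: 003A56CF
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010), ref: 003A56D9
• CloseHandle.KERNEL32(00000000,?,?,?,00000010), ref: 003A56E0
Similarity
• Opcode ID: 9d149093bf145d8b

APIs
• OpenProcessToken.ADVAPI32(00000000), ref: 00398B31
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00398B7A
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00398B8E
Similarity
• Opcode ID: daa14c661247b0ec

APIs
  • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0548
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003C05D4
• RegCloseKey.ADVAPI32(00000000), ref: 003C0624
Similarity
• Opcode ID: 7f92827dd93947b9
"""

# One bullet of the APIs list; "Part of subcall function X:" marks a nested call.
API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_LINE = re.compile(r"^\s*•\s+(?P<key>API ID|Opcode ID):\s*(?P<val>\S*)")
ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")


@dataclass
class FunctionRecord:
    api_id: str = ""
    opcode_id: str = ""
    calls: list = field(default_factory=list)

    @property
    def entry(self) -> str:  # lowest call-site address among the function's own calls
        own = [c.ref for c in self.calls if c.subcall_of is None]
        return min(own, key=lambda r: int(r, 16)) if own else ""

    def api_names(self, include_subcalls: bool = False) -> set:
        return {c.api for c in self.calls if include_subcalls or c.subcall_of is None}


def parse_report(text: str) -> list:
    """Start a new record at each 'APIs' header and collect the bullets under it."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is not None:
            if m := API_LINE.match(line):
                args = [] if m["args"] is None else m["args"].split(",")
                current.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            elif m := FIELD_LINE.match(line):
                setattr(current, m["key"].lower().replace(" ", "_"), m["val"])
    return records


# Heuristic rules of my own (not Joe Sandbox signatures): label, APIs that must
# all occur in one function, capability.  In a compiled AutoIt binary these are
# interpreter built-ins (ProcessClose, RunAs, RegEnumVal), so a hit means the
# script *can* do it; the report's behaviour sections say whether it did.
TRIAGE_RULES = [
    ("kills-process", {"OpenProcess", "TerminateProcess"}, "terminates another process"),
    ("runs-as-user", {"CreateProcessWithLogonW"}, "starts a process with supplied credentials"),
    ("enumerates-registry", {"RegConnectRegistryW", "RegEnumValueW"}, "enumerates registry values, possibly remotely"),
    ("resolves-api-at-runtime", {"LoadLibraryExW", "GetProcAddress"}, "resolves an import dynamically"),
]


def open_process_access(rec: FunctionRecord) -> Optional[int]:
    """Desired-access mask passed to OpenProcess, when the plugin recovered it."""
    for c in rec.calls:
        if c.api == "OpenProcess" and c.args and re.fullmatch(r"[0-9A-F]+", c.args[0]):
            return int(c.args[0], 16)
    return None


def triage(records: list) -> list:
    """Return (label, entry address, opcode id, note) for every rule hit."""
    findings = []
    for rec in records:
        names = rec.api_names()
        for label, needed, note in TRIAGE_RULES:
            if needed <= names:
                if label == "kills-process" and open_process_access(rec) == 0x1F0FFF:
                    note += " with PROCESS_ALL_ACCESS (pre-Vista mask 0x1F0FFF)"
                findings.append((label, rec.entry, rec.opcode_id, note))
    return findings
```

On a full report the same Opcode ID recurs wherever the plugin emitted a routine more than once, so deduplicate findings on it before counting. Sub-calls are excluded from matching by default so that a rule fires on the routine that actually issues the calls rather than on every caller above it; pass `include_subcalls=True` to `api_names` when you want the transitive view. Because the matched routines are AutoIt runtime built-ins, they appear in every compiled AutoIt binary; the rules mark capabilities to check against the report's behaviour and Yara sections, not a verdict on their own.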

              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 003A74E5
              • EnterCriticalSection.KERNEL32(?,?,00351044,?,?), ref: 003A74F6
              • TerminateThread.KERNEL32(00000000,000001F6,?,00351044,?,?), ref: 003A7503
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00351044,?,?), ref: 003A7510
                • Part of subcall function 003A6ED7: CloseHandle.KERNEL32(00000000,?,003A751D,?,00351044,?,?), ref: 003A6EE1
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 003A7523
              • LeaveCriticalSection.KERNEL32(?,?,00351044,?,?), ref: 003A752A
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 11b71ad913164b06b22495bab7836c5dfe75dcf7182f101acb3e2503e37234bf
              • Instruction ID: 16a783a21f1a41ab65897731f5d7660a8d5541831941a4e2d6afc65a07de1ca7
              • Opcode Fuzzy Hash: 11b71ad913164b06b22495bab7836c5dfe75dcf7182f101acb3e2503e37234bf
              • Instruction Fuzzy Hash: 9EF03A3A540612EFDB131B64ED88DEA773EEF46302F050932F202D50A1CB756801CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00398E7F
              • UnloadUserProfile.USERENV(?,?), ref: 00398E8B
              • CloseHandle.KERNEL32(?), ref: 00398E94
              • CloseHandle.KERNEL32(?), ref: 00398E9C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00398EA5
              • HeapFree.KERNEL32(00000000), ref: 00398EAC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 3bf8de92c5b4ece72babe45ba2712b70bba24c8275e1a0b29f6fdfed18b5e38f
              • Instruction ID: 2b54b5f2ea5485ab74f8bfab3cac73a19d546e8d02d729d5aecd0aec00f3796d
              • Opcode Fuzzy Hash: 3bf8de92c5b4ece72babe45ba2712b70bba24c8275e1a0b29f6fdfed18b5e38f
              • Instruction Fuzzy Hash: D5E05276104505FFDA022FE6EC0CD5ABB6EFB89762B548632F219C1470CB32A461DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397C32
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397C4A
              • CLSIDFromProgID.OLE32(?,?,00000000,003CFB80,000000FF,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397C6F
              • _memcmp.LIBCMT ref: 00397C90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID: ,,=
              • API String ID: 314563124-2941206825
              • Opcode ID: f54c990083ee9fb51aa2b718a123884dda2cecfad3592e7c67535969158ae9cf
              • Instruction ID: 0d917843cb1c2d839b9c39b9dc830a824c2a69a0bda9c1a5c4c6ab4f9fc4a3b4
              • Opcode Fuzzy Hash: f54c990083ee9fb51aa2b718a123884dda2cecfad3592e7c67535969158ae9cf
              • Instruction Fuzzy Hash: 03810975A10109EFCF05DF94C984EEEB7B9FF89315F204198E506AB290DB71AE06CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 003B8928
              • CharUpperBuffW.USER32(?,?), ref: 003B8A37
              • VariantClear.OLEAUT32(?), ref: 003B8BAF
                • Part of subcall function 003A7804: VariantInit.OLEAUT32(00000000), ref: 003A7844
                • Part of subcall function 003A7804: VariantCopy.OLEAUT32(00000000,?), ref: 003A784D
                • Part of subcall function 003A7804: VariantClear.OLEAUT32(00000000), ref: 003A7859
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: c13d23afced6dee7244f73fecb0840055e3361189180509a71bdda74742cbe4f
              • Instruction ID: 85420e5f3207cb5365ebd99105194e5353edfe42f180e451ee6920c8cd5550d8
              • Opcode Fuzzy Hash: c13d23afced6dee7244f73fecb0840055e3361189180509a71bdda74742cbe4f
              • Instruction Fuzzy Hash: C49181756083019FCB11DF24C48199BBBE8EF89318F04496EF99A8F761DB31E905CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0035FEC6: _wcscpy.LIBCMT ref: 0035FEE9
              • _memset.LIBCMT ref: 003A3077
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A30A6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A3159
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003A3187
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: 5d74a323758836f556b1692e5e5a19589e6d275529b804ca6faf7f4ee2480e9f
              • Instruction ID: c7687e885c08c7de6c6819f3dffe4c2280ea9b3827bc6c437105d844288fd5ef
              • Opcode Fuzzy Hash: 5d74a323758836f556b1692e5e5a19589e6d275529b804ca6faf7f4ee2480e9f
              • Instruction Fuzzy Hash: D251CF716083009FD727EF28D845A6BB7E8EF96320F054A2EF896D7191DB70DE448792
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003A2CAF
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003A2CCB
              • DeleteMenu.USER32(?,00000007,00000000), ref: 003A2D11
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00406890,00000000), ref: 003A2D5A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: f160113c850f5928b07de30967e08ad1dd7551c73170c52fc3ce47035c8b11f6
              • Instruction ID: 95264067ac25c2545fe2a7ada59f41cf84d712a1564c371144e924374c294cdf
              • Opcode Fuzzy Hash: f160113c850f5928b07de30967e08ad1dd7551c73170c52fc3ce47035c8b11f6
              • Instruction Fuzzy Hash: 434191302083019FD726DF28C845F5BBBE8EF86320F15465DF9669B2A2D770E904CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003C8B4D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID: @U=u
              • API String ID: 634782764-2594219639
              • Opcode ID: c1f6b7cfe5012aab053ab2664200d794873e1d2d4b565784a9b461b52efb6419
              • Instruction ID: 6200cee84fcafdc0b40adfe7209e8da4c61b7184a5a946d7343ba5db232ab67f
              • Opcode Fuzzy Hash: c1f6b7cfe5012aab053ab2664200d794873e1d2d4b565784a9b461b52efb6419
              • Instruction Fuzzy Hash: 5631C4B4600208BFEF269F18CC45FAA77A9EB05310F25851EFA51E76A0CF30AE509B51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
                • Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
                • Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003C66D0
              • LoadLibraryW.KERNEL32(?), ref: 003C66D7
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003C66EC
              • DestroyWindow.USER32(?), ref: 003C66F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: 4ae2f19a33cb0e6a046c8c244cac77ba91d28a42504c236119496313827195a0
              • Instruction ID: d4dadf01b4a297e6fff09d03d60dcc9c38c9ea1ea6a817d0628c7c728b0bf1f3
              • Opcode Fuzzy Hash: 4ae2f19a33cb0e6a046c8c244cac77ba91d28a42504c236119496313827195a0
              • Instruction Fuzzy Hash: DC21A971200206AFEF124E64EC82FBB77ADEB59368F110629FA10D61A0C771DC619761
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 003A705E
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A7091
              • GetStdHandle.KERNEL32(0000000C), ref: 003A70A3
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003A70DD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 3793363aada1958e095dbeb1af6c41dfb8d075c705c315d223879b2f1b4fa77f
              • Instruction ID: 6cc5584eaa38185a07badbaf4f5758c4cdcd09bb2b5df2c77b71c7ffc4d1bb37
              • Opcode Fuzzy Hash: 3793363aada1958e095dbeb1af6c41dfb8d075c705c315d223879b2f1b4fa77f
              • Instruction Fuzzy Hash: C8216274504209AFDB22DF39DC45A9A77B8FF46720F204A29FDA1D72D0E770A850CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 003A712B
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A715D
              • GetStdHandle.KERNEL32(000000F6), ref: 003A716E
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003A71A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: c08b7dd9a1b406b5d4d53dbbe2a0bf5a8cf24e7255487708e2b7456b2f2d17ec
              • Instruction ID: 6949f3099b6972a1c4bce94d1d59896e78bb14861f5cd9b3cf91a4f9c9681322
              • Opcode Fuzzy Hash: c08b7dd9a1b406b5d4d53dbbe2a0bf5a8cf24e7255487708e2b7456b2f2d17ec
              • Instruction Fuzzy Hash: 3C2183756042059FDB229F69DC85EAAB7ECEF56720F200A19FDA1D72D0E770A841CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 003AAEBF
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003AAF13
              • __swprintf.LIBCMT ref: 003AAF2C
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,003CF910), ref: 003AAF6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: b467cdf8b7d4ed1cc0b1e8698a3f9c4d051aae2bcab98f7f8d59a4c3820144c4
              • Instruction ID: fa8d36122cec713084dada1435007f4cfe3f6fc77daa5da9208655401cdaa9ff
              • Opcode Fuzzy Hash: b467cdf8b7d4ed1cc0b1e8698a3f9c4d051aae2bcab98f7f8d59a4c3820144c4
              • Instruction Fuzzy Hash: AC216031A00109AFCB11EB65CC85EAE7BB8EF89704B004069F909EB251DB71EA41CB21
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
                • Part of subcall function 0039A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0039A399
                • Part of subcall function 0039A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0039A3AC
                • Part of subcall function 0039A37C: GetCurrentThreadId.KERNEL32 ref: 0039A3B3
                • Part of subcall function 0039A37C: AttachThreadInput.USER32(00000000), ref: 0039A3BA
              • GetFocus.USER32 ref: 0039A554
                • Part of subcall function 0039A3C5: GetParent.USER32(?), ref: 0039A3D3
              • GetClassNameW.USER32(?,?,00000100), ref: 0039A59D
              • EnumChildWindows.USER32(?,0039A615), ref: 0039A5C5
              • __swprintf.LIBCMT ref: 0039A5DF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
              • String ID: %s%d
              • API String ID: 1941087503-1110647743
              • Opcode ID: 71187e572fb9b14746112cbcb27d735b9b2ab188d264680d4c54d8d8eb7c3bd9
              • Instruction ID: 9a2b3dd548c4885d0f82ad0cabc0cd7dae961b00a5185f4f956e9657685b96d6
              • Opcode Fuzzy Hash: 71187e572fb9b14746112cbcb27d735b9b2ab188d264680d4c54d8d8eb7c3bd9
              • Instruction Fuzzy Hash: B211AF75600208ABDF12BF74DC85FEA37BDAF49700F044179F908AE152CB7069459BB5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 003A2048
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              • Opcode ID: cfdfc21653e4bef1230a52aeb379252c71354e5e4070ef1aef556e40fcd8f0e5
              • Instruction ID: 0f98620e8069c7af15185666eac4f45c84eea4e10ccdd5d397ac4e36186c8fbb
              • Opcode Fuzzy Hash: cfdfc21653e4bef1230a52aeb379252c71354e5e4070ef1aef556e40fcd8f0e5
              • Instruction Fuzzy Hash: A6115B749001099FCF06EFA8D8428FFB7B4FF16304B108569D965AB252EB32690ACB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003BEF1B
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003BEF4B
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003BF07E
              • CloseHandle.KERNEL32(?), ref: 003BF0FF
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              • Opcode ID: 583b970510c5826d6d7b587872240a813bff34c16897ef4409c8ec2e841d5297
              • Instruction ID: caa230f764bf2006280f109927e47a54ee883119898798301c6bb93e29b0fcf7
              • Opcode Fuzzy Hash: 583b970510c5826d6d7b587872240a813bff34c16897ef4409c8ec2e841d5297
              • Instruction Fuzzy Hash: 70814D716043019FD721EF28C886B6AB7E5AF88714F15881EF595DF692DB70AC408B51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 003C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003C0038,?,?), ref: 003C10BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0388
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C03C7
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003C040E
              • RegCloseKey.ADVAPI32(?,?), ref: 003C043A
              • RegCloseKey.ADVAPI32(00000000), ref: 003C0447
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: 631d5979654a32f7980cbe0fb1b6660d0625880c68ffc67ce5858971b4e1a864
              • Instruction ID: 592d05c51e96808297b8552cc5827e9ec423c3dae65ba726eba42492d9038a00
              • Opcode Fuzzy Hash: 631d5979654a32f7980cbe0fb1b6660d0625880c68ffc67ce5858971b4e1a864
              • Instruction Fuzzy Hash: C6512971208244EFD706EB64C881F6AB7E9FF84704F44892DB595DB2A2DB31ED04DB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003AE88A
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003AE8B3
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003AE8F2
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003AE917
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003AE91F
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: ac1d5e737a1bc3f5ac580a5c204f44ca007a984f61f1dfe942193d35fdcb0528
              • Instruction ID: 8dfdef07493a82bade4e9cac7403c7d997fbe3c27b01209432ad16a2d364b0c3
              • Opcode Fuzzy Hash: ac1d5e737a1bc3f5ac580a5c204f44ca007a984f61f1dfe942193d35fdcb0528
              • Instruction Fuzzy Hash: F151FA35A00205DFCF02EF64C981AAEBBF9EF49310B148099E849AF361CB35AD51DF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?), ref: 00342357
              • ScreenToClient.USER32(004067B0,?), ref: 00342374
              • GetAsyncKeyState.USER32(00000001), ref: 00342399
              • GetAsyncKeyState.USER32(00000002), ref: 003423A7
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 198b0341340cb2d2cc6de9fa765cd981b0ee0406b4e5209337c6a260bf6e3bd6
              • Instruction ID: de8d4bf42d76b7d55661b502a4583705e0666ac3207bbdfca61a8e9bcf643d37
              • Opcode Fuzzy Hash: 198b0341340cb2d2cc6de9fa765cd981b0ee0406b4e5209337c6a260bf6e3bd6
              • Instruction Fuzzy Hash: D0417135514119FFDF269F64C844EEABBB4FB05320F60835AF828AA2A1C7346D50DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0039695D
              • TranslateAcceleratorW.USER32(?,?,?), ref: 003969A9
              • TranslateMessage.USER32(?), ref: 003969D2
              • DispatchMessageW.USER32(?), ref: 003969DC
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003969EB
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: c2791297eeb9fad1440d04afa8d7b296388b5867e0372b348b05a67f7e1727f0
              • Instruction ID: 5b9a7c72d84681af33f7d9cdf0c11baede1e2f3d962c83291055901bd30d0d31
              • Opcode Fuzzy Hash: c2791297eeb9fad1440d04afa8d7b296388b5867e0372b348b05a67f7e1727f0
              • Instruction Fuzzy Hash: AF31E471902246AFDF22DF74CC46FB6BBACAB01304F124179E426E71A1D734E895DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(?,?), ref: 00398F12
              • PostMessageW.USER32(?,00000201,00000001), ref: 00398FBC
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00398FC4
              • PostMessageW.USER32(?,00000202,00000000), ref: 00398FD2
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00398FDA
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: b3b4c9a8baf76d25d08d469182736da4854758c5db0ecfb3be19ca2de82e8c4e
              • Instruction ID: 9cabf9c505ce4aed2da6a84b7a2d128753d0d207dddf482ba011e6ee12720118
              • Opcode Fuzzy Hash: b3b4c9a8baf76d25d08d469182736da4854758c5db0ecfb3be19ca2de82e8c4e
              • Instruction Fuzzy Hash: ED31E071500219EFDF01CF68E94CA9E7BBAEB45315F114229F926EA1D0C7B09910CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • GetWindowLongW.USER32(?,000000F0), ref: 003CB44C
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003CB471
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003CB489
              • GetSystemMetrics.USER32(00000004), ref: 003CB4B2
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003B1184,00000000), ref: 003CB4D0
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: fe1344bfd04e687adee9a4ed912c37798f009e0a4fb5642db963793d3972d0f5
              • Instruction ID: 3cb59812060c3b6569a621ffa8c08a0e6dbf1175d7725382f812f76882784a3c
              • Opcode Fuzzy Hash: fe1344bfd04e687adee9a4ed912c37798f009e0a4fb5642db963793d3972d0f5
              • Instruction Fuzzy Hash: 93219431918215AFCB1A9F39DC05F6677A9EB05720F168738F926D71E1E7309C10DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0034134D
              • SelectObject.GDI32(?,00000000), ref: 0034135C
              • BeginPath.GDI32(?), ref: 00341373
              • SelectObject.GDI32(?,00000000), ref: 0034139C
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: e62aca789a52dbbac711a22bbbb2e433d801a9b0252523acfb6419854293cd93
              • Instruction ID: 0a3e3227358bbc86c522e9a13b4ead06874c82716504bf4f6bf5e08f0280ad66
              • Opcode Fuzzy Hash: e62aca789a52dbbac711a22bbbb2e433d801a9b0252523acfb6419854293cd93
              • Instruction Fuzzy Hash: 2021B371801704EFDB12AF25DD04B697BF9FB00721F16C236F811AA5A0D371A8A1DF94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 3e503d05d19af1ab48dc97b7ea0d9457385866cf545ec433dd115b6134d078bc
              • Instruction ID: 9dd56388156f3852083d44f8347065672dd5b81b576ad526ba1246bccf8ea203
              • Opcode Fuzzy Hash: 3e503d05d19af1ab48dc97b7ea0d9457385866cf545ec433dd115b6134d078bc
              • Instruction Fuzzy Hash: 1201DD726141057BEA07A5209D42FAB735CAF21394F488012FD0497387E794DE11C2F8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 003A4D5C
              • __beginthreadex.LIBCMT ref: 003A4D7A
              • MessageBoxW.USER32(?,?,?,?), ref: 003A4D8F
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003A4DA5
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003A4DAC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: bd503988ade92d1b2b4f9793c56df53fef6d55c6fc0dd2abbb213ae07ee2a109
              • Instruction ID: 58ccdef1571505dc1795a94b03be3ad4d82f8337ca1d86c6071ccf59411c752a
              • Opcode Fuzzy Hash: bd503988ade92d1b2b4f9793c56df53fef6d55c6fc0dd2abbb213ae07ee2a109
              • Instruction Fuzzy Hash: FB110876904244BFC7029BB89C08EDA7FADEB86320F154269F915D3251D6B58D1087A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00398766
              • GetLastError.KERNEL32(?,0039822A,?,?,?), ref: 00398770
              • GetProcessHeap.KERNEL32(00000008,?,?,0039822A,?,?,?), ref: 0039877F
              • HeapAlloc.KERNEL32(00000000,?,0039822A,?,?,?), ref: 00398786
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0039879D
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 8ff524e1305342c2e4c756e202f39315497a16cf1657b97760c32a9fe1707dbf
              • Instruction ID: 3959e04fc793509405c86cf0c9fcfed4fb642e9e3f3f6356774ccbcf81d789dd
              • Opcode Fuzzy Hash: 8ff524e1305342c2e4c756e202f39315497a16cf1657b97760c32a9fe1707dbf
              • Instruction Fuzzy Hash: 6F011275601604FFEB124FA6DC48DA77F6DFF86755B200579F849C2160DA329D10DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5502
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003A5510
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5518
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003A5522
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A555E
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: 925bba0265f6d87d31370b93cadb05105d05ed61550fe6fde106c0fe7bf031e1
              • Instruction ID: 13777bbccdd553bd88a9e8be206192b7f4ab498148243478b0694fdea809ed47
              • Opcode Fuzzy Hash: 925bba0265f6d87d31370b93cadb05105d05ed61550fe6fde106c0fe7bf031e1
              • Instruction Fuzzy Hash: 22013975D01A19DBCF02AFE9E888AEDBB7DFB0A701F050056E902F2140DB3455548BA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?,?,?,0039799D), ref: 0039766F
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?,?), ref: 0039768A
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?,?), ref: 00397698
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?), ref: 003976A8
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0039758C,80070057,?,?), ref: 003976B4
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 1ca06f4788235c48a8852f43f9d6172c705cb6f57c40417d2518b63e31c62ca8
              • Instruction ID: 19cac09928559eeca3a7994d621e703e22ac0a0cf8a00c66fedc178f728abbbc
              • Opcode Fuzzy Hash: 1ca06f4788235c48a8852f43f9d6172c705cb6f57c40417d2518b63e31c62ca8
              • Instruction Fuzzy Hash: 2A017176615605BFDB125F58DC48EAA7BBDEB44751F140028FD08D2251E731ED4197A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00398608
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00398612
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00398621
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00398628
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0039863E
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: d7d15ca5b36222417ba6a43bf8b462638834c1046e458072353cafc882181cb3
              • Instruction ID: e43a5b3354aa652e50eb42595a31b1b134c615c0bb42172cb32cbb886d9d2b40
              • Opcode Fuzzy Hash: d7d15ca5b36222417ba6a43bf8b462638834c1046e458072353cafc882181cb3
              • Instruction Fuzzy Hash: C5F04935201214AFEB120FA5DC89E6B3FADFFCAB54F04042AFA49CA150CB65AC41DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00398669
              • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00398673
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00398682
              • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00398689
              • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0039869F
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 600764ac2f6f0cc5394f1faed5157ea3a9103a6fb602a7b5aa6feb589ded17cb
              • Instruction ID: beee57a12b563fcf5d9b4211377702a7267551f40f9735e8f5d2507aa403b378
              • Opcode Fuzzy Hash: 600764ac2f6f0cc5394f1faed5157ea3a9103a6fb602a7b5aa6feb589ded17cb
              • Instruction Fuzzy Hash: 37F04F75300214AFEB121FA5EC88EA73FBDFF8A754F140026FA45C6150CA61E941DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 0039C6BA
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0039C6D1
              • MessageBeep.USER32(00000000), ref: 0039C6E9
              • KillTimer.USER32(?,0000040A), ref: 0039C705
              • EndDialog.USER32(?,00000001), ref: 0039C71F
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: 28eb377f9d178b4d7eb0a0f0d495f12e137740542646c03439b1d6afb3f5f0ad
              • Instruction ID: 69065847d0cd7a094a8938f8535c50f038fbc693ffbc6eff943f5a3f8a9cbe26
              • Opcode Fuzzy Hash: 28eb377f9d178b4d7eb0a0f0d495f12e137740542646c03439b1d6afb3f5f0ad
              • Instruction Fuzzy Hash: C0014B30510704AFEB22AB60DD8EFA677BDBB00745F041669B582E14E1DBF1A9688B80
              Uniqueness

              Uniqueness Score: -1.00%
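
The entries above list raw call sites with numeric arguments (000000F0 to GetWindowLongW, 00000201/00000202 to PostMessageW, 00000002 and 00000003 to GetTokenInformation, 00000047 to SetWindowPos). Reading them is faster once the numbers are turned back into SDK names and the recurring idioms are labelled: the two-call "ask for the size, allocate, ask again" probe around GetTokenInformation and GetUserObjectSecurity, the WM_LBUTTONDOWN/WM_LBUTTONUP pair that synthesises a mouse click, and the PeekMessage/TranslateMessage/DispatchMessage pump. All of this is generic Win32 plumbing that a compiled AutoIt interpreter ships with whatever script it carries, so decoding it helps separate interpreter code from script behaviour. The decoder below is an added example, not part of the Joe Sandbox report and not code from the analysed sample. Its constant tables are standard Win32 values; the sample input is copied from the entries on this page. One assumption is built in: the report appears to print a sign-extended 8-bit immediate as its byte value (000000F0 where the parameter is GWL_STYLE = -16, 000000FF where it is INFINITE = -1), and the decoder applies that reading only to parameters known to be signed. Function and table names are mine.

```python
"""Decode the "APIs" lines of a Joe Sandbox function entry into Win32 names.

Added example: not part of the report and not code from the analysed sample.
Constant tables are standard Win32 SDK values.  Assumption: the report shows a
sign-extended 8-bit immediate as its byte (000000F0 for GWL_STYLE = -16,
000000FF for INFINITE = -1); that reading is applied only to signed parameters.
"""
import re

# "• Name.MODULE(arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function XXXXXXXX:".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
GWL = {-8: "GWL_HWNDPARENT", -12: "GWL_ID", -16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}
# (api, zero-based argument index) -> exact value -> name
VALUES = {
    ("GetWindowLongW", 1): GWL, ("SetWindowLongW", 1): GWL,
    ("GetSystemMetrics", 0): {0: "SM_CXSCREEN", 1: "SM_CYSCREEN", 4: "SM_CYCAPTION"},
    ("PostMessageW", 1): {0x200: "WM_MOUSEMOVE", 0x201: "WM_LBUTTONDOWN", 0x202: "WM_LBUTTONUP"},
    ("GetTokenInformation", 1): {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 25: "TokenIntegrityLevel"},
    ("WaitForSingleObject", 1): {-1: "INFINITE"},
    ("PeekMessageW", 4): {0: "PM_NOREMOVE", 1: "PM_REMOVE"},
    ("EndDialog", 1): {1: "IDOK", 2: "IDCANCEL"},
}
# (api, index) -> bit -> name, for bitmask parameters
FLAGS = {("SetWindowPos", 6): {0x1: "SWP_NOSIZE", 0x2: "SWP_NOMOVE", 0x4: "SWP_NOZORDER", 0x8: "SWP_NOREDRAW",
                               0x10: "SWP_NOACTIVATE", 0x20: "SWP_FRAMECHANGED", 0x40: "SWP_SHOWWINDOW"}}


def parse_arg(text):
    """'?' -> None, '-C0000018' -> negative int, otherwise hex; '(annotation)' is dropped."""
    text = re.sub(r"\(.*\)", "", text).strip()
    return None if text in ("", "?") else int(text, 16)


def symbolic(api, index, value):
    """Name for one argument, or None when the tables have nothing for it."""
    if value is None:
        return None
    names = VALUES.get((api, index), {})
    if value in names:
        return names[value]
    if 0x80 <= value <= 0xFF and value - 0x100 in names:  # byte-rendered negative (assumption)
        return names[value - 0x100]
    bits = FLAGS.get((api, index))
    if bits and value and not value & ~sum(bits):  # every set bit must be a known flag
        return "|".join(name for bit, name in sorted(bits.items()) if value & bit)
    return None


def decode_line(line):
    """(api, module, call_site, [(raw_arg, name_or_None), ...]) or None for a non-API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    raws = [a.strip() for a in args.split(",")] if args else []
    return api, module, int(ref, 16), [(r, symbolic(api, i, parse_arg(r))) for i, r in enumerate(raws)]


def tag_patterns(calls):
    """Label the call-sequence idioms visible in one entry."""
    apis = [c[0] for c in calls]
    tags = []
    for api in dict.fromkeys(apis):
        first, last = apis.index(api), len(apis) - 1 - apis[::-1].index(api)
        # Same API twice with GetLastError and HeapAlloc in between: query the required
        # size, allocate, query again (GetTokenInformation, GetUserObjectSecurity above).
        if first != last and {"GetLastError", "HeapAlloc"} <= set(apis[first + 1:last]):
            tags.append("two-call size probe: " + api)
    names = {name for c in calls for _, name in c[3]}
    if {"WM_LBUTTONDOWN", "WM_LBUTTONUP"} <= names:
        tags.append("synthetic left click via PostMessage")
    if {"PeekMessageW", "TranslateMessage", "DispatchMessageW"} <= set(apis):
        tags.append("message pump")
    return tags


def decode_entry(lines):
    """Decode one entry's API lines: (decoded_calls, pattern_tags)."""
    calls = [c for c in map(decode_line, lines) if c]
    return calls, tag_patterns(calls)


# Constructed sample input: API lines copied from three entries in this report.
TOKEN_ENTRY = """\
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00398608
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00398612
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00398621
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00398628
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0039863E""".splitlines()
CLICK_ENTRY = """\
• PostMessageW.USER32(?,00000201,00000001), ref: 00398FBC
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00398FC4
• PostMessageW.USER32(?,00000202,00000000), ref: 00398FD2""".splitlines()
WINDOW_ENTRY = """\
  • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003CB471
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003CB489
• GetSystemMetrics.USER32(00000004), ref: 003CB4B2
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003B1184,00000000), ref: 003CB4D0""".splitlines()

if __name__ == "__main__":
    for entry in (TOKEN_ENTRY, CLICK_ENTRY, WINDOW_ENTRY):
        calls, tags = decode_entry(entry)
        for api, _, site, args in calls:
            print(f"{site:08X} {api}({', '.join(n or r for r, n in args)})")
        print("  tags:", tags)
```

Paste any entry's "APIs" lines into `decode_entry` to get the same treatment; arguments the tables do not know stay as the raw hex the report printed, and the stack residue that Joe shows after a call's real parameters (the 00000008 in GetProcessHeap's list, for instance) is left untouched rather than guessed at.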

              APIs
              • EndPath.GDI32(?), ref: 003413BF
              • StrokeAndFillPath.GDI32(?,?,0037BAD8,00000000,?), ref: 003413DB
              • SelectObject.GDI32(?,00000000), ref: 003413EE
              • DeleteObject.GDI32 ref: 00341401
              • StrokePath.GDI32(?), ref: 0034141C
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 3ca2930908555743906b8b3e9611a4e3c8e2828b071b0b580ed1c69b48de9314
              • Instruction ID: b4152c47f2ce5e39bd97b2614c3af144e40426bd8ebacf73ccfe6237d1cf9fe1
              • Opcode Fuzzy Hash: 3ca2930908555743906b8b3e9611a4e3c8e2828b071b0b580ed1c69b48de9314
              • Instruction Fuzzy Hash: 18F0F632001708AFDB226F66EE0CB583BE9AB00726F05C234F46A981B1C731A9A5DF14
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00360FF6: std::exception::exception.LIBCMT ref: 0036102C
                • Part of subcall function 00360FF6: __CxxThrowException@8.LIBCMT ref: 00361041
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 00347BB1: _memmove.LIBCMT ref: 00347C0B
              • __swprintf.LIBCMT ref: 0035302D
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00352EC6
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: 93bd01fe6e71a30cbc66407046df2cb4fd521aeb74e2b324368043117eb4b04f
              • Instruction ID: 21514159050faae0e492792dad3d20a864f53bd1d603b4130cd5c0af29c19287
              • Opcode Fuzzy Hash: 93bd01fe6e71a30cbc66407046df2cb4fd521aeb74e2b324368043117eb4b04f
              • Instruction Fuzzy Hash: 47914C711087019FCB1AEF24D896C6EB7E8EF85750F04495DF9869F2A1DB20EE48CB52
              Uniqueness

              Uniqueness Score: -1.00%
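
The string referenced from 00352EC6 in the entry above is a regular expression: its three alternatives match a backslash escape (`\\`, `\n`, `\r`, `\t`), a literal `%%`, or a printf-style conversion with optional flag, width, precision and length modifier, which is what a format-string tokenizer needs right before the `__swprintf` call the same function makes. The snippet below runs that pattern, copied verbatim from the Strings field, over constructed format strings so the token classes it yields can be seen directly. It is an added example, not part of the report and not code from the sample; reading the pattern as a StringFormat-style tokenizer is an inference from the pattern itself, and the helper names are mine.

```python
"""Run the format-string tokenizer regex found in this sample's memory dump.

Added example, not report or sample code.  FORMAT_TOKEN is copied verbatim from
the Strings field of the entry above; the format strings fed to it are constructed.
"""
import re

FORMAT_TOKEN = re.compile(
    r"\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]"
)


def tokenize_format(fmt):
    """Return (kind, text, offset) for every token the pattern recognises.

    kind is 'escape' for \\n \\r \\t \\\\, 'percent' for %%, and 'spec' for a
    conversion such as %-10s or %*.*f.  Text the pattern does not match, including
    a malformed conversion like %q, is skipped, exactly as a regex scan skips it.
    """
    tokens = []
    for m in FORMAT_TOKEN.finditer(fmt):
        text = m.group(0)
        if text.startswith("\\"):
            kind = "escape"
        elif text == "%%":
            kind = "percent"
        else:
            kind = "spec"
        tokens.append((kind, text, m.start()))
    return tokens


def conversion_count(fmt):
    """Arguments the format consumes: one per conversion, plus one for each
    '*' width or precision that is read from the argument list."""
    return sum(1 + text.count("*") for kind, text, _ in tokenize_format(fmt) if kind == "spec")


if __name__ == "__main__":
    sample = "Total: %5.2f%% of %-10s\\n"   # constructed; \\n is the two-character escape
    for kind, text, offset in tokenize_format(sample):
        print(f"{offset:3d} {kind:8s} {text}")
    print("arguments consumed:", conversion_count(sample))
```

Counting the `*` markers matters when judging a format string found in a dump: a conversion like `%*.*f` pulls three values from the argument list, so a mismatch between the count here and the arguments actually supplied is where a format function reads past its inputs.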

              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 0039B981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container$%=
              • API String ID: 3565006973-2852750407
              • Opcode ID: 1b06e939a5c2e5d2a094d1596628587efe4d87f469d5b73e655b76b0f19205d0
              • Instruction ID: 80dcdd4fc8ca43f82fe9f8a265079292f955d9979f5ad15cf942e185cb319940
              • Opcode Fuzzy Hash: 1b06e939a5c2e5d2a094d1596628587efe4d87f469d5b73e655b76b0f19205d0
              • Instruction Fuzzy Hash: BF915974600201AFDB25DF68D985B6ABBE9FF48710F10856EF94ACF691DB70E840CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 003652DD
                • Part of subcall function 00370340: __87except.LIBCMT ref: 0037037B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: f1899aca0aace9a2aea106720022ebc86c9c3a2e0955cd9a61f328d381407d0b
              • Instruction ID: d413ca3dd93f285df3a1ae60b98a447802eb0465e0f8d2b56dd4ddafb1a30bb1
              • Opcode Fuzzy Hash: f1899aca0aace9a2aea106720022ebc86c9c3a2e0955cd9a61f328d381407d0b
              • Instruction Fuzzy Hash: 8C51A861A1D601C7CB2BB725C95037E2B989B00750F71CD7AE0D9862EDEF788CC49E46
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID: #$+
              • API String ID: 0-2552117581
              • Opcode ID: 6fe00a62d52a48c2abd9927be4ba8948c379e1a258591672b8912f2db6d84334
              • Instruction ID: a2dd874a9e4be2ef7a149893a0a92248fc881ea38955601066ba04689805ff41
              • Opcode Fuzzy Hash: 6fe00a62d52a48c2abd9927be4ba8948c379e1a258591672b8912f2db6d84334
              • Instruction Fuzzy Hash: C25123755046469FDF1BDF28C489AFA7BA8EF19310F298055EC919F2A0D7309C86C760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memmove$_free
              • String ID: Oa5
              • API String ID: 2620147621-2933034282
              • Opcode ID: 825e1f2612561a9093c43d4f564733a779f4c47e8f053d2ebaa05becfeeb4a12
              • Instruction ID: 4cc183ffe004cea7221d886192aee804e11a8d45d9eeda70dbb84561bfe1fbbc
              • Opcode Fuzzy Hash: 825e1f2612561a9093c43d4f564733a779f4c47e8f053d2ebaa05becfeeb4a12
              • Instruction Fuzzy Hash: 1C517A716083419FDB26CF28C481B2BBBE1FF85345F55492DE9898B360EB31D905CB82
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memset$_memmove
              • String ID: ERCP
              • API String ID: 2532777613-1384759551
              • Opcode ID: b6a45665a324e7b7563c1767961878449c2c9854968b9f30e74ecdd40b9d37b8
              • Instruction ID: 183aa3627319f1bc42264ec84dad85bd7e51c963460dce3c696fd0985992255d
              • Opcode Fuzzy Hash: b6a45665a324e7b7563c1767961878449c2c9854968b9f30e74ecdd40b9d37b8
              • Instruction Fuzzy Hash: A351D6B1900309DFCB26CF55C882BAABBF8EF04315F20856EE94ADB261E771D584CB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003C76D0
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003C76E4
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C7708
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: 2158f8be19890eabca46b2f48af462c5de7575943fe143b9a6731dce96792ba1
              • Instruction ID: db7623a7ce38a756bbaff327390b8675de6a7f24be99563ad20e7133ef3f88dc
              • Opcode Fuzzy Hash: 2158f8be19890eabca46b2f48af462c5de7575943fe143b9a6731dce96792ba1
              • Instruction Fuzzy Hash: 7921A132600219BBDF16CF64CC46FEA3B69EF48714F110218FE15AB1D0DAB1AC609BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003C6FAA
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003C6FBA
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003C6FDF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: 93fd2272c10b167ee631800c2618efc86a2df61f717e3926f9c6cf97ec864ad8
              • Instruction ID: 7f40165fbd9f3b122ff66c57f5df309d9b194dccdc7f537ae844407fe9f1db69
              • Opcode Fuzzy Hash: 93fd2272c10b167ee631800c2618efc86a2df61f717e3926f9c6cf97ec864ad8
              • Instruction Fuzzy Hash: AF217F32610118BFDF129F54DC86FAB37AAEF89754F02812CFA549B190C671AC518BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0039914F
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00399166
              • SendMessageW.USER32(?,0000000D,?,00000000), ref: 0039919E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: d1b9288325a2ecf35d97e5247254ebba6760af9c896f10143e3e22054b22d4c8
              • Instruction ID: 07be41275999ebee86890c6fd2538afabec9ad8705e3819cfaa5b87a750fa0b4
              • Opcode Fuzzy Hash: d1b9288325a2ecf35d97e5247254ebba6760af9c896f10143e3e22054b22d4c8
              • Instruction Fuzzy Hash: D0219F32600109BFDF22DBACD846AAEB7BEBF44350F11045BE905E7294DA71AD448B90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000402,00000000,00000000), ref: 003B613B
              • SendMessageW.USER32(0000000C,00000000,?), ref: 003B617C
              • SendMessageW.USER32(0000000C,00000000,?), ref: 003B61A4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: c131b4a2718f7c67c8da1174c59a36e5eeb4b32b498f82af6c744715f3d39386
              • Instruction ID: eacd1db74ad0587e9dd348bc81f63877c654216eced379e685a32b74d9012bc5
              • Opcode Fuzzy Hash: c131b4a2718f7c67c8da1174c59a36e5eeb4b32b498f82af6c744715f3d39386
              • Instruction Fuzzy Hash: 4D211D75201501AFDB12AB18DD86E6AB7EAFB49314B018069F9199FA72CB31BC51CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003C79E1
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003C79F6
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003C7A03
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 600d9b0f0285e66914a9e2039af9fbcd5929703a6b617ef70c5f92b2f5b1734f
              • Instruction ID: 3d9180d1bd21c792764ffa520cfe5981d91c029012fab4e93024ed3684a5dbe5
              • Opcode Fuzzy Hash: 600d9b0f0285e66914a9e2039af9fbcd5929703a6b617ef70c5f92b2f5b1734f
              • Instruction Fuzzy Hash: 3311E372244208BBEF169F61CC05FEB77ADEF89B64F02052DFA41A6190D272AC51CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 003C6C11
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003C6C20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: @U=u$edit
              • API String ID: 2978978980-590756393
              • Opcode ID: 3e445888835145f5ae555d196f1454c68e2b31ca81d38641a980321690603b88
              • Instruction ID: 2488e87e39b6139197285f2e516ddca0d25714cdab065170b7eafd8e5fd092e4
              • Opcode Fuzzy Hash: 3e445888835145f5ae555d196f1454c68e2b31ca81d38641a980321690603b88
              • Instruction Fuzzy Hash: 9A116D71500208AFEB124E649C82FEA376EEB45378F114728F965D71D0C775EC919B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 0039B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0039B0E7
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00399355
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 372448540-2258501812
              • Opcode ID: 93599eba7e7aeda556a250f7e0187b974e428544f29b59a9ee914f461d993d44
              • Instruction ID: 6d03cccf19eba43558568378c7c94c809b44cbfd946d49da3850ccdce62ea4b1
              • Opcode Fuzzy Hash: 93599eba7e7aeda556a250f7e0187b974e428544f29b59a9ee914f461d993d44
              • Instruction Fuzzy Hash: BA019275A05218ABCF06EF64CC929FE77ADBF06320B14061AF9725B2D2DB31690C8650
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 0039B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0039B0E7
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 0039924D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 372448540-2258501812
              • Opcode ID: 2309029a2b3b5ca482897ebc21efbd78d6fc33e999908e3490ca5b264054e05d
              • Instruction ID: 7324ca9892d71c3da3b9e6e4e82a0ef3f38a3e9086863f4a8c0af835bbe8af07
              • Opcode Fuzzy Hash: 2309029a2b3b5ca482897ebc21efbd78d6fc33e999908e3490ca5b264054e05d
              • Instruction Fuzzy Hash: FF018471A451087BCF17EBA4C992FFF77AC9F55300F14001AB9566B292EB116E0C9672
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00347F41: _memmove.LIBCMT ref: 00347F82
                • Part of subcall function 0039B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0039B0E7
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 003992D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: @U=u$ComboBox$ListBox
              • API String ID: 372448540-2258501812
              • Opcode ID: d70a954b03148509aeb18d66ade2c41121797c71e50140d9abab790a6c5a1b16
              • Instruction ID: 04e90d7c12e8ca648ab56c3fde5b4cfb12591c0aaf1ec403ee76fc67d56f7036
              • Opcode Fuzzy Hash: d70a954b03148509aeb18d66ade2c41121797c71e50140d9abab790a6c5a1b16
              • Instruction Fuzzy Hash: 7201A771A4510C77CF07E7A4C982FFF77AC9F11300F14051AB9526B292DB116E0C9271
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32(?,004067B0,003CDB17,000000FC,?,00000000,00000000,?,?,?,0037BBB9,?,?,?,?,?), ref: 003CAF8B
              • GetFocus.USER32 ref: 003CAF93
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
                • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
              • SendMessageW.USER32(011CECA0,000000B0,000001BC,000001C0), ref: 003CB005
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$Long$FocusForegroundMessageSend
              • String ID: @U=u
              • API String ID: 3601265619-2594219639
              • Opcode ID: 8cf3f9cf4deb2ac2682778e69ca5ea291f9c9d06ae18b31ca1736d52b5a8ddc6
              • Instruction ID: cb2548905db8bcc1b952982b0d637da285c04d50d736501a2c656fe0b1ced879
              • Opcode Fuzzy Hash: 8cf3f9cf4deb2ac2682778e69ca5ea291f9c9d06ae18b31ca1736d52b5a8ddc6
              • Instruction Fuzzy Hash: 610156312015109FC7269B28D885F6777EAEB89324F19417DE426DB3A1CB316C56CF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0035619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003561B1
              • SendMessageW.USER32(?,0000000C,00000000,?), ref: 003561DF
              • GetParent.USER32(?), ref: 0039111F
              • InvalidateRect.USER32(00000000,?,00353BAF,?,00000000,00000001), ref: 00391126
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$InvalidateParentRectTimeout
              • String ID: @U=u
              • API String ID: 3648793173-2594219639
              • Opcode ID: a16860f271fb4127e1d9f84a5fc5379413443d9755c31b3a7f4c2338b26937fa
              • Instruction ID: 794856108b8d7f6e9164d139b00a496673aa7e5ff7c28f7663427220b866ad15
              • Opcode Fuzzy Hash: a16860f271fb4127e1d9f84a5fc5379413443d9755c31b3a7f4c2338b26937fa
              • Instruction Fuzzy Hash: 1FF0A031100204FFEF222F60DC0AFB1BB6DAB15341F604035F9819B0B3CAA26968AB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00344C2E), ref: 00344CA3
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00344CB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 6dfdf27229594947d2f66b2f87cc7798faf2c81e2954a06524ef53cbbf3c3c61
              • Instruction ID: f240aa6b011c2f0d598cf3caee1395b828c92b4c0f3f8c4ffff14efdf067895d
              • Opcode Fuzzy Hash: 6dfdf27229594947d2f66b2f87cc7798faf2c81e2954a06524ef53cbbf3c3c61
              • Instruction Fuzzy Hash: 53D01770550723DFE7229F31EA58B46B6EAAF05791F1AC83ED886DA150E770EC80CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00344D2E,?,00344F4F,?,004062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344D6F
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00344D81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: d4ba1257e8e876e7e421839535a9ded9c7e5bcce320b248d5f6ef2574febe2a7
              • Instruction ID: 7d37582badb28d7ca0927f91250b1524ad67b0475703714bad6a883547b24669
              • Opcode Fuzzy Hash: d4ba1257e8e876e7e421839535a9ded9c7e5bcce320b248d5f6ef2574febe2a7
              • Instruction Fuzzy Hash: DED01730910713CFD7229F31D808B56B6E9AF16352F16C93ED497DA260EB70E880CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00344CE1,?), ref: 00344DA2
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00344DB4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 86c7751d113e48214b966063746026963e015147e86071b5c5ccec47e16ccac9
              • Instruction ID: 151c2e2d8e41630cd090a22a728e676c02a0d447e4c44a9646c54382c7d9cd09
              • Opcode Fuzzy Hash: 86c7751d113e48214b966063746026963e015147e86071b5c5ccec47e16ccac9
              • Instruction Fuzzy Hash: 72D0E231950713CFD7229B31D808B86B6E9AF06355B16883AD887DA150EB70E880CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,003C12C1), ref: 003C1080
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003C1092
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 595475c3510fead119a37b334419d33e40838809be517ce023be6f3e7c9ef9c4
              • Instruction ID: 21ee101a0bad53805a5758e0fc8d23defe6611b8330579aa0787098fc93f3542
              • Opcode Fuzzy Hash: 595475c3510fead119a37b334419d33e40838809be517ce023be6f3e7c9ef9c4
              • Instruction Fuzzy Hash: 01D01770520726DFD7229F35D818E6AB6E9AF06361F1A8D3EE4CADA150E770D8C0CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,003B9009,?,003CF910), ref: 003B9403
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003B9415
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 60a1940fb4fd1ffcc11ada2de43c82b897508b2ee74cf8c2c5bb139c61acb2cc
              • Instruction ID: 841d13182f642427bc861bd728c1aee19208270bdaa52444bb2cb78bafb55984
              • Opcode Fuzzy Hash: 60a1940fb4fd1ffcc11ada2de43c82b897508b2ee74cf8c2c5bb139c61acb2cc
              • Instruction Fuzzy Hash: 62D01274610727CFD7229F32DA08A867ADAAF05355F15C83ED686D6950D770D880C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 79dcbc3c6dd72c7ab63ad74daa02b6b7cc95124651c2466eaf38570a327cf966
              • Instruction ID: d7ca0d93f7fd4c1978093c97b59cb5e72902b1f6593a9de6aa2f8d5f46a790b7
              • Opcode Fuzzy Hash: 79dcbc3c6dd72c7ab63ad74daa02b6b7cc95124651c2466eaf38570a327cf966
              • Instruction Fuzzy Hash: 58C16E75A14216EFCF15CF98C884EAEB7B9FF48714B158598E805EB291D730ED81CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?), ref: 003BE3D2
              • CharLowerBuffW.USER32(?,?), ref: 003BE415
                • Part of subcall function 003BDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003BDAD9
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 003BE615
              • _memmove.LIBCMT ref: 003BE628
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: 76ae92e8b9a305b1e7226598fec47e3891583e83839a4f49260b0af8c6589d55
              • Instruction ID: 034344118bfd1a4ff23679aede5070081340b004fc3de1cdec3511fe562294d5
              • Opcode Fuzzy Hash: 76ae92e8b9a305b1e7226598fec47e3891583e83839a4f49260b0af8c6589d55
              • Instruction Fuzzy Hash: 74C17A756083018FC716DF28C481AAABBE4FF89718F14896EF9999B751D730E905CF82
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoInitialize.OLE32(00000000), ref: 003B83D8
              • CoUninitialize.OLE32 ref: 003B83E3
                • Part of subcall function 0039DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0039DAC5
              • VariantInit.OLEAUT32(?), ref: 003B83EE
              • VariantClear.OLEAUT32(?), ref: 003B86BF
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 51feecf473d379cbe0c4b726e12cc79d29ea4de89752d26997bc0c72a8141898
              • Instruction ID: 6b8ab54a9741453db883a86519cce0e118708b7ac18508d750a6df9469e07aae
              • Opcode Fuzzy Hash: 51feecf473d379cbe0c4b726e12cc79d29ea4de89752d26997bc0c72a8141898
              • Instruction Fuzzy Hash: E0A104752047019FCB12DF15C885B5AB7E9BF89318F15444AFA9A9B7A1CB30FD04CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: 91bb3e596dcacfda42a8230888931db88f4307f06c62f68d872cdb580b74bddd
              • Instruction ID: f4fd8e3cc6686e8df2c787f920b4527aa4c1532961bf517ece05e799124ec9e9
              • Opcode Fuzzy Hash: 91bb3e596dcacfda42a8230888931db88f4307f06c62f68d872cdb580b74bddd
              • Instruction Fuzzy Hash: BD51A6356183019ADF26AF65D896B3BB3E9AF49310F20881FE556CF6D1DB709840DB11
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 003B6CE4
              • WSAGetLastError.WSOCK32(00000000), ref: 003B6CF4
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003B6D58
              • WSAGetLastError.WSOCK32(00000000), ref: 003B6D64
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • String ID:
              • API String ID: 2214342067-0
              • Opcode ID: 76de58c40350ae8514709711b714160b3425fbd353014ef9969d4cfac71e7855
              • Instruction ID: 6f350b8c4f7fb7a003214cc96aa849906c9dd5afbb35e558ba6c501843b97b51
              • Opcode Fuzzy Hash: 76de58c40350ae8514709711b714160b3425fbd353014ef9969d4cfac71e7855
              • Instruction Fuzzy Hash: 59418D74740200AFEB22AF24DC87F7A77E9EB44B14F448019FA599F2D3DA75AD008B91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003CF910), ref: 003B67BA
              • _strlen.LIBCMT ref: 003B67EC
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: d21b6fdb164261d5306b6c5e30fdb270f208b390bcf8d0eb96a5df5e7c64e262
              • Instruction ID: d72a8e3b90444891f8dd28cbf105c0f26455b4a6257cb421fd4bc798182ad95e
              • Opcode Fuzzy Hash: d21b6fdb164261d5306b6c5e30fdb270f208b390bcf8d0eb96a5df5e7c64e262
              • Instruction Fuzzy Hash: 19417F71A00104ABCB16EBA4DCC6FEEB3EDAF44314F148165F9169F692DB34AD00CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ClientToScreen.USER32(?,?), ref: 003CAE1A
              • GetWindowRect.USER32(?,?), ref: 003CAE90
              • PtInRect.USER32(?,?,003CC304), ref: 003CAEA0
              • MessageBeep.USER32(00000000), ref: 003CAF11
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: 24ae751632302b5a7ca82719fa8ebb4a4fef7337f17477f4d451f42c122c7321
              • Instruction ID: 59ac6ef71f8ea1a985101c7793513c9158395d529209089270c773faf02859c0
              • Opcode Fuzzy Hash: 24ae751632302b5a7ca82719fa8ebb4a4fef7337f17477f4d451f42c122c7321
              • Instruction Fuzzy Hash: 31417A71A009199FCB12DF68C884F69BBF5FB88304F1580ADE415DB251C730AC41DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003A1037
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 003A1053
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003A10B9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003A110B
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 67cf02a265650068b4baad37977fb12eb648e2479061cf662491ffd9b022b20e
              • Instruction ID: 6042d1c3a0c712b807b64e480d20ccad9d2c1fa7fdd69b99ad69ee7d9b7104d5
              • Opcode Fuzzy Hash: 67cf02a265650068b4baad37977fb12eb648e2479061cf662491ffd9b022b20e
              • Instruction Fuzzy Hash: 68314830E44698AEFB37CB658C09BFABBAEEB4B310F08431AE580965D1C3758DC49755
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 003A1176
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 003A1192
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 003A11F1
              • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 003A1243
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 1e4fc330342d4e2c71f0cbc6302a27745246bbef7baee6681a3b763521d5aed0
              • Instruction ID: 757498ef2cd93a9da14d88b526f8ef385252098160d3f5dd8f6e6212eaf82e46
              • Opcode Fuzzy Hash: 1e4fc330342d4e2c71f0cbc6302a27745246bbef7baee6681a3b763521d5aed0
              • Instruction Fuzzy Hash: AA312430A40618AEEF378B658C09BFABBAEEB4B310F04471BE681925D1C3358A559751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0037644B
              • __isleadbyte_l.LIBCMT ref: 00376479
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003764A7
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003764DD
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 4c086b808d3b5f9c54c4e9cc3dc0e92080d4e9ceef10800627ccd63935509b9a
              • Instruction ID: 65db196bceb5f2a9eb133b76bf0e19bf35456c0add988473ddf0da54d890654e
              • Opcode Fuzzy Hash: 4c086b808d3b5f9c54c4e9cc3dc0e92080d4e9ceef10800627ccd63935509b9a
              • Instruction Fuzzy Hash: D831D031600A46EFDB338F66C856BBA7BA9FF41310F168029E8588B190D739E850DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32 ref: 003C5189
                • Part of subcall function 003A387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003A3897
                • Part of subcall function 003A387D: GetCurrentThreadId.KERNEL32 ref: 003A389E
                • Part of subcall function 003A387D: AttachThreadInput.USER32(00000000,?,003A52A7), ref: 003A38A5
              • GetCaretPos.USER32(?), ref: 003C519A
              • ClientToScreen.USER32(00000000,?), ref: 003C51D5
              • GetForegroundWindow.USER32 ref: 003C51DB
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: b6352a816ecde03f6dc7d483e75a7f64ba8d61095cc4f4c362b745221dbd0919
              • Instruction ID: 9aed0f125e8788b2243aff0c903509aac5b250d1d209d6ef9109948571025a89
              • Opcode Fuzzy Hash: b6352a816ecde03f6dc7d483e75a7f64ba8d61095cc4f4c362b745221dbd0919
              • Instruction Fuzzy Hash: C1310D71900118AFDB01EFA5C885EEFB7FDEF99304F10406AE515EB241EA75AE45CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • GetCursorPos.USER32(?), ref: 003CC7C2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0037BBFB,?,?,?,?,?), ref: 003CC7D7
              • GetCursorPos.USER32(?), ref: 003CC824
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0037BBFB,?,?,?), ref: 003CC85E
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: 1168ec8e37bc88e09a361c953b28876351883c6268181774e71e606650440a13
              • Instruction ID: bc247041da53ae1f57dbbd5eb158b8919c09639c851c042c8ddbb5cfdd6e669c
              • Opcode Fuzzy Hash: 1168ec8e37bc88e09a361c953b28876351883c6268181774e71e606650440a13
              • Instruction Fuzzy Hash: 7B318035610118AFCB16DF58C8A8EEB7BFAEB49310F054069F909DB261C735AD60DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00398652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00398669
                • Part of subcall function 00398652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00398673
                • Part of subcall function 00398652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00398682
                • Part of subcall function 00398652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00398689
                • Part of subcall function 00398652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0039869F
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00398BEB
              • _memcmp.LIBCMT ref: 00398C0E
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00398C44
              • HeapFree.KERNEL32(00000000), ref: 00398C4B
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              • Opcode ID: a74de99e3b584b71142d5c678cf130276b5bac5ec10300bbecefa4e019fad5ed
              • Instruction ID: c0fc5366221a462a386075b16829d137773b4fb2e494f9a54edf6cca4c891492
              • Opcode Fuzzy Hash: a74de99e3b584b71142d5c678cf130276b5bac5ec10300bbecefa4e019fad5ed
              • Instruction Fuzzy Hash: 94218B71E01208AFCF01DFA4C984BAEB7B8EF81344F09405AE454AB240DB30AA06CF60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __setmode.LIBCMT ref: 00360BF2
                • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A7B20,?,?,00000000), ref: 00345B8C
                • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A7B20,?,?,00000000,?,?), ref: 00345BB0
              • _fprintf.LIBCMT ref: 00360C29
              • OutputDebugStringW.KERNEL32(?), ref: 00396331
                • Part of subcall function 00364CDA: _flsall.LIBCMT ref: 00364CF3
              • __setmode.LIBCMT ref: 00360C5E
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: b91131fe42718c1f4f5b770e948594526ad7e5865f14c8b4fc0269f157f44f15
              • Instruction ID: 10e995decda1543943fe7de430871ed643dbff0e267a034717c2180531c92379
              • Opcode Fuzzy Hash: b91131fe42718c1f4f5b770e948594526ad7e5865f14c8b4fc0269f157f44f15
              • Instruction Fuzzy Hash: 08112432D042047BCB0BB7B4AC839BE7BADDF41320F14811AF1049F296EF206D5297A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0039F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0039E1C4,?,?,?,0039EFB7,00000000,000000EF,00000119,?,?), ref: 0039F5BC
                • Part of subcall function 0039F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0039F5E2
                • Part of subcall function 0039F5AD: lstrcmpiW.KERNEL32(00000000,?,0039E1C4,?,?,?,0039EFB7,00000000,000000EF,00000119,?,?), ref: 0039F613
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0039EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0039E1DD
              • lstrcpyW.KERNEL32(00000000,?), ref: 0039E203
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0039EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0039E237
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: 39baa782cdf5286c8549cf74a2c55a6b0cde6c3d2d331d9596722b31ff4ee6fc
              • Instruction ID: 364693c24d78a6f1f60794ee0ce712fc3edfb7f0ee3fdcb1869d4043378f7498
              • Opcode Fuzzy Hash: 39baa782cdf5286c8549cf74a2c55a6b0cde6c3d2d331d9596722b31ff4ee6fc
              • Instruction Fuzzy Hash: 2311BE3A200345EFCF26AF64D845E7A77A9FF85310B45842AF816CB260EB71E85187A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _free.LIBCMT ref: 00375351
                • Part of subcall function 0036594C: __FF_MSGBANNER.LIBCMT ref: 00365963
                • Part of subcall function 0036594C: __NMSG_WRITE.LIBCMT ref: 0036596A
                • Part of subcall function 0036594C: RtlAllocateHeap.NTDLL(011B0000,00000000,00000001,00000000,?,?,?,00361013,?), ref: 0036598F
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 6c5103389c9288d7076a20bdfc50aa7775776c3e4b2d518836103b8cd7a29c43
              • Instruction ID: 3c70d74bfded7631ac1c5e3d6d03d124cebaf5f8fb9e26c137eb5ec015005e60
              • Opcode Fuzzy Hash: 6c5103389c9288d7076a20bdfc50aa7775776c3e4b2d518836103b8cd7a29c43
              • Instruction Fuzzy Hash: 46112336504A05AFEB3B3F70AC4471E3B989F053E0F11C52AF9099E0B0DEF8894083A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00344560
                • Part of subcall function 0034410D: _memset.LIBCMT ref: 0034418D
                • Part of subcall function 0034410D: _wcscpy.LIBCMT ref: 003441E1
                • Part of subcall function 0034410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003441F1
              • KillTimer.USER32(?,00000001,?,?), ref: 003445B5
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003445C4
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0037D6CE
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: 17423e865f4836e20b4b799382d913640a8a5b371ed60f00537c8742503bc79c
              • Instruction ID: bc74b02976bc68d728464077f81c91a524c63e09e51bdafbd2be8d496760f273
              • Opcode Fuzzy Hash: 17423e865f4836e20b4b799382d913640a8a5b371ed60f00537c8742503bc79c
              • Instruction Fuzzy Hash: 0521C970904784AFEB339B24DC55BE7BBEC9F11304F0440EDE69EAA245C7786A84DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 003A40D1
              • _memset.LIBCMT ref: 003A40F2
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003A4144
              • CloseHandle.KERNEL32(00000000), ref: 003A414D
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              • API String ID: 1157408455-0
              • Opcode ID: 8bb9926fa65d131561284516556307794c6fe647defcd1bc5467cb6f3be157a9
              • Instruction ID: d7045d3f29af938fe4ef45d318aaed22774b2ba96940882f11cbb9a6cb34c863
              • Opcode Fuzzy Hash: 8bb9926fa65d131561284516556307794c6fe647defcd1bc5467cb6f3be157a9
              • Instruction Fuzzy Hash: F3110A759012287AD7319BA5AC4DFABBB7CEF85760F1042AAF908D7180D6744E80CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A7B20,?,?,00000000), ref: 00345B8C
                • Part of subcall function 00345B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A7B20,?,?,00000000,?,?), ref: 00345BB0
              • gethostbyname.WSOCK32(?,?,?), ref: 003B66AC
              • WSAGetLastError.WSOCK32(00000000), ref: 003B66B7
              • _memmove.LIBCMT ref: 003B66E4
              • inet_ntoa.WSOCK32(?), ref: 003B66EF
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: 1d65c783f5ba4883c0994a1d78313682a732332eefd53dd171cc5e2ddc139638
              • Instruction ID: 1318effffa35970a7dcbc0f82c922063d0a4a09f00e97494ac5742811541430b
              • Opcode Fuzzy Hash: 1d65c783f5ba4883c0994a1d78313682a732332eefd53dd171cc5e2ddc139638
              • Instruction Fuzzy Hash: EA114975900608AFCB02FBA4DD86DEEB7BDAF04310B148065F502AF262DF31AE04CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00399043
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00399055
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0039906B
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00399086
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: b1a5f12190042a69b6844b4e9d4fc15efa43e8c24839080110274dea7f6e9ccb
              • Instruction ID: 859e995d349daff83380ece83b66854fbc0beba0829ffa41833ee8ce59fa1e25
              • Opcode Fuzzy Hash: b1a5f12190042a69b6844b4e9d4fc15efa43e8c24839080110274dea7f6e9ccb
              • Instruction Fuzzy Hash: 0D113A79901218BFEF11DFA9CD84F9DBB78FB48310F204096E914B7250D6726E10DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • DefDlgProcW.USER32(?,00000020,?), ref: 003412D8
              • GetClientRect.USER32(?,?), ref: 0037B84B
              • GetCursorPos.USER32(?), ref: 0037B855
              • ScreenToClient.USER32(?,?), ref: 0037B860
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: 81fe5888a51e74ab0213bbda2c932db3813d0d721fb2bc2536b06567326b5ba9
              • Instruction ID: 605d97eb6332654e4f2a8a8cd509f5872c0ae60eb50685995dd26bb67f274bfd
              • Opcode Fuzzy Hash: 81fe5888a51e74ab0213bbda2c932db3813d0d721fb2bc2536b06567326b5ba9
              • Instruction Fuzzy Hash: 09112835A00519AFCB12EF94D885DEE77FDEB05301F004866F941EB150D770BA918BA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003A01FD,?,003A1250,?,00008000), ref: 003A166F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,003A01FD,?,003A1250,?,00008000), ref: 003A1694
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003A01FD,?,003A1250,?,00008000), ref: 003A169E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,003A01FD,?,003A1250,?,00008000), ref: 003A16D1
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              • Opcode ID: 81a65f03b62fe384d228b06445fea57fa1bb2c1bb7c0fb2ff26d862496a62fe3
              • Instruction ID: 3707ef265dedd49f2d4083510dab2ad8456299b01aa3863557e8c0b420da67af
              • Opcode Fuzzy Hash: 81a65f03b62fe384d228b06445fea57fa1bb2c1bb7c0fb2ff26d862496a62fe3
              • Instruction Fuzzy Hash: 9F112A71C0091DDBCF029FA5D949AEEBB78FF0A751F094156ED40F6250CB30A5608B96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 8fd5a22688c86964f6cb4437c378c0a63b6618157016d984e1fd0e3befbc747d
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 4701403604414ABBCF235E84CC018EE3F66BF59351B598915FA2C58032D73BC9B1AB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(?,?), ref: 003CB59E
              • ScreenToClient.USER32(?,?), ref: 003CB5B6
              • ScreenToClient.USER32(?,?), ref: 003CB5DA
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003CB5F5
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: 0fffd6e3103c00fc83a180d3860de646b2de76d4f076a2345225becf2a1efebb
              • Instruction ID: c8cd24455b021ff679f1e20fa0fbb466efdfdf54a7eb0a9129e01b1e82ee36cb
              • Opcode Fuzzy Hash: 0fffd6e3103c00fc83a180d3860de646b2de76d4f076a2345225becf2a1efebb
              • Instruction Fuzzy Hash: F31146B5D00209EFDB41DF99C844AEEFBB9FB08310F104166E954E3220D735AA658F50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003CB8FE
              • _memset.LIBCMT ref: 003CB90D
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00407F20,00407F64), ref: 003CB93C
              • CloseHandle.KERNEL32 ref: 003CB94E
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: 7a76b2424d10f34be2f3e1925b5e3e844ec10c8e5cc77c6cc05d3a5b2a9ed2d7
              • Instruction ID: 5f9a7ea7c7ce2c2ce81b37e19e2b418928373d6dfc9480c4cfa69c32742aec70
              • Opcode Fuzzy Hash: 7a76b2424d10f34be2f3e1925b5e3e844ec10c8e5cc77c6cc05d3a5b2a9ed2d7
              • Instruction Fuzzy Hash: 7BF05EB29483417FE2113771AC46FBB7A5CEB08354F008031FB08EA192DB756D0087AE
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 003A6E88
                • Part of subcall function 003A794E: _memset.LIBCMT ref: 003A7983
              • _memmove.LIBCMT ref: 003A6EAB
              • _memset.LIBCMT ref: 003A6EB8
              • LeaveCriticalSection.KERNEL32(?), ref: 003A6EC8
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: f35ad4817fde1e76eeec55427048bbde0ff3fca15ea5078d0bc562119aec3a3e
              • Instruction ID: a0c7a6072c6bda125154d04eb78ee81de778ac05fe93231775a2b080c3355c8b
              • Opcode Fuzzy Hash: f35ad4817fde1e76eeec55427048bbde0ff3fca15ea5078d0bc562119aec3a3e
              • Instruction Fuzzy Hash: CFF0543A104200ABCF026F55DC85E4ABB2AEF45320F04C065FE089E22AC731A911CBB4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0034134D
                • Part of subcall function 003412F3: SelectObject.GDI32(?,00000000), ref: 0034135C
                • Part of subcall function 003412F3: BeginPath.GDI32(?), ref: 00341373
                • Part of subcall function 003412F3: SelectObject.GDI32(?,00000000), ref: 0034139C
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003CC030
              • LineTo.GDI32(00000000,?,?), ref: 003CC03D
              • EndPath.GDI32(00000000), ref: 003CC04D
              • StrokePath.GDI32(00000000), ref: 003CC05B
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: 5318e4ee7b8f4c2be789db97210c6f35752cac93a4fa21d5ccaa105851a26db1
              • Instruction ID: e9f9cabbca6f5c9a4977241c53805a9d283dfe6837a62859c557b22a47dbe3aa
              • Opcode Fuzzy Hash: 5318e4ee7b8f4c2be789db97210c6f35752cac93a4fa21d5ccaa105851a26db1
              • Instruction Fuzzy Hash: FBF05E32001269BBDB136F55AC0AFCE3F9AAF05711F048014FA15A50E287B56961DB99
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0039A399
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0039A3AC
              • GetCurrentThreadId.KERNEL32 ref: 0039A3B3
              • AttachThreadInput.USER32(00000000), ref: 0039A3BA
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: 6df611b1e3aa95e24ca32f004104b777d48ea4551fba7c67cffaba3f79db3942
              • Instruction ID: 04cbe0e787050a8a6198d1535810bfe47b32823ae40e36ce06c36fd9ac847c7d
              • Opcode Fuzzy Hash: 6df611b1e3aa95e24ca32f004104b777d48ea4551fba7c67cffaba3f79db3942
              • Instruction Fuzzy Hash: 10E03931241228BEEB221BA2DC0CED73F1DEF167A1F008125F908C4060C6719550CBE0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSysColor.USER32(00000008), ref: 00342231
              • SetTextColor.GDI32(?,000000FF), ref: 0034223B
              • SetBkMode.GDI32(?,00000001), ref: 00342250
              • GetStockObject.GDI32(00000005), ref: 00342258
              • GetWindowDC.USER32(?,00000000), ref: 0037C0D3
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0037C0E0
              • GetPixel.GDI32(00000000,?,00000000), ref: 0037C0F9
              • GetPixel.GDI32(00000000,00000000,?), ref: 0037C112
              • GetPixel.GDI32(00000000,?,?), ref: 0037C132
              • ReleaseDC.USER32(?,00000000), ref: 0037C13D
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: 5c0916246136d8e87068cd63797e79ae54cd2d9e90e4cc523e07aa5c383987ec
              • Instruction ID: 60ac72b9fa695a2154470d49f9d465a6d020a7c1683bcc9026d80374e739b92c
              • Opcode Fuzzy Hash: 5c0916246136d8e87068cd63797e79ae54cd2d9e90e4cc523e07aa5c383987ec
              • Instruction Fuzzy Hash: 96E06D32100244EEDB225F64FC0DBD87B19EB05332F04C37AFA69980E187729980DB11
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThread.KERNEL32 ref: 00398C63
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,0039882E), ref: 00398C6A
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0039882E), ref: 00398C77
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,0039882E), ref: 00398C7E
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: 20f5c3db2adc456408fa669daa41e919a8edaf142259f63d146aa185f8e91818
              • Instruction ID: 637e87d69671a8375500d649786e05cdeb4731ffc56418c75fdae94b8fd2e367
              • Opcode Fuzzy Hash: 20f5c3db2adc456408fa669daa41e919a8edaf142259f63d146aa185f8e91818
              • Instruction Fuzzy Hash: FDE08676642221EFDB215FB0AD0CF567BADFF51B92F054C28B645C9040DA349445CF61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDesktopWindow.USER32 ref: 00382187
              • GetDC.USER32(00000000), ref: 00382191
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003821B1
              • ReleaseDC.USER32(?), ref: 003821D2
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 9191a20b1d553c403367dad1f58cf257ddec36654b02325ff7ceb3d01ae89f12
              • Instruction ID: f5f1ae4ab0c7d10bb4b3858bfc2458af84c763b37d936ffc69cfd761b2b55f08
              • Opcode Fuzzy Hash: 9191a20b1d553c403367dad1f58cf257ddec36654b02325ff7ceb3d01ae89f12
              • Instruction Fuzzy Hash: D3E0E5B5800614EFDB029F60C808A9E7FFAEB4C350F218425F95ADB260CB38A1519F40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDesktopWindow.USER32 ref: 0038219B
              • GetDC.USER32(00000000), ref: 003821A5
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003821B1
              • ReleaseDC.USER32(?), ref: 003821D2
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 634d942c1af7d9a55b71beea7b9b5999e68a9689209c6b9034319672a732f9a8
              • Instruction ID: f44c6b572fcf92bf896325cc38a155940a67d58307f63beecf80e91d12b8dc3b
              • Opcode Fuzzy Hash: 634d942c1af7d9a55b71beea7b9b5999e68a9689209c6b9034319672a732f9a8
              • Instruction Fuzzy Hash: ECE0E5B5800204AFCB029F60C808A9D7FEAAB4C310F108025F95ADB220CB38B1519F40
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID: %=
              • API String ID: 0-1420429418
              • Opcode ID: 1c4d91d0c3f97a14ca660c0ddda94a20adb9e77822ff1b060e5c708a67ed3d41
              • Instruction ID: 1bbdc13ad13f5ec215ef011815e01daeb06b98e30d77190dfd37bcc29332fbc5
              • Opcode Fuzzy Hash: 1c4d91d0c3f97a14ca660c0ddda94a20adb9e77822ff1b060e5c708a67ed3d41
              • Instruction Fuzzy Hash: B5B19071D001099BCF26EF94C8829EEB7F9EF46310F514066E906AF295DB34AE85CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: __itow_s
              • String ID: xr@$xr@
              • API String ID: 3653519197-1117122260
              • Opcode ID: 6319771bc735e71bebbb466c3b0e3cecc6f262d86a6f6f34d29683736842e76e
              • Instruction ID: e1f26a85da51e59e41138615b1722a21d753e9efffbda9240f1469f05aabbb8d
              • Opcode Fuzzy Hash: 6319771bc735e71bebbb466c3b0e3cecc6f262d86a6f6f34d29683736842e76e
              • Instruction Fuzzy Hash: 4CB15C70A00109ABDB26DF54C891EEAF7F9FF58304F14845AFA459F692DBB0E941CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0035FEC6: _wcscpy.LIBCMT ref: 0035FEE9
                • Part of subcall function 00349997: __itow.LIBCMT ref: 003499C2
                • Part of subcall function 00349997: __swprintf.LIBCMT ref: 00349A0C
              • __wcsnicmp.LIBCMT ref: 003AB298
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003AB361
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: 3053ea78f3091cd6dd9b880b11f3c009e4bf8338fa88339b8151381cdb56b116
              • Instruction ID: 8e34a97e289fea365ef5cc7ffd85e415a26d4f0f6a4e5646a1a66bb0fda7e03f
              • Opcode Fuzzy Hash: 3053ea78f3091cd6dd9b880b11f3c009e4bf8338fa88339b8151381cdb56b116
              • Instruction Fuzzy Hash: 8E616075A00215AFCF16DF94C885EAEB7F8EF09310F15455AF946AB292DB70AE40CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _memmove
              • String ID: Oa5
              • API String ID: 4104443479-2933034282
              • Opcode ID: c6b3232c4c343af43e35961293f6c5afbe4d45426ae896f67bc38e4b1429fef2
              • Instruction ID: e4365ac279a8dbf866b9d18a0fcfd12d36240043380655edcb50570d1ceae7e5
              • Opcode Fuzzy Hash: c6b3232c4c343af43e35961293f6c5afbe4d45426ae896f67bc38e4b1429fef2
              • Instruction Fuzzy Hash: C5517EB0A007099FCF26DF68C880AAEB7F5FF44314F54456AE85AD7250EB30A995CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Sleep.KERNEL32(00000000), ref: 00352AC8
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00352AE1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 6c9109b676c3cedf00e9587dd0359f076a674704387d579d22d59cf069358eee
              • Instruction ID: 05d58ed4828f27ca9882a3190a9d59775e21ef26b09d10d720d35db88a019aae
              • Opcode Fuzzy Hash: 6c9109b676c3cedf00e9587dd0359f076a674704387d579d22d59cf069358eee
              • Instruction Fuzzy Hash: A95147714187459BD321AF50DC86BAFBBECFF84310F42885EF1D9591A1DB309529CB26
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0034506B: __fread_nolock.LIBCMT ref: 00345089
              • _wcscmp.LIBCMT ref: 003A9AAE
              • _wcscmp.LIBCMT ref: 003A9AC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: a4cb70f2d33d5b0a481ecd405395699936cadfb190e297420ad966be022ecd62
              • Instruction ID: 4230cb0b6583a9749e20b7eb401716c2b6d9422cc50a9649589646a2cb825885
              • Opcode Fuzzy Hash: a4cb70f2d33d5b0a481ecd405395699936cadfb190e297420ad966be022ecd62
              • Instruction Fuzzy Hash: BF41E275A00619BBDF229AA0CC45FEFBBFDDF46710F01406AB900BF181DA71AA0487A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID: Dt@$Dt@
              • API String ID: 1473721057-2149874077
              • Opcode ID: 901e109e65fadca027fa4acd356a0251d363c7533f3f7fb5f18f057554563578
              • Instruction ID: aff40a6a93eaa1fe5acf98fd40cf12c09533f5c22e5b53b1ceed88c9dcd39295
              • Opcode Fuzzy Hash: 901e109e65fadca027fa4acd356a0251d363c7533f3f7fb5f18f057554563578
              • Instruction Fuzzy Hash: C7510678A487418FD756CF19C180A1ABBE1BB99344F55885DE9818B321E731FC81CF82
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003B2892
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003B28C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 389266d5fa702b55ba3d84151058cfcc95efc2a2e84211684670256658b8a507
              • Instruction ID: 206220674c1d6f1ebd1e6f939e433e01fb372a2c49c3a2f2a0300bdc1d494e0b
              • Opcode Fuzzy Hash: 389266d5fa702b55ba3d84151058cfcc95efc2a2e84211684670256658b8a507
              • Instruction Fuzzy Hash: D7311D71800119AFCF02DFA1CC85EEEBFB9FF08354F104169F915AA166DB315A56DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 003C6D86
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003C6DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: 606d4462ccb12143a339f9cc92f8d5de0c87beb23d50a52d985370d348e5b8a9
              • Instruction ID: 9130076810c667c3c6da745144a8f1b9613c319db8ed6a458968ce30a2a17541
              • Opcode Fuzzy Hash: 606d4462ccb12143a339f9cc92f8d5de0c87beb23d50a52d985370d348e5b8a9
              • Instruction Fuzzy Hash: A4319E71200604AEDB129F28CC85FFB73A9FF48720F11961DF8A6DB190CA31AC91CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003A2E00
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003A2E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: bca6fd338d1d09fe21efc88ef38b12ab02de857c6d129aa31f4feaeaa992dfd8
              • Instruction ID: 14d41bb3937c93ccbdc05334acc8e388f92e3cb16b42988978061f35f19b4682
              • Opcode Fuzzy Hash: bca6fd338d1d09fe21efc88ef38b12ab02de857c6d129aa31f4feaeaa992dfd8
              • Instruction Fuzzy Hash: 4631D531A00305EFEB268F5DC945FAFBBB9EF06350F15402AED85E61A1D7709984CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0035619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003561B1
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0039B03B
              • _strlen.LIBCMT ref: 0039B046
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend$Timeout_strlen
              • String ID: @U=u
              • API String ID: 2777139624-2594219639
              • Opcode ID: 07f16c613fd0363c926f5c9f1b9178f96af6c7e8a49cb0709f6b938eec656cd1
              • Instruction ID: a2559743baa6ec2d9ff945633e57141c22107c3e6be051a895c99fbd71e4798c
              • Opcode Fuzzy Hash: 07f16c613fd0363c926f5c9f1b9178f96af6c7e8a49cb0709f6b938eec656cd1
              • Instruction Fuzzy Hash: AB11A53260420566CF16AA78ADC2ABFBBA99F45700F10006DF6159E293DF2699498750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003A589F: GetLocalTime.KERNEL32 ref: 003A58AC
                • Part of subcall function 003A589F: _wcsncpy.LIBCMT ref: 003A58E1
                • Part of subcall function 003A589F: _wcsncpy.LIBCMT ref: 003A5913
                • Part of subcall function 003A589F: _wcsncpy.LIBCMT ref: 003A5946
                • Part of subcall function 003A589F: _wcsncpy.LIBCMT ref: 003A5988
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 003C6B6E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: _wcsncpy$LocalMessageSendTime
              • String ID: @U=u$SysDateTimePick32
              • API String ID: 2466184910-2530228043
              • Opcode ID: 420a5a7f315b79fa6c59abec23864ca1f03c3e0c1e31c62ffc05bb9972755764
              • Instruction ID: d031f2b087b4b09628e05cd3162526bba51120333e727e610d388e827bcbeeee
              • Opcode Fuzzy Hash: 420a5a7f315b79fa6c59abec23864ca1f03c3e0c1e31c62ffc05bb9972755764
              • Instruction Fuzzy Hash: 4C21B4727402096FEF229E54CC82FEA736DEB44764F114519F955EB1D0D6B1AC9087A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00399720
                • Part of subcall function 003A18EE: GetWindowThreadProcessId.USER32(?,?), ref: 003A1919
                • Part of subcall function 003A18EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0039973C,00000034,?,?,00001004,00000000,00000000), ref: 003A1929
                • Part of subcall function 003A18EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0039973C,00000034,?,?,00001004,00000000,00000000), ref: 003A193F
                • Part of subcall function 003A19CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00399778,?,?,00000034,00000800,?,00000034), ref: 003A19F6
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00399787
                • Part of subcall function 003A1997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003997A7,?,?,00000800,?,00001073,00000000,?,?), ref: 003A19C1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @U=u
              • API String ID: 1045663743-2594219639
              • Opcode ID: 5d5929d1ae00ad837db47de5b816b3c4c7478635d62f85d3bebf66104a95b3ca
              • Instruction ID: 09528c5c733fcbc7ddca5afb6e89491afcc39d9098355eae4397d822711e5ca2
              • Opcode Fuzzy Hash: 5d5929d1ae00ad837db47de5b816b3c4c7478635d62f85d3bebf66104a95b3ca
              • Instruction Fuzzy Hash: 54213131901119ABEF22AFA8CC45FDDBBB9FF09350F1001A9F944EB1A0DA715A54DBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003C69D0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C69DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: eb41ffcdc280044af941e7f0ab0daf0dd0875af81aa84193df0e3da858f7dc4a
              • Instruction ID: 145d2f6a6a35af6d8cf7346ab191d45acfa1e3fdc4b86065977f9f12c452c544
              • Opcode Fuzzy Hash: eb41ffcdc280044af941e7f0ab0daf0dd0875af81aa84193df0e3da858f7dc4a
              • Instruction Fuzzy Hash: C011B2716002086FEF129E14CC92FBB77AEEB893A4F120128F958DB290D7719C9187A0
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID:
              • String ID: @U=u
              • API String ID: 0-2594219639
              • Opcode ID: 2365af2d28e2999bfb19976fd585d32eb52390eb68a99e2fa07618b9289d7851
              • Instruction ID: 6d532cd3c49ddaa53593448104f427083c85612926c0f36972435001dc057035
              • Opcode Fuzzy Hash: 2365af2d28e2999bfb19976fd585d32eb52390eb68a99e2fa07618b9289d7851
              • Instruction Fuzzy Hash: 82217F36204158BFEB129F54CC49FBA37A8EB09310F03415EFA16EB1E1D671ED209B64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
                • Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
                • Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91
              • GetWindowRect.USER32(00000000,?), ref: 003C6EE0
              • GetSysColor.USER32(00000012), ref: 003C6EFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1312096779.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
              • Associated: 00000000.00000002.1312067280.0000000000340000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003CF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312501015.00000000003F5000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312578507.00000000003FF000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1312600594.0000000000408000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_340000_SWH_67367383992_939930039003___________________________.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 2d64c160317769f7d4488d491d2fc1f1f13dc439bd73c0ebe627632e43d521f2
              • Instruction ID: d8949ef6239a63ffc0c4569906dad8e9b121f7c41caac06f1f98e0530008e351
              • Opcode Fuzzy Hash: 2d64c160317769f7d4488d491d2fc1f1f13dc439bd73c0ebe627632e43d521f2
              • Instruction Fuzzy Hash: 12214772610209AFDB05DFA8CD46EEA7BA9EB08314F014629F955D3250D635E8619B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 003A2F11
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003A2F30
              Strings
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 5000e1cb7cbb65009d3318466379497eeed7b1d3e9f656050c9c76bf6dc2c7c8
              • Instruction ID: 7c017aab23b6c2179388f5a79204197231451095a53e690558db5afe82dfa799
              • Opcode Fuzzy Hash: 5000e1cb7cbb65009d3318466379497eeed7b1d3e9f656050c9c76bf6dc2c7c8
              • Instruction Fuzzy Hash: 1B11D036909114AFCB22EB5CDC04F9B73B9EB17310F0A40B1EC45B72A0D7B0AD048795
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003B2520
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003B2549
              Strings
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 6b1df99eff24d3bd1abb731c75a7acbe660f1b54d30a7e560d62493ffb16b66e
              • Instruction ID: 01ca9aa73095a3d70bac177b3d7a10d60c00df85858ab1807d427c8fd083545b
              • Opcode Fuzzy Hash: 6b1df99eff24d3bd1abb731c75a7acbe660f1b54d30a7e560d62493ffb16b66e
              • Instruction Fuzzy Hash: 4311E370100225BEDB368F528C94EFBFF6CFB06359F10832BF60552840D2706940D6E0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,?,?,?), ref: 003C879F
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: eb82077fc45a891ac9e0c2968d69dac6f929df958b1e7c3d3ca39f0825023603
              • Instruction ID: 63ebac4ebf3156456a07010ec6081490b765f625424ac3bfbe355ba4a0d38b09
              • Opcode Fuzzy Hash: eb82077fc45a891ac9e0c2968d69dac6f929df958b1e7c3d3ca39f0825023603
              • Instruction Fuzzy Hash: B221E776600109EFCB16DF94D840DAA7BB9FB4C340B114159FD06E7360EB31AE61DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00000401,?,00000000), ref: 003C689B
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u$button
              • API String ID: 3850602802-1762282863
              • Opcode ID: 50efa2d01e71d96ccb45f888b62b2ad8fae10335bf9b9241d03988ffe9ce2f4c
              • Instruction ID: fb28a84aa0feff3739099a06fc1111775a13b79c30e6722b3113db65f829e2b0
              • Opcode Fuzzy Hash: 50efa2d01e71d96ccb45f888b62b2ad8fae10335bf9b9241d03988ffe9ce2f4c
              • Instruction Fuzzy Hash: 5C11A132150209ABDF129F60CC52FFA376AEF58714F12151CFA95EB190C776ECA19B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003B830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,003B80C8,?,00000000,?,?), ref: 003B8322
              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003B80CB
              • htons.WSOCK32(00000000,?,00000000), ref: 003B8108
              Strings
              Similarity
              • API ID: ByteCharMultiWidehtonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 2496851823-2422070025
              • Opcode ID: f9884f88a206c78e8082e66850c759419a4cdc64d344e30642f17ea8798b15c4
              • Instruction ID: 6d0905dcf2466ccf67704d557f41caa836e9ce7c65f7c8625b3af5d1e3146815
              • Opcode Fuzzy Hash: f9884f88a206c78e8082e66850c759419a4cdc64d344e30642f17ea8798b15c4
              • Instruction Fuzzy Hash: 29110874600209ABDB12AF64CC86FFDB379FF04354F108526FA119B6D1DB71A811C791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 003A19CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00399778,?,?,00000034,00000800,?,00000034), ref: 003A19F6
              • SendMessageW.USER32(?,0000102B,?,00000000), ref: 003999EB
              • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00399A10
              Strings
              Similarity
              • API ID: MessageSend$MemoryProcessWrite
              • String ID: @U=u
              • API String ID: 1195347164-2594219639
              • Opcode ID: 769813dd043fe5e21a47e323724a536ba1bb0bc3092a247278c0be384fcbe598
              • Instruction ID: e5abea389de8ce44470fa07d31f33c3a6339b06340bedac6a914a3564c96ead4
              • Opcode Fuzzy Hash: 769813dd043fe5e21a47e323724a536ba1bb0bc3092a247278c0be384fcbe598
              • Instruction Fuzzy Hash: 7901DB32900118ABEB22AB68DC46FEEBB7CDB04320F10416EF955AB1D1DB716D54CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343C26,004062F8,?,?,?), ref: 00350ACE
                • Part of subcall function 00347D2C: _memmove.LIBCMT ref: 00347D66
              • _wcscat.LIBCMT ref: 003850E1
              Strings
              Similarity
              • API ID: FullNamePath_memmove_wcscat
              • String ID: c@
              • API String ID: 257928180-3695045992
              • Opcode ID: e78128f0a67663f719330566e8ce3b2e4ac58ce8d9fb6ab0792b5667ead9431c
              • Instruction ID: 5e9eb3f595f5c10fcd04bba086860e8aad9cac9c4a49fe96f1f0807fb8d0b601
              • Opcode Fuzzy Hash: e78128f0a67663f719330566e8ce3b2e4ac58ce8d9fb6ab0792b5667ead9431c
              • Instruction Fuzzy Hash: 3811E5349042089ACB06EB64CC42EDD73F8EF08311B0140A6BD49DB191EB34EA8C8B51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623
              • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0037BB8A,?,?,?), ref: 003CC8E1
                • Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC
              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 003CC8C7
              Strings
              Similarity
              • API ID: LongWindow$MessageProcSend
              • String ID: @U=u
              • API String ID: 982171247-2594219639
              • Opcode ID: 29b32c77c507d8aead0e63545663dfdf56b437cb593af8a7eaec67fa308dae6c
              • Instruction ID: ff2ac96a40003e72eb0140021aee3a9019c6d8f5b72ae0b408196bef0363e79d
              • Opcode Fuzzy Hash: 29b32c77c507d8aead0e63545663dfdf56b437cb593af8a7eaec67fa308dae6c
              • Instruction Fuzzy Hash: 6601B136200204ABCB226F14CC54F6B7BAAFB85324F15402CF9569F2E0CB71AC52EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: __calloc_crt
              • String ID: @R@
              • API String ID: 3494438863-1904880276
              • Opcode ID: 306c42713f7e944383a252a26c7a7a5e2576c14999af5986a7c3f368f4ae97fb
              • Instruction ID: b7f6a51664270e9816785216fc8f177b3b849b98e94cdac8ac97386ea8b3607c
              • Opcode Fuzzy Hash: 306c42713f7e944383a252a26c7a7a5e2576c14999af5986a7c3f368f4ae97fb
              • Instruction Fuzzy Hash: F7F0C8753046169BF726EF54FE1276127D8EB05360B12817BEA01DF188EB3088504648
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00399A2E
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00399A46
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: 12716615d3e1cf624f623e2249baee1e5e34d6b01c1b3597b4d921edee33ef00
              • Instruction ID: 4c73b6436c16f6d14db4c7b5f6fb33525c3c0eb9867bc16e3a8fb74828f873ac
              • Opcode Fuzzy Hash: 12716615d3e1cf624f623e2249baee1e5e34d6b01c1b3597b4d921edee33ef00
              • Instruction Fuzzy Hash: 47E09B353413517AFA3255194C4EFD75F5DDB8DB61F11003EBB01991E1CAD24C5183A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0039A1BA
              • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0039A1EA
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: f590e5ee5b73ffa96a22a1db05f1916c4042b3f7907aa4b13f370b300c762947
              • Instruction ID: c0f0ba4df648b5fe2dd5f5726c17051ed99a906fb1b9844a6fcc5671e8804cc6
              • Opcode Fuzzy Hash: f590e5ee5b73ffa96a22a1db05f1916c4042b3f7907aa4b13f370b300c762947
              • Instruction Fuzzy Hash: 14F0A736240304BFEE132A54DC46FE67B5EEF08751F004029F7059E1E1D6E25C505790
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00399E2E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00399E47
                • Part of subcall function 00399E2E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00399E81
              • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 0039A34B
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0039A35B
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: 5d9ff5458355c15e6101272dd54fe9796541411e4f4c989e5bd8b03335438feb
              • Instruction ID: 7bd8f48734c8b1853a967117730818698249b81c122296bd9f25e4bfea0adf2f
              • Opcode Fuzzy Hash: 5d9ff5458355c15e6101272dd54fe9796541411e4f4c989e5bd8b03335438feb
              • Instruction Fuzzy Hash: 40E0D87A2087057FFA271A619C8BE97375DDB48751F114039B300451A0EEA29C606760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: d6386b9da513afbf043be6bd7ed29e1ccd933dfccc5a91fd8ae1485215bb6b73
              • Instruction ID: 83efd613fa79dedbdb8439008e701913df32a856c6a4fd93c7a77d020cf60193
              • Opcode Fuzzy Hash: d6386b9da513afbf043be6bd7ed29e1ccd933dfccc5a91fd8ae1485215bb6b73
              • Instruction Fuzzy Hash: 8EE0D873A0422D2BE7219B99AC49FE7FBACEB45771F00016BFD14D7050E570AA458BE1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003981CA
                • Part of subcall function 00363598: _doexit.LIBCMT ref: 003635A2
              Strings
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: 4a5664c87f31b5750d99c06a1fb0a17a68c09bbc0758b106a818b884104b9b4d
              • Instruction ID: dda5fbfc8f032cb682552607a859f6377d9889ae0a24b3c08d71b7ff2736c355
              • Opcode Fuzzy Hash: 4a5664c87f31b5750d99c06a1fb0a17a68c09bbc0758b106a818b884104b9b4d
              • Instruction Fuzzy Hash: ACD05B323C535836D61733A57C07FC575884B15B51F044026FB08DE5D38DD1599152D9
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0037B564: _memset.LIBCMT ref: 0037B571
                • Part of subcall function 00360B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0037B540,?,?,?,0034100A), ref: 00360B89
              • IsDebuggerPresent.KERNEL32(?,?,?,0034100A), ref: 0037B544
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0034100A), ref: 0037B553
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0037B54E
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: 76f967fe0195d2bcbe3a1c71b86b7e62e5fe118051112ec0c914c9972ed98d58
              • Instruction ID: a1adbb0a089c93202007e8fe853d1b5bc200aa41bb6b0aac08635a21864fadab
              • Opcode Fuzzy Hash: 76f967fe0195d2bcbe3a1c71b86b7e62e5fe118051112ec0c914c9972ed98d58
              • Instruction Fuzzy Hash: 56E06D742007608FD333DF29E504742BBE8AF00718F04CA2CE44AC7250DBB8E404CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003998CB
              • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 003998D9
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: @U=u
              • API String ID: 3850602802-2594219639
              • Opcode ID: ed0e8b198fb166ece4d41ba2de4c078051c1809bf716f9812c34010b1863e50a
              • Instruction ID: 10769139b10af69aca78053ac711fd9b0d724b1ff993fdc4d70ae78597197c89
              • Opcode Fuzzy Hash: ed0e8b198fb166ece4d41ba2de4c078051c1809bf716f9812c34010b1863e50a
              • Instruction Fuzzy Hash: 84C00232141180BAEA221B77AC0DD873E3EE7CAF52B11016CB211D51B5866510A5D724
              Uniqueness

              Uniqueness Score: -1.00%