
Windows Analysis Report
DPT_590327839_027838893200_____________________________.exe

Overview

General Information

Sample name: DPT_590327839_027838893200_____________________________.exe
Analysis ID: 1430157
MD5: a41d666268109b71eeab533caf08d5ec
SHA1: 62694b120d65962dbdefc457bfafa092a3e6a018
SHA256: 92d6b2ccfc3f6f350b4c5f989022abda28a982e9fe0bb4121ad4092802e1a758
Tags: exe

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DPT_590327839_027838893200_____________________________.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe" MD5: A41D666268109B71EEAB533CAF08D5EC)
    • RegSvcs.exe (PID: 1020 cmdline: "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "neds@worlorderbillions.top", "Password": "      rwe87$%21q"}
Yara matches in memory dumps (Source / Rule / Description / Author):
  00000000.00000002.1227948932.0000000002500000.00000004.00001000.00020000.00000000.sdmp / JoeSecurity_AgentTesla_2 / Yara detected AgentTesla / Joe Security
  00000002.00000002.2447856889.0000000000402000.00000040.80000000.00040000.00000000.sdmp / JoeSecurity_AgentTesla_2 / Yara detected AgentTesla / Joe Security
Yara matches in unpacked PE files (Source / Rule / Description / Author):
  2.2.RegSvcs.exe.400000.0.unpack / JoeSecurity_AgentTesla_2 / Yara detected AgentTesla / Joe Security
  0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack / JoeSecurity_AgentTesla_2 / Yara detected AgentTesla / Joe Security
  0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.unpack / JoeSecurity_AgentTesla_2 / Yara detected AgentTesla / Joe Security

            System Summary

Source: Process started
Rule author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
Matched event data:
  Command: "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
  CommandLine: "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
  CommandLine|base64offset|contains: (empty)
  Image: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
  NewProcessName: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
  OriginalFileName: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 4056
  ProcessCommandLine: "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
  ProcessId: 6764
  ProcessName: DPT_590327839_027838893200_____________________________.exe
            No Snort rule has matched


            AV Detection

Source: RegSvcs.exe.1020.2.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "neds@worlorderbillions.top", "Password": " rwe87$%21q"}
Source: DPT_590327839_027838893200_____________________________.exe | ReversingLabs: Detection: 34%
Source: DPT_590327839_027838893200_____________________________.exe | Virustotal: Detection: 23%
Source: DPT_590327839_027838893200_____________________________.exe | Joe Sandbox ML: detected
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: DPT_590327839_027838893200_____________________________.exe, 00000000.00000003.1222060623.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, DPT_590327839_027838893200_____________________________.exe, 00000000.00000003.1223128482.0000000004380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: DPT_590327839_027838893200_____________________________.exe, 00000000.00000003.1222060623.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, DPT_590327839_027838893200_____________________________.exe, 00000000.00000003.1223128482.0000000004380000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_010325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0103425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01034458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01020219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0104CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            System Summary

Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC3B4C (string: "This is a third-party compiled AutoIt script.")
Source: DPT_590327839_027838893200_____________________________.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DPT_590327839_027838893200_____________________________.exe, 00000000.00000000.1212135324.0000000001075000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_d6d50743-2)
Source: DPT_590327839_027838893200_____________________________.exe, 00000000.00000000.1212135324.0000000001075000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_600fac8e-0)
Source: DPT_590327839_027838893200_____________________________.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_9d4b6c78-8)
Source: DPT_590327839_027838893200_____________________________.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_746cb9b3-5)
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01024021 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01018858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FCE800
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FEDBB5
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FCE060
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0104804A
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FD4140
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE2405
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF6522
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF267E
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01040665
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FD6843
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE283A
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF89DF
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0101EB07
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01028B13
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF6A94
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FD8A0E
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01040AE2
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FECD61
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF7006
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FD3190
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FD710E
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC1287
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE33C7
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FEF419
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE16C4
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FD5680
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE78D3
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FD58C0
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE1BB8
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF9D05
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FCFE40
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FEBFE6
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE1FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01724100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0172D241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01724D18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01729E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01724448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0172C747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06560040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_065620F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06563A48
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: String function: 00FE0D27 appears 70 times
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: String function: 00FC7F41 appears 35 times
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: String function: 00FE8B40 appears 42 times
Source: DPT_590327839_027838893200_____________________________.exe, 00000000.00000003.1221153657.0000000004303000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs DPT_590327839_027838893200_____________________________.exe
Source: DPT_590327839_027838893200_____________________________.exe, 00000000.00000003.1220193431.00000000044AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs DPT_590327839_027838893200_____________________________.exe
Source: DPT_590327839_027838893200_____________________________.exe, 00000000.00000002.1227948932.0000000002500000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename c32e98c6-4205-4798-904b-ffd769a7f33f.exe4 vs DPT_590327839_027838893200_____________________________.exe
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, O.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102A2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01018713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01018CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0103F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102C602 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | File created: C:\Users\user~1\AppData\Local\Temp\aut9B87.tmp
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.2452344447.0000000003329000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2452344447.000000000333E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DPT_590327839_027838893200_____________________________.exe | ReversingLabs: Detection: 34%
Source: DPT_590327839_027838893200_____________________________.exe | Virustotal: Detection: 23%
Source: unknown | Process created: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
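The behaviour lines above are the material a detection engineer would turn into rules: the process tree shows a user-profile executable (a compiled AutoIt binary) spawning the signed .NET Framework tool RegSvcs.exe with the dropper's own command line, which, together with the "Creates a process in suspended mode" and "Maps a DLL or memory area into another process" signatures, is the footprint of a suspended host whose image was replaced; the hollowed RegSvcs.exe then reads the Firefox profiles.ini, opens the Outlook profile key and issues a Win32_Processor WMI query, and the Sigma hit fires on the sample's padded filename. The following Python is an added example written for this page, not Joe Sandbox code and not anything extracted from the sample: it evaluates constructed events modelled on those report lines. The five-character padding threshold, the credential-store filenames beyond profiles.ini (logins.json, key4.db, Login Data), the browser and mail-client allow-lists and the WMI class list are assumptions of this example, not facts stated in the report.

```python
"""Behaviour triage over constructed sandbox-style events.

Added example for this page, not Joe Sandbox code. The events at the bottom
are constructed from the report's process tree and behaviour lines; the name
lists and the padding threshold are assumptions of this example.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    kind: str          # "process", "file_read", "reg_open" or "wmi"
    process: str       # image path of the acting process
    target: str = ""   # command line, file path, registry key or WMI class
    parent: str = ""   # parent image (process events only)


# Assumed lists (not from the report): credential stores and the processes
# that legitimately touch them.
BROWSER_CRED_FILES = {"profiles.ini", "logins.json", "key4.db", "login data"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe"}
MAIL_CLIENTS = {"outlook.exe"}
VM_FINGERPRINT_CLASSES = {"win32_processor", "win32_bios", "win32_baseboard",
                          "win32_networkadapter"}
# Five or more spaces/underscores directly before the extension (assumed
# threshold); the report's sample name hides ".exe" behind a long underscore run.
PADDED_EXT = re.compile(r"[ _]{5,}\.(exe|scr|com|bat|cmd)$")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check(ev: Event) -> list:
    """Return the behaviour tags a single event triggers."""
    tags = []
    proc = basename(ev.process)
    if ev.kind == "process":
        if PADDED_EXT.search(proc):
            tags.append("padded_extension")
        launched = basename(cmdline_image(ev.target))
        # A signed host (RegSvcs.exe) running under another binary's command
        # line is the footprint of a suspended-process image replacement.
        if launched and launched != proc:
            tags.append("image_cmdline_mismatch")
    elif ev.kind == "file_read":
        if basename(ev.target) in BROWSER_CRED_FILES and proc not in BROWSERS:
            tags.append("browser_credential_store_read")
    elif ev.kind == "reg_open":
        if "\\outlook\\profiles\\" in ev.target.lower() and proc not in MAIL_CLIENTS:
            tags.append("mail_profile_access")
    elif ev.kind == "wmi":
        if ev.target.lower() in VM_FINGERPRINT_CLASSES:
            tags.append("vm_fingerprint_wmi")
    return tags


def triage(events) -> dict:
    """Map each acting process (by image name) to the set of tags it raised."""
    out = {}
    for ev in events:
        for tag in check(ev):
            out.setdefault(basename(ev.process), set()).add(tag)
    return out


DROPPER = r"C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events modelled on the report lines, plus one benign control
# (Firefox reading its own profile index) that must not fire.
SAMPLE_EVENTS = [
    Event("process", DROPPER, f'"{DROPPER}"'),
    Event("process", REGSVCS, f'"{DROPPER}"', parent=DROPPER),
    Event("file_read", REGSVCS,
          r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    Event("reg_open", REGSVCS,
          r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles"
          r"\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Event("wmi", REGSVCS, "Win32_Processor"),
    Event("file_read", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(sorted(tags))}")
```

On the constructed events the dropper image raises only padded_extension, while regsvcs.exe accumulates the mismatch, credential-store, mail-profile and WMI tags and the Firefox control raises nothing. The image_cmdline_mismatch check is noisy on real telemetry for launchers that rewrite their own command line, so in production it should be scoped to framework hosts such as RegSvcs.exe whose parent is an executable under a user profile, which is exactly the pairing in this report's process tree.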
Source: DPT_590327839_027838893200_____________________________.exe | Static file information: File size 1088512 > 1048576
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DPT_590327839_027838893200_____________________________.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0103C304 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE8B85 push ecx; ret (0_2_00FE8B98)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0656F6E8 push ss; retf 0005h (2_2_0656F6EA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0656F758 push ss; retf 0005h (2_2_0656F75A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0656F2E9 push cs; retf 0005h (2_2_0656F2EA)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0656F3B9 push cs; retf 0005h (2_2_0656F3BA)
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_010455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exeCode function: 0_2_00FE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FE33C7
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_0-97441
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | API coverage: 4.1 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_01024696
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102C93C FindFirstFileW,FindClose, 0_2_0102C93C
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0102C9C7
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F35D
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F200
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102F65E
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023A2B
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023D4E
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102BF27
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00FC4AFE
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | API call chain: ExitProcess graph end node graph_0-97575
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | API call chain: ExitProcess graph end node graph_0-97644
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_010341FD BlockInput, 0_2_010341FD
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00FC3B4C
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00FF5CCC
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_0103C304 LoadLibraryA,GetProcAddress, 0_2_0103C304
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_010181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_010181F7
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FEA395
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FEA364 SetUnhandledExceptionFilter, 0_2_00FEA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01018C93 LogonUserW, 0_2_01018C93
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00FC3B4C
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00FC4A35
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01024F21 mouse_event, 0_2_01024F21
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_010181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_010181F7
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01024C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_01024C03
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FE886B cpuid 0_2_00FE886B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00FF50D7
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01002230 GetUserNameW, 0_2_01002230
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00FF418A
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00FC4AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1227948932.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2447856889.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: WIN_81
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: WIN_XP
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: WIN_XPe
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: WIN_VISTA
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: WIN_7
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: WIN_8
Source: DPT_590327839_027838893200_____________________________.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DPT_590327839_027838893200_____________________________.exe.2500000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1227948932.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2447856889.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01036596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_01036596
Source: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe | Code function: 0_2_01036A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_01036A5A

MITRE ATT&CK Matrix

A number in front of a technique name is the count of signatures in this report that matched that technique; cells without a number are the matrix's default entries and were not matched.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 38 System Information Discovery | Distributed Component Object Model | 21 Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 112 Process Injection | 2 Valid Accounts | LSA Secrets | 14 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label | Link
DPT_590327839_027838893200_____________________________.exe | 34% | ReversingLabs | Win32.Trojan.Strab |
DPT_590327839_027838893200_____________________________.exe | 24% | Virustotal | | Browse
DPT_590327839_027838893200_____________________________.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430157
Start date and time: 2024-04-23 08:30:44 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DPT_590327839_027838893200_____________________________.exe
Detection: MAL
Classification: mal96.troj.spyw.evad.winEXE@3/4@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 53
• Number of non-executed functions: 273
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
No simulations
No context

Dropped Files

Process: C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
File Type: data
Category: dropped
Size (bytes): 132180
Entropy (8bit): 7.9513960654096225
Encrypted: false
SSDEEP: 3072:dE/FzLym8bR1dI0NGQ+XWJtATH0NU+luEsdINu:duyL91dIbXCqLdEu
MD5: 5C0F6568FE0CA0A6626B480124D2820F
SHA1: 6A3ABCF59D57AE790EC6E7799A5D0B2A1BC4472A
SHA-256: 06CAB7D1A4B22CD3B0CBA4F0447F16382FCF153AF7B5405C920691588950CA25
SHA-512: ED922416534E73DC410546DB91724C68F64EB8894F2EAA726038ED8D65246908596306A7EBEF60323F3B432D99CAE74B6327205CA1B6F362E68DAE2CE4CBB128
Malicious: false
Reputation: low
            Preview:EA06.......t..b.S....-..m6.S..:\.H..@.JD.m6.....#....I..J.~kXh.....X.....-F.HeR.Un.+.V.y...S.M.r;...x.G,.:..YQ.N.4KH.&bw..".7..3x.....Z...oO..jt..j.S..;...Sjv..-B&.h..AQ....9..L.S..@*.F.Cz..".S...2I...E...gw?zL.....(........S.tp....G..]..F.......o....x.f[8....ui3j.(....3&q...a+.. T..... L........P..H..C".L)sj....R&.@.#.Q... ..lD.......5..D.M.4.MR.6.ujsZ...5.M.@......j5:.."Vi.9%Vei.M&...>.T..2.Ye&qD......S..(T*....'.n5..M....*\..>.m......G..e.jM.oh.Z~..D..J...1..bms.P.@....M.Wg..(..D..*...^.K.v.P.<..B.L$ ......;.@.".0.w&Sx5NkE..).)g".b.Kh.j.2.<.L.T.O"oh...Je..+.3*..P.!0..U......(..m^Im.U%T..2Z.fRl.Z\.R..h.0."uE...^\.H..@....!G.V.4......[.V.l2....l.:\..L...L.L.m'.Q,.J\...Fk......I)...~..Gh...:m!.S..J..N...QJ."G<.P..:..is.^>V........0...Y..-....F.2Vl.j\.h.. ..T.m6.[).(d.E..*....m!.......J.M..Z%.g6.S.V../...^.....=..,..B.`..hs+U:i6.T+.Z.&m^.^.9."......ih..p.....-"i0..3R*u..7...8..[..jt..~.s.....Ri6.{)TK..H..j3....p.[%...6=S.T....j.p.U..J..g..E4.G..
            Process:C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
            File Type:data
            Category:dropped
            Size (bytes):9922
            Entropy (8bit):7.59578339129546
            Encrypted:false
            SSDEEP:192:m+cK6f01Ehm0qek9Gh0qWbK307N+P7EqP008IuLrQpbrSKD0O7t:976Mkm7ek9y0pbK307Nkgq+XQpbrXDPx
            MD5:F3E5ADDD42115E929C29BB96DFAA5B65
            SHA1:7E64D5DD0227633F81A542F9ED522444BEFC2ECD
            SHA-256:5FEB526A93368DE24851F4E6C76345266ABDA89B0C60CF203E0EF2D5EE37087D
            SHA-512:CA5238FCB8DA520D7588E9AE82DD9658B684EE935A63DE023ACAA584E3B19AA50BCA04E75467D00120215E3C59473D3EB00F05FD0BD7E93E898B80691D941764
            Malicious:false
            Reputation:low
            Preview:EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...
            Process:C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
            File Type:ASCII text, with very long lines (29744), with no line terminators
            Category:modified
            Size (bytes):29744
            Entropy (8bit):3.546555146881828
            Encrypted:false
            SSDEEP:768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+I+h6584vfF3if6gL:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Ra
            MD5:52CD5248D09D5A260B82DA1CA36EBAD4
            SHA1:8F55BA826B82A19D1095E4F0853061C7D046D8AA
            SHA-256:30F7C33D238119A141FA7CD27106ECFBA124EB693AD08B7B5C8C71DDBCA0FE0B
            SHA-512:AC3D909CD3B67A030099C7E42C01E80E1956318CF078497C20578FF74907380ABDC376CEFCBC7C8C579C94AFD3A89F805DDB5FF14D822029C0FABC16D7DEA619
            Malicious:false
            Reputation:low
            Preview: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
            Process:C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
            File Type:data
            Category:dropped
            Size (bytes):167936
            Entropy (8bit):7.117364737785545
            Encrypted:false
            SSDEEP:3072:tPvRL4Y7QIgpCenQO8gPS/dDzYnLIrkJ+gfFMEZBe26gtR5bJbesEVyxk9Z8bCNt:tnRLj7KpCenB8gPS/dDzYnpESU26gtf6
            MD5:94BCF511F99D9712CE0E91A0574B18E8
            SHA1:BA5807E5EC721907AE7BEC6C492930F395E612D4
            SHA-256:370A0C789828EC3071419C734BFFCD703D19E9DDF613B02D64F878A86DD214F4
            SHA-512:DB6547FDB83C9D5E784B8CEFE8B87312A868495676F9AF57E25F8AF8B2B84A72A86170023800CECAC07FE7D4B7A334E8012A7AE06A9C644FEF8A96557D4EC923
            Malicious:false
            Reputation:low
            Preview:...K5XHS1C8B..66.NMSK6XH.5C8BH466DNMSK6XHS5C8BH466DNMSK6XHS5.8BH:).JN.Z...I..bl*!G.F6!*!*[x+2[-W6hVS.6;#s"Xx..fcU-,Q.;IDiSK6XHS5.}BHx75D.../6XHS5C8B.447OO}SK.ZHS=C8BH46x.LMSk6XHS5C8B.46.DNMQK6\HS5C8BH066DNMSK6XKS5A8BH466FN..K6HHS%C8BH$66TNMSK6XXS5C8BH466DN..I6.HS5C.@Hr36DNMSK6XHS5C8BH466D.OSG6XHS5C8BH466DNMSK6XHS5C8BH466DNMSK6XHS5C8BH466DNMSK6xHS=C8BH466DNMSC.XH.5C8BH466DNM}?S <S5Cl.J46.DNM.I6XJS5C8BH466DNMSK.XH3.1K0+466.KMSK.ZHS3C8B.666DNMSK6XHS5CxBHt.D!""0K6THS5C.@H446DN.QK6XHS5C8BH466.NM.K6XHS5C8BH466DNMc.4XHS5CpBH446AN)TI6..S5@8BH566BNMSK6XHS5C8BH466DNMSK6XHS5C8BH466DNMSK6XHS5C8BH4%.FN.SK6YHS$U2i.40..OaTc5XHU,I8DQ.7.CfLSK<BBS3T.Cd8..KNM{I6XBK?C>T.5.5DYGSM,.I.7h:i..(4lJMSA.XHS6s:B.466ENMB]<`.S5C8DV.7.I=.SK0.JS5G'KB40!.OaTc=XHU-I8DT.7.H0LSK27.S5E%HH2,.EbD-F6XL.<X2BN).7hG3]K6\d.+I8DP.7.CfMQK0ABS3\1.I.;HFNMW$mXHU*I2BN-.7hIeUK6^RY5E#.I.:E.NMU.7XHW)I8D^.7.GNZYK0GB.4o:iM.x..gSK%hLS.C8BI46'RDfdK0O.R.^.X.r..$LMUc?XHU.D8BN6!.LLMUS<XNE.B.AH#<6BV.Rg4sJx.i8BS.36.NMSI6XYE8h.BA#.7hYeVK6RhC...j(6
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.919451048170663
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:DPT_590327839_027838893200_____________________________.exe
            File size:1'088'512 bytes
            MD5:a41d666268109b71eeab533caf08d5ec
            SHA1:62694b120d65962dbdefc457bfafa092a3e6a018
            SHA256:92d6b2ccfc3f6f350b4c5f989022abda28a982e9fe0bb4121ad4092802e1a758
            SHA512:1e6ddcea2dd5f3660d3ab639fe86def6cd44c4c1545de76805482b54905372b62383eb1f9fc03a2579a1dc8edf253340e28560eff8eb87724e4799d7b8192462
            SSDEEP:24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaLzS77o5:ph+ZkldoPK8YaLzr
            TLSH:BE358C3263918335FFAB9E73DB5DB20D56BC6D250123852FD29C2F79A9F01B1122D262
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
            Icon Hash:1a5ada12a98c3689
            Entrypoint:0x42800a
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x66269655 [Mon Apr 22 16:54:45 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7
            Instruction
            call 00007F61010E56EDh
            jmp 00007F61010D84A4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F61010D862Ah
            cmp edi, eax
            jc 00007F61010D898Eh
            bt dword ptr [004C41FCh], 01h
            jnc 00007F61010D8629h
            rep movsb
            jmp 00007F61010D893Ch
            cmp ecx, 00000080h
            jc 00007F61010D87F4h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F61010D8630h
            bt dword ptr [004BF324h], 01h
            jc 00007F61010D8B00h
            bt dword ptr [004C41FCh], 00000000h
            jnc 00007F61010D87CDh
            test edi, 00000003h
            jne 00007F61010D87DEh
            test esi, 00000003h
            jne 00007F61010D87BDh
            bt edi, 02h
            jnc 00007F61010D862Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F61010D8633h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F61010D8685h
            bt esi, 03h
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD5 build 40629
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD5 build 40629
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x3f57c | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x108000 | 0x7134 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc8000 | 0x3f57c | 0x3f600 | 5388ab06552e9b0b8f86525235d453ac | False | 0.7207878759861933 | data | 7.189407458583954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x108000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc8458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc8580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc86a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc87d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | Great Britain | 0.046891636105524666
            RT_MENU | 0xd8ff8 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xd9048 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xd95dc | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xd9c68 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xda0f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xda6f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xdad50 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xdb1b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xdb310 | 0x2bd20 | data | | | 1.0003398555892316
            RT_GROUP_ICON | 0x107030 | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x107044 | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x107058 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x10706c | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x107080 | 0x10c | data | English | Great Britain | 0.5970149253731343
            RT_MANIFEST | 0x10718c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            DLL | Import
            WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
            Language of compilation system | Country where language is spoken | Map
            English | Great Britain |
            No network behavior found

            Target ID:0
            Start time:08:31:34
            Start date:23/04/2024
            Path:C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
            Imagebase:0xfc0000
            File size:1'088'512 bytes
            MD5 hash:A41D666268109B71EEAB533CAF08D5EC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1227948932.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:08:31:35
            Start date:23/04/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\DPT_590327839_027838893200_____________________________.exe"
            Imagebase:0xd50000
            File size:45'984 bytes
            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.2447856889.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:false

              Execution Graph

              Execution Coverage:3.6%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:4.4%
              Total number of Nodes:2000
              Total number of Limit Nodes:51
              execution_graph 97421 fc107d 97426 fc71eb 97421->97426 97423 fc108c 97457 fe2f80 97423->97457 97427 fc71fb __ftell_nolock 97426->97427 97460 fc77c7 97427->97460 97431 fc72ba 97472 fe074f 97431->97472 97438 fc77c7 59 API calls 97439 fc72eb 97438->97439 97491 fc7eec 97439->97491 97441 fc72f4 RegOpenKeyExW 97442 ffecda RegQueryValueExW 97441->97442 97446 fc7316 Mailbox 97441->97446 97443 ffed6c RegCloseKey 97442->97443 97444 ffecf7 97442->97444 97443->97446 97455 ffed7e _wcscat Mailbox __wsetenvp 97443->97455 97495 fe0ff6 97444->97495 97446->97423 97447 ffed10 97505 fc538e 97447->97505 97450 fc7b52 59 API calls 97450->97455 97451 ffed38 97508 fc7d2c 97451->97508 97453 ffed52 97453->97443 97455->97446 97455->97450 97456 fc3f84 59 API calls 97455->97456 97517 fc7f41 97455->97517 97456->97455 97585 fe2e84 97457->97585 97459 fc1096 97461 fe0ff6 Mailbox 59 API calls 97460->97461 97462 fc77e8 97461->97462 97463 fe0ff6 Mailbox 59 API calls 97462->97463 97464 fc72b1 97463->97464 97465 fc4864 97464->97465 97521 ff1b90 97465->97521 97468 fc7f41 59 API calls 97469 fc4897 97468->97469 97523 fc48ae 97469->97523 97471 fc48a1 Mailbox 97471->97431 97473 ff1b90 __ftell_nolock 97472->97473 97474 fe075c GetFullPathNameW 97473->97474 97475 fe077e 97474->97475 97476 fc7d2c 59 API calls 97475->97476 97477 fc72c5 97476->97477 97478 fc7e0b 97477->97478 97479 fc7e1f 97478->97479 97480 fff173 97478->97480 97545 fc7db0 97479->97545 97550 fc8189 97480->97550 97483 fc72d3 97485 fc3f84 97483->97485 97484 fff17e __wsetenvp _memmove 97486 fc3f92 97485->97486 97490 fc3fb4 _memmove 97485->97490 97488 fe0ff6 Mailbox 59 API calls 97486->97488 97487 fe0ff6 Mailbox 59 API calls 97489 fc3fc8 97487->97489 97488->97490 97489->97438 97490->97487 97492 fc7f06 97491->97492 97494 fc7ef9 97491->97494 97493 fe0ff6 Mailbox 59 API calls 97492->97493 97493->97494 97494->97441 97499 fe0ffe 97495->97499 97497 fe1018 97497->97447 97499->97497 97500 fe101c std::exception::exception 97499->97500 97553 fe594c 
97499->97553 97570 fe35e1 DecodePointer 97499->97570 97571 fe87db RaiseException 97500->97571 97502 fe1046 97572 fe8711 58 API calls _free 97502->97572 97504 fe1058 97504->97447 97506 fe0ff6 Mailbox 59 API calls 97505->97506 97507 fc53a0 RegQueryValueExW 97506->97507 97507->97451 97507->97453 97509 fc7d38 __wsetenvp 97508->97509 97510 fc7da5 97508->97510 97512 fc7d4e 97509->97512 97513 fc7d73 97509->97513 97511 fc7e8c 59 API calls 97510->97511 97516 fc7d56 _memmove 97511->97516 97581 fc8087 97512->97581 97514 fc8189 59 API calls 97513->97514 97514->97516 97516->97453 97518 fc7f50 __wsetenvp _memmove 97517->97518 97519 fe0ff6 Mailbox 59 API calls 97518->97519 97520 fc7f8e 97519->97520 97520->97455 97522 fc4871 GetModuleFileNameW 97521->97522 97522->97468 97524 ff1b90 __ftell_nolock 97523->97524 97525 fc48bb GetFullPathNameW 97524->97525 97526 fc48da 97525->97526 97527 fc48f7 97525->97527 97528 fc7d2c 59 API calls 97526->97528 97529 fc7eec 59 API calls 97527->97529 97530 fc48e6 97528->97530 97529->97530 97533 fc7886 97530->97533 97534 fc7894 97533->97534 97537 fc7e8c 97534->97537 97536 fc48f2 97536->97471 97538 fc7ea3 _memmove 97537->97538 97539 fc7e9a 97537->97539 97538->97536 97539->97538 97541 fc7faf 97539->97541 97542 fc7fc2 97541->97542 97544 fc7fbf _memmove 97541->97544 97543 fe0ff6 Mailbox 59 API calls 97542->97543 97543->97544 97544->97538 97546 fc7dbf __wsetenvp 97545->97546 97547 fc8189 59 API calls 97546->97547 97548 fc7dd0 _memmove 97546->97548 97549 fff130 _memmove 97547->97549 97548->97483 97551 fe0ff6 Mailbox 59 API calls 97550->97551 97552 fc8193 97551->97552 97552->97484 97554 fe59c7 97553->97554 97561 fe5958 97553->97561 97579 fe35e1 DecodePointer 97554->97579 97556 fe59cd 97580 fe8d68 58 API calls __getptd_noexit 97556->97580 97559 fe598b RtlAllocateHeap 97559->97561 97569 fe59bf 97559->97569 97561->97559 97562 fe59b3 97561->97562 97566 fe5963 97561->97566 97567 fe59b1 97561->97567 97576 fe35e1 DecodePointer 97561->97576 97577 fe8d68 58 API calls 
[Execution graph: the report's call-graph view for the sample's unpacked code did not survive extraction; what remained was its raw node/edge listing (function nodes written as "node-id hex-address labels..." and call edges as "src->dst"), covering functions at addresses between roughly 0xfc1000 and 0x1042600. Recoverable information from that listing: the graph attaches the Win32 APIs GetModuleHandleExW, GetProcAddress, ExitProcess, DecodePointer, EncodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, Sleep, RtlFreeHeap, GetLastError, MultiByteToWideChar, WideCharToMultiByte, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetFileAttributesW, FindFirstFileW, FindClose, CharLowerBuffW, CharUpperBuffW, GetCurrentProcess, TerminateProcess, FreeLibrary, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetConsoleMode, GetConsoleCP and WriteConsoleW to its nodes; most other nodes are labelled with MSVC CRT internals (__getptd_noexit, _fseek, __malloc_crt, _free, _memmove, _wcscmp, _wcscpy, _strcat, __itow, __i64tow, __cinit, __lock, _doexit, __wsetenvp, __ftell_nolock, ___lock_fhandle, __unlock_fhandle, __write_nolock, __putwch_nolock, __isleadbyte_l, __fflush_nolock, ___crtCorExitProcess), with "Mailbox"-labelled internal functions and "N API calls" / "N library calls" call-count annotations. The graph thus shows file, registry, console and loader activity wired together through a statically linked CRT; the nodes themselves carry no exploit detail.]
fec840 IsProcessorFeaturePresent 98921->98923 98922->98829 98925 ff5b5a 98923->98925 98931 ff5b09 5 API calls 2 library calls 98925->98931 98927 ff5c3d 98927->98829 98928->98902 98929->98905 98930->98902 98931->98927 98932->98755 98933->98757 98957 fed703 98934->98957 98936 ff0d91 98970 fed67d 59 API calls 2 library calls 98936->98970 98938 ff0d3b 98938->98936 98939 fed703 __lseeki64_nolock 58 API calls 98938->98939 98948 ff0d6f 98938->98948 98942 ff0d66 98939->98942 98940 fed703 __lseeki64_nolock 58 API calls 98943 ff0d7b FindCloseChangeNotification 98940->98943 98941 ff0d99 98944 ff0dbb 98941->98944 98971 fe8d47 58 API calls 3 library calls 98941->98971 98945 fed703 __lseeki64_nolock 58 API calls 98942->98945 98943->98936 98946 ff0d87 GetLastError 98943->98946 98944->98781 98945->98948 98946->98936 98948->98936 98948->98940 98949->98765 98950->98782 98951->98769 98952->98781 98953->98782 98954->98769 98955->98775 98956->98782 98958 fed70e 98957->98958 98959 fed723 98957->98959 98972 fe8d34 58 API calls __getptd_noexit 98958->98972 98964 fed748 98959->98964 98974 fe8d34 58 API calls __getptd_noexit 98959->98974 98961 fed713 98973 fe8d68 58 API calls __getptd_noexit 98961->98973 98964->98938 98965 fed752 98975 fe8d68 58 API calls __getptd_noexit 98965->98975 98967 fed71b 98967->98938 98968 fed75a 98976 fe8ff6 9 API calls _fseek 98968->98976 98970->98941 98971->98944 98972->98961 98973->98967 98974->98965 98975->98968 98976->98967 99113 fc4d13 98977->99113 98982 ffdd0f 98985 fc4faa 84 API calls 98982->98985 98983 fc4f68 LoadLibraryExW 99123 fc4cc8 98983->99123 98987 ffdd16 98985->98987 98989 fc4cc8 3 API calls 98987->98989 98991 ffdd1e 98989->98991 98990 fc4f8f 98990->98991 98992 fc4f9b 98990->98992 99149 fc506b 98991->99149 98993 fc4faa 84 API calls 98992->98993 98995 fc4fa0 98993->98995 98995->98636 98995->98638 98998 ffdd45 99157 fc5027 98998->99157 99002 10242c9 99001->99002 99003 10242ce 99002->99003 99004 10242dc 99002->99004 99005 fc81a7 59 API calls 
99003->99005 99006 fc77c7 59 API calls 99004->99006 99007 10242d7 Mailbox 99005->99007 99008 10242e4 99006->99008 99007->98692 99009 fc77c7 59 API calls 99008->99009 99010 10242ec 99009->99010 99011 fc77c7 59 API calls 99010->99011 99012 10242f7 99011->99012 99013 fc77c7 59 API calls 99012->99013 99014 10242ff 99013->99014 99110->98625 99111->98661 99112->98675 99162 fc4d61 99113->99162 99116 fc4d61 2 API calls 99119 fc4d3a 99116->99119 99117 fc4d4a FreeLibrary 99118 fc4d53 99117->99118 99120 fe548b 99118->99120 99119->99117 99119->99118 99166 fe54a0 99120->99166 99122 fc4f5c 99122->98982 99122->98983 99323 fc4d94 99123->99323 99126 fc4cff FreeLibrary 99127 fc4d08 99126->99127 99130 fc4dd0 99127->99130 99128 fc4d94 2 API calls 99129 fc4ced 99128->99129 99129->99126 99129->99127 99131 fe0ff6 Mailbox 59 API calls 99130->99131 99132 fc4de5 99131->99132 99133 fc538e 59 API calls 99132->99133 99134 fc4df1 _memmove 99133->99134 99135 fc4e2c 99134->99135 99136 fc4ee9 99134->99136 99137 fc4f21 99134->99137 99138 fc5027 69 API calls 99135->99138 99327 fc4fe9 CreateStreamOnHGlobal 99136->99327 99338 1029ba5 95 API calls 99137->99338 99146 fc4e35 99138->99146 99141 fc506b 74 API calls 99141->99146 99143 fc4ec9 99143->98990 99144 ffdcd0 99145 fc5045 85 API calls 99144->99145 99147 ffdce4 99145->99147 99146->99141 99146->99143 99146->99144 99333 fc5045 99146->99333 99148 fc506b 74 API calls 99147->99148 99148->99143 99150 fc507d 99149->99150 99151 ffddf6 99149->99151 99356 fe5812 99150->99356 99154 1029393 99537 10291e9 99154->99537 99156 10293a9 99156->98998 99158 ffddb9 99157->99158 99159 fc5036 99157->99159 99542 fe5e90 99159->99542 99161 fc503e 99163 fc4d2e 99162->99163 99164 fc4d6a LoadLibraryA 99162->99164 99163->99116 99163->99119 99164->99163 99165 fc4d7b GetProcAddress 99164->99165 99165->99163 99169 fe54ac _fseek 99166->99169 99167 fe54bf 99215 fe8d68 58 API calls __getptd_noexit 99167->99215 99169->99167 99171 fe54f0 99169->99171 99170 fe54c4 99216 fe8ff6 9 API calls 
_fseek 99170->99216 99185 ff0738 99171->99185 99174 fe54f5 99175 fe54fe 99174->99175 99176 fe550b 99174->99176 99217 fe8d68 58 API calls __getptd_noexit 99175->99217 99178 fe5535 99176->99178 99179 fe5515 99176->99179 99200 ff0857 99178->99200 99218 fe8d68 58 API calls __getptd_noexit 99179->99218 99182 fe54cf _fseek @_EH4_CallFilterFunc@8 99182->99122 99186 ff0744 _fseek 99185->99186 99187 fe9e4b __lock 58 API calls 99186->99187 99188 ff0752 99187->99188 99189 ff07cd 99188->99189 99194 fe9ed3 __mtinitlocknum 58 API calls 99188->99194 99198 ff07c6 99188->99198 99223 fe6e8d 59 API calls __lock 99188->99223 99224 fe6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99188->99224 99190 fe8a5d __malloc_crt 58 API calls 99189->99190 99192 ff07d4 99190->99192 99192->99198 99225 fea06b InitializeCriticalSectionAndSpinCount 99192->99225 99194->99188 99196 ff0843 _fseek 99196->99174 99197 ff07fa EnterCriticalSection 99197->99198 99220 ff084e 99198->99220 99208 ff0877 __wopenfile 99200->99208 99201 ff0891 99230 fe8d68 58 API calls __getptd_noexit 99201->99230 99203 ff0896 99231 fe8ff6 9 API calls _fseek 99203->99231 99205 fe5540 99219 fe5562 LeaveCriticalSection LeaveCriticalSection _fseek 99205->99219 99206 ff0aaf 99227 ff87f1 99206->99227 99208->99201 99214 ff0a4c 99208->99214 99232 fe3a0b 60 API calls 2 library calls 99208->99232 99210 ff0a45 99210->99214 99233 fe3a0b 60 API calls 2 library calls 99210->99233 99212 ff0a64 99212->99214 99234 fe3a0b 60 API calls 2 library calls 99212->99234 99214->99201 99214->99206 99215->99170 99216->99182 99217->99182 99218->99182 99219->99182 99226 fe9fb5 LeaveCriticalSection 99220->99226 99222 ff0855 99222->99196 99223->99188 99224->99188 99225->99197 99226->99222 99235 ff7fd5 99227->99235 99229 ff880a 99229->99205 99230->99203 99231->99205 99232->99210 99233->99212 99234->99214 99236 ff7fe1 _fseek 99235->99236 99237 ff7ff7 99236->99237 99239 ff802d 99236->99239 99320 fe8d68 58 API calls __getptd_noexit 99237->99320 99246 ff809e 
99239->99246 99240 ff7ffc 99321 fe8ff6 9 API calls _fseek 99240->99321 99243 ff8049 99322 ff8072 LeaveCriticalSection __unlock_fhandle 99243->99322 99245 ff8006 _fseek 99245->99229 99247 ff80be 99246->99247 99248 fe471a __wsopen_nolock 58 API calls 99247->99248 99250 ff80da 99248->99250 99249 fe9006 __invoke_watson 8 API calls 99251 ff87f0 99249->99251 99252 ff8114 99250->99252 99260 ff8137 99250->99260 99294 ff8211 99250->99294 99253 ff7fd5 __wsopen_helper 103 API calls 99251->99253 99254 fe8d34 __write 58 API calls 99252->99254 99255 ff880a 99253->99255 99256 ff8119 99254->99256 99255->99243 99257 fe8d68 _fseek 58 API calls 99256->99257 99258 ff8126 99257->99258 99261 fe8ff6 _fseek 9 API calls 99258->99261 99259 ff81f5 99262 fe8d34 __write 58 API calls 99259->99262 99260->99259 99266 ff81d3 99260->99266 99287 ff8130 99261->99287 99263 ff81fa 99262->99263 99264 fe8d68 _fseek 58 API calls 99263->99264 99265 ff8207 99264->99265 99267 fe8ff6 _fseek 9 API calls 99265->99267 99268 fed4d4 __alloc_osfhnd 61 API calls 99266->99268 99267->99294 99269 ff82a1 99268->99269 99270 ff82ce 99269->99270 99271 ff82ab 99269->99271 99273 ff7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99270->99273 99272 fe8d34 __write 58 API calls 99271->99272 99274 ff82b0 99272->99274 99275 ff82f0 99273->99275 99276 fe8d68 _fseek 58 API calls 99274->99276 99277 ff836e GetFileType 99275->99277 99280 ff833c GetLastError 99275->99280 99285 ff7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99275->99285 99278 ff82ba 99276->99278 99279 ff8379 GetLastError 99277->99279 99281 ff83bb 99277->99281 99283 fe8d68 _fseek 58 API calls 99278->99283 99284 fe8d47 __dosmaperr 58 API calls 99279->99284 99282 fe8d47 __dosmaperr 58 API calls 99280->99282 99290 fed76a __set_osfhnd 59 API calls 99281->99290 99286 ff8361 99282->99286 99283->99287 99288 ff83a0 CloseHandle 99284->99288 99289 ff8331 99285->99289 99292 fe8d68 _fseek 58 API calls 99286->99292 99287->99243 99288->99286 99291 ff83ae 
99288->99291 99289->99277 99289->99280 99297 ff83d9 99290->99297 99293 fe8d68 _fseek 58 API calls 99291->99293 99292->99294 99295 ff83b3 99293->99295 99294->99249 99295->99286 99296 ff8594 99296->99294 99299 ff8767 CloseHandle 99296->99299 99297->99296 99298 ff1b11 __lseeki64_nolock 60 API calls 99297->99298 99307 ff845a 99297->99307 99300 ff8443 99298->99300 99301 ff7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99299->99301 99304 fe8d34 __write 58 API calls 99300->99304 99300->99307 99303 ff878e 99301->99303 99302 ff10ab 70 API calls __read_nolock 99302->99307 99305 ff87c2 99303->99305 99306 ff8796 GetLastError 99303->99306 99304->99307 99305->99294 99308 fe8d47 __dosmaperr 58 API calls 99306->99308 99307->99296 99307->99302 99309 ff0d2d __close_nolock 61 API calls 99307->99309 99310 ff848c 99307->99310 99314 fedac6 __write 78 API calls 99307->99314 99315 ff8611 99307->99315 99316 ff1b11 60 API calls __lseeki64_nolock 99307->99316 99311 ff87a2 99308->99311 99309->99307 99310->99307 99312 ff99f2 __chsize_nolock 82 API calls 99310->99312 99313 fed67d __free_osfhnd 59 API calls 99311->99313 99312->99310 99313->99305 99314->99307 99317 ff0d2d __close_nolock 61 API calls 99315->99317 99316->99307 99318 ff8618 99317->99318 99319 fe8d68 _fseek 58 API calls 99318->99319 99319->99294 99320->99240 99321->99245 99322->99245 99324 fc4ce1 99323->99324 99325 fc4d9d LoadLibraryA 99323->99325 99324->99128 99324->99129 99325->99324 99326 fc4dae GetProcAddress 99325->99326 99326->99324 99328 fc5003 FindResourceExW 99327->99328 99330 fc5020 99327->99330 99329 ffdd5c LoadResource 99328->99329 99328->99330 99329->99330 99331 ffdd71 SizeofResource 99329->99331 99330->99135 99331->99330 99332 ffdd85 LockResource 99331->99332 99332->99330 99334 fc5054 99333->99334 99335 ffddd4 99333->99335 99339 fe5a7d 99334->99339 99337 fc5062 99337->99146 99338->99135 99340 fe5a89 _fseek 99339->99340 99341 fe5a9b 99340->99341 99343 fe5ac1 99340->99343 99352 fe8d68 58 API calls 
__getptd_noexit 99341->99352 99344 fe6e4e __lock_file 59 API calls 99343->99344 99346 fe5ac7 99344->99346 99345 fe5aa0 99353 fe8ff6 9 API calls _fseek 99345->99353 99354 fe59ee 83 API calls 5 library calls 99346->99354 99349 fe5ad6 99355 fe5af8 LeaveCriticalSection LeaveCriticalSection _fseek 99349->99355 99351 fe5aab _fseek 99351->99337 99352->99345 99353->99351 99354->99349 99355->99351 99359 fe582d 99356->99359 99358 fc508e 99358->99154 99360 fe5839 _fseek 99359->99360 99361 fe584f _memset 99360->99361 99362 fe587c 99360->99362 99364 fe5874 _fseek 99360->99364 99386 fe8d68 58 API calls __getptd_noexit 99361->99386 99363 fe6e4e __lock_file 59 API calls 99362->99363 99365 fe5882 99363->99365 99364->99358 99372 fe564d 99365->99372 99368 fe5869 99387 fe8ff6 9 API calls _fseek 99368->99387 99375 fe5668 _memset 99372->99375 99379 fe5683 99372->99379 99373 fe5673 99477 fe8d68 58 API calls __getptd_noexit 99373->99477 99375->99373 99375->99379 99383 fe56c3 99375->99383 99376 fe5678 99478 fe8ff6 9 API calls _fseek 99376->99478 99388 fe58b6 LeaveCriticalSection LeaveCriticalSection _fseek 99379->99388 99380 fe57d4 _memset 99480 fe8d68 58 API calls __getptd_noexit 99380->99480 99381 fe4916 __fflush_nolock 58 API calls 99381->99383 99383->99379 99383->99380 99383->99381 99389 ff10ab 99383->99389 99457 ff0df7 99383->99457 99479 ff0f18 58 API calls 3 library calls 99383->99479 99386->99368 99387->99364 99388->99364 99390 ff10cc 99389->99390 99391 ff10e3 99389->99391 99481 fe8d34 58 API calls __getptd_noexit 99390->99481 99393 ff181b 99391->99393 99396 ff111d 99391->99396 99496 fe8d34 58 API calls __getptd_noexit 99393->99496 99395 ff10d1 99482 fe8d68 58 API calls __getptd_noexit 99395->99482 99399 ff1125 99396->99399 99405 ff113c 99396->99405 99397 ff1820 99497 fe8d68 58 API calls __getptd_noexit 99397->99497 99483 fe8d34 58 API calls __getptd_noexit 99399->99483 99402 ff1131 99498 fe8ff6 9 API calls _fseek 99402->99498 99403 ff112a 99484 fe8d68 58 API calls __getptd_noexit 
99403->99484 99406 ff1151 99405->99406 99409 ff116b 99405->99409 99410 ff1189 99405->99410 99437 ff10d8 99405->99437 99485 fe8d34 58 API calls __getptd_noexit 99406->99485 99409->99406 99412 ff1176 99409->99412 99411 fe8a5d __malloc_crt 58 API calls 99410->99411 99413 ff1199 99411->99413 99414 ff5ebb __read_nolock 58 API calls 99412->99414 99415 ff11bc 99413->99415 99416 ff11a1 99413->99416 99417 ff128a 99414->99417 99488 ff1b11 60 API calls 3 library calls 99415->99488 99486 fe8d68 58 API calls __getptd_noexit 99416->99486 99419 ff1303 ReadFile 99417->99419 99424 ff12a0 GetConsoleMode 99417->99424 99422 ff1325 99419->99422 99423 ff17e3 GetLastError 99419->99423 99421 ff11a6 99487 fe8d34 58 API calls __getptd_noexit 99421->99487 99422->99423 99431 ff12f5 99422->99431 99428 ff12e3 99423->99428 99429 ff17f0 99423->99429 99425 ff12b4 99424->99425 99426 ff1300 99424->99426 99425->99426 99430 ff12ba ReadConsoleW 99425->99430 99426->99419 99440 ff12e9 99428->99440 99489 fe8d47 58 API calls 3 library calls 99428->99489 99494 fe8d68 58 API calls __getptd_noexit 99429->99494 99430->99431 99433 ff12dd GetLastError 99430->99433 99439 ff15c7 99431->99439 99431->99440 99442 ff135a 99431->99442 99433->99428 99435 ff17f5 99495 fe8d34 58 API calls __getptd_noexit 99435->99495 99437->99383 99438 fe2f95 _free 58 API calls 99438->99437 99439->99440 99447 ff16cd ReadFile 99439->99447 99440->99437 99440->99438 99443 ff13c6 ReadFile 99442->99443 99449 ff1447 99442->99449 99444 ff13e7 GetLastError 99443->99444 99455 ff13f1 99443->99455 99444->99455 99445 ff1504 99451 ff14b4 MultiByteToWideChar 99445->99451 99492 ff1b11 60 API calls 3 library calls 99445->99492 99446 ff14f4 99491 fe8d68 58 API calls __getptd_noexit 99446->99491 99448 ff16f0 GetLastError 99447->99448 99456 ff16fe 99447->99456 99448->99456 99449->99440 99449->99445 99449->99446 99449->99451 99451->99433 99451->99440 99455->99442 99490 ff1b11 60 API calls 3 library calls 99455->99490 99456->99439 99493 ff1b11 60 API calls 3 
library calls 99456->99493 99458 ff0e17 99457->99458 99459 ff0e02 99457->99459 99463 ff0e4c 99458->99463 99471 ff0e12 99458->99471 99534 ff6234 99458->99534 99532 fe8d68 58 API calls __getptd_noexit 99459->99532 99461 ff0e07 99533 fe8ff6 9 API calls _fseek 99461->99533 99465 fe4916 __fflush_nolock 58 API calls 99463->99465 99466 ff0e60 99465->99466 99499 ff0f97 99466->99499 99468 ff0e67 99469 fe4916 __fflush_nolock 58 API calls 99468->99469 99468->99471 99470 ff0e8a 99469->99470 99470->99471 99472 fe4916 __fflush_nolock 58 API calls 99470->99472 99471->99383 99473 ff0e96 99472->99473 99473->99471 99474 fe4916 __fflush_nolock 58 API calls 99473->99474 99475 ff0ea3 99474->99475 99476 fe4916 __fflush_nolock 58 API calls 99475->99476 99476->99471 99477->99376 99478->99379 99479->99383 99480->99376 99481->99395 99482->99437 99483->99403 99484->99402 99485->99403 99486->99421 99487->99437 99488->99412 99489->99440 99490->99455 99491->99440 99492->99451 99493->99456 99494->99435 99495->99440 99496->99397 99497->99402 99498->99437 99500 ff0fa3 _fseek 99499->99500 99501 ff0fc7 99500->99501 99502 ff0fb0 99500->99502 99503 ff108b 99501->99503 99505 ff0fdb 99501->99505 99504 fe8d34 __write 58 API calls 99502->99504 99506 fe8d34 __write 58 API calls 99503->99506 99507 ff0fb5 99504->99507 99508 ff0ff9 99505->99508 99509 ff1006 99505->99509 99510 ff0ffe 99506->99510 99511 fe8d68 _fseek 58 API calls 99507->99511 99512 fe8d34 __write 58 API calls 99508->99512 99513 ff1028 99509->99513 99514 ff1013 99509->99514 99517 fe8d68 _fseek 58 API calls 99510->99517 99523 ff0fbc _fseek 99511->99523 99512->99510 99516 fed446 ___lock_fhandle 59 API calls 99513->99516 99515 fe8d34 __write 58 API calls 99514->99515 99519 ff1018 99515->99519 99520 ff102e 99516->99520 99518 ff1020 99517->99518 99526 fe8ff6 _fseek 9 API calls 99518->99526 99524 fe8d68 _fseek 58 API calls 99519->99524 99521 ff1054 99520->99521 99522 ff1041 99520->99522 99527 fe8d68 _fseek 58 API calls 99521->99527 99525 ff10ab 
__read_nolock 70 API calls 99522->99525 99523->99468 99524->99518 99528 ff104d 99525->99528 99526->99523 99529 ff1059 99527->99529 99531 ff1083 __read LeaveCriticalSection 99528->99531 99530 fe8d34 __write 58 API calls 99529->99530 99530->99528 99531->99523 99532->99461 99533->99471 99535 fe8a5d __malloc_crt 58 API calls 99534->99535 99536 ff6249 99535->99536 99536->99463 99540 fe543a GetSystemTimeAsFileTime 99537->99540 99539 10291f8 99539->99156 99541 fe5468 __aulldiv 99540->99541 99541->99539 99543 fe5e9c _fseek 99542->99543 99544 fe5eae 99543->99544 99545 fe5ec3 99543->99545 99556 fe8d68 58 API calls __getptd_noexit 99544->99556 99547 fe6e4e __lock_file 59 API calls 99545->99547 99549 fe5ec9 99547->99549 99548 fe5eb3 99557 fe8ff6 9 API calls _fseek 99548->99557 99558 fe5b00 67 API calls 6 library calls 99549->99558 99552 fe5ed4 99559 fe5ef4 LeaveCriticalSection LeaveCriticalSection _fseek 99552->99559 99554 fe5ee6 99555 fe5ebe _fseek 99554->99555 99555->99161 99556->99548 99557->99555 99558->99552 99559->99554 99701 fc1066 99706 fcf8cf 99701->99706 99703 fc106c 99704 fe2f80 __cinit 67 API calls 99703->99704 99705 fc1076 99704->99705 99707 fcf8f0 99706->99707 99739 fe0143 99707->99739 99711 fcf937 99712 fc77c7 59 API calls 99711->99712 99713 fcf941 99712->99713 99714 fc77c7 59 API calls 99713->99714 99715 fcf94b 99714->99715 99716 fc77c7 59 API calls 99715->99716 99717 fcf955 99716->99717 99718 fc77c7 59 API calls 99717->99718 99719 fcf993 99718->99719 99720 fc77c7 59 API calls 99719->99720 99721 fcfa5e 99720->99721 99749 fd60e7 99721->99749 99725 fcfa90 99726 fc77c7 59 API calls 99725->99726 99727 fcfa9a 99726->99727 99777 fdffde 99727->99777 99729 fcfae1 99730 fcfaf1 GetStdHandle 99729->99730 99731 fcfb3d 99730->99731 99732 10049d5 99730->99732 99733 fcfb45 OleInitialize 99731->99733 99732->99731 99734 10049de 99732->99734 99733->99703 99784 1026dda 64 API calls Mailbox 99734->99784 99736 10049e5 99785 10274a9 CreateThread 99736->99785 99738 10049f1 
CloseHandle 99738->99733 99786 fe021c 99739->99786 99742 fe021c 59 API calls 99743 fe0185 99742->99743 99744 fc77c7 59 API calls 99743->99744 99745 fe0191 99744->99745 99746 fc7d2c 59 API calls 99745->99746 99747 fcf8f6 99746->99747 99748 fe03a2 6 API calls 99747->99748 99748->99711 99750 fc77c7 59 API calls 99749->99750 99751 fd60f7 99750->99751 99752 fc77c7 59 API calls 99751->99752 99753 fd60ff 99752->99753 99793 fd5bfd 99753->99793 99756 fd5bfd 59 API calls 99757 fd610f 99756->99757 99758 fc77c7 59 API calls 99757->99758 99759 fd611a 99758->99759 99760 fe0ff6 Mailbox 59 API calls 99759->99760 99761 fcfa68 99760->99761 99762 fd6259 99761->99762 99763 fd6267 99762->99763 99764 fc77c7 59 API calls 99763->99764 99765 fd6272 99764->99765 99766 fc77c7 59 API calls 99765->99766 99767 fd627d 99766->99767 99768 fc77c7 59 API calls 99767->99768 99769 fd6288 99768->99769 99770 fc77c7 59 API calls 99769->99770 99771 fd6293 99770->99771 99772 fd5bfd 59 API calls 99771->99772 99773 fd629e 99772->99773 99774 fe0ff6 Mailbox 59 API calls 99773->99774 99775 fd62a5 RegisterWindowMessageW 99774->99775 99775->99725 99778 1015cc3 99777->99778 99779 fdffee 99777->99779 99796 1029d71 60 API calls 99778->99796 99780 fe0ff6 Mailbox 59 API calls 99779->99780 99782 fdfff6 99780->99782 99782->99729 99783 1015cce 99784->99736 99785->99738 99797 102748f 65 API calls 99785->99797 99787 fc77c7 59 API calls 99786->99787 99788 fe0227 99787->99788 99789 fc77c7 59 API calls 99788->99789 99790 fe022f 99789->99790 99791 fc77c7 59 API calls 99790->99791 99792 fe017b 99791->99792 99792->99742 99794 fc77c7 59 API calls 99793->99794 99795 fd5c05 99794->99795 99795->99756 99796->99783 99798 fc1016 99803 fc4ad2 99798->99803 99801 fe2f80 __cinit 67 API calls 99802 fc1025 99801->99802 99804 fe0ff6 Mailbox 59 API calls 99803->99804 99805 fc4ada 99804->99805 99806 fc101b 99805->99806 99810 fc4a94 99805->99810 99806->99801 99811 fc4a9d 99810->99811 99812 fc4aaf 99810->99812 99813 fe2f80 __cinit 67 API calls 
99811->99813 99814 fc4afe 99812->99814 99813->99812 99815 fc77c7 59 API calls 99814->99815 99816 fc4b16 GetVersionExW 99815->99816 99817 fc7d2c 59 API calls 99816->99817 99818 fc4b59 99817->99818 99819 fc7e8c 59 API calls 99818->99819 99822 fc4b86 99818->99822 99820 fc4b7a 99819->99820 99821 fc7886 59 API calls 99820->99821 99821->99822 99823 fc4bf1 GetCurrentProcess IsWow64Process 99822->99823 99825 ffdc8d 99822->99825 99824 fc4c0a 99823->99824 99826 fc4c89 GetSystemInfo 99824->99826 99827 fc4c20 99824->99827 99829 fc4c56 99826->99829 99838 fc4c95 99827->99838 99829->99806 99831 fc4c7d GetSystemInfo 99834 fc4c47 99831->99834 99832 fc4c32 99833 fc4c95 2 API calls 99832->99833 99835 fc4c3a GetNativeSystemInfo 99833->99835 99834->99829 99836 fc4c4d FreeLibrary 99834->99836 99835->99834 99836->99829 99839 fc4c2e 99838->99839 99840 fc4c9e LoadLibraryA 99838->99840 99839->99831 99839->99832 99840->99839 99841 fc4caf GetProcAddress 99840->99841 99841->99839 99842 fe7e93 99843 fe7e9f _fseek 99842->99843 99879 fea048 GetStartupInfoW 99843->99879 99846 fe7ea4 99881 fe8dbc GetProcessHeap 99846->99881 99847 fe7efc 99848 fe7f07 99847->99848 99964 fe7fe3 58 API calls 3 library calls 99847->99964 99882 fe9d26 99848->99882 99851 fe7f0d 99852 fe7f18 __RTC_Initialize 99851->99852 99965 fe7fe3 58 API calls 3 library calls 99851->99965 99903 fed812 99852->99903 99855 fe7f27 99856 fe7f33 GetCommandLineW 99855->99856 99966 fe7fe3 58 API calls 3 library calls 99855->99966 99922 ff5173 GetEnvironmentStringsW 99856->99922 99860 fe7f32 99860->99856 99862 fe7f4d 99865 fe7f58 99862->99865 99967 fe32f5 58 API calls 3 library calls 99862->99967 99932 ff4fa8 99865->99932 99866 fe7f5e 99867 fe7f69 99866->99867 99968 fe32f5 58 API calls 3 library calls 99866->99968 99946 fe332f 99867->99946 99870 fe7f71 99871 fe7f7c __wwincmdln 99870->99871 99969 fe32f5 58 API calls 3 library calls 99870->99969 99952 fc492e 99871->99952 99874 fe7f90 99875 fe7f9f 99874->99875 99970 fe3598 58 API calls _doexit 
99874->99970 99971 fe3320 58 API calls _doexit 99875->99971 99878 fe7fa4 _fseek 99880 fea05e 99879->99880 99880->99846 99881->99847 99972 fe33c7 36 API calls 2 library calls 99882->99972 99884 fe9d2b 99973 fe9f7c InitializeCriticalSectionAndSpinCount __getstream 99884->99973 99886 fe9d30 99887 fe9d34 99886->99887 99975 fe9fca TlsAlloc 99886->99975 99974 fe9d9c 61 API calls 2 library calls 99887->99974 99890 fe9d39 99890->99851 99891 fe9d46 99891->99887 99892 fe9d51 99891->99892 99976 fe8a15 99892->99976 99895 fe9d93 99984 fe9d9c 61 API calls 2 library calls 99895->99984 99898 fe9d72 99898->99895 99900 fe9d78 99898->99900 99899 fe9d98 99899->99851 99983 fe9c73 58 API calls 4 library calls 99900->99983 99902 fe9d80 GetCurrentThreadId 99902->99851 99904 fed81e _fseek 99903->99904 99905 fe9e4b __lock 58 API calls 99904->99905 99906 fed825 99905->99906 99907 fe8a15 __calloc_crt 58 API calls 99906->99907 99908 fed836 99907->99908 99909 fed8a1 GetStartupInfoW 99908->99909 99910 fed841 _fseek @_EH4_CallFilterFunc@8 99908->99910 99916 fed8b6 99909->99916 99919 fed9e5 99909->99919 99910->99855 99911 fedaad 99998 fedabd LeaveCriticalSection _doexit 99911->99998 99913 fe8a15 __calloc_crt 58 API calls 99913->99916 99914 feda32 GetStdHandle 99914->99919 99915 feda45 GetFileType 99915->99919 99916->99913 99918 fed904 99916->99918 99916->99919 99917 fed938 GetFileType 99917->99918 99918->99917 99918->99919 99996 fea06b InitializeCriticalSectionAndSpinCount 99918->99996 99919->99911 99919->99914 99919->99915 99997 fea06b InitializeCriticalSectionAndSpinCount 99919->99997 99923 fe7f43 99922->99923 99924 ff5184 99922->99924 99928 ff4d6b GetModuleFileNameW 99923->99928 99925 fe8a5d __malloc_crt 58 API calls 99924->99925 99926 ff51aa _memmove 99925->99926 99927 ff51c0 FreeEnvironmentStringsW 99926->99927 99927->99923 99929 ff4d9f _wparse_cmdline 99928->99929 99930 fe8a5d __malloc_crt 58 API calls 99929->99930 99931 ff4ddf _wparse_cmdline 99929->99931 99930->99931 99931->99862 99933 
ff4fb9 99932->99933 99934 ff4fc1 __wsetenvp 99932->99934 99933->99866 99935 fe8a15 __calloc_crt 58 API calls 99934->99935 99939 ff4fea __wsetenvp 99935->99939 99936 ff5041 99937 fe2f95 _free 58 API calls 99936->99937 99937->99933 99938 fe8a15 __calloc_crt 58 API calls 99938->99939 99939->99933 99939->99936 99939->99938 99940 ff5066 99939->99940 99943 ff507d 99939->99943 99999 ff4857 58 API calls _fseek 99939->99999 99941 fe2f95 _free 58 API calls 99940->99941 99941->99933 100000 fe9006 IsProcessorFeaturePresent 99943->100000 99945 ff5089 99945->99866 99948 fe333b __IsNonwritableInCurrentImage 99946->99948 100015 fea711 99948->100015 99949 fe3359 __initterm_e 99950 fe2f80 __cinit 67 API calls 99949->99950 99951 fe3378 _doexit __IsNonwritableInCurrentImage 99949->99951 99950->99951 99951->99870 99953 fc4948 99952->99953 99963 fc49e7 99952->99963 99954 fc4982 IsThemeActive 99953->99954 100018 fe35ac 99954->100018 99958 fc49ae 100030 fc4a5b SystemParametersInfoW SystemParametersInfoW 99958->100030 99960 fc49ba 100031 fc3b4c 99960->100031 99963->99874 99964->99848 99965->99852 99966->99860 99970->99875 99971->99878 99972->99884 99973->99886 99974->99890 99975->99891 99979 fe8a1c 99976->99979 99978 fe8a57 99978->99895 99982 fea026 TlsSetValue 99978->99982 99979->99978 99980 fe8a3a 99979->99980 99985 ff5446 99979->99985 99980->99978 99980->99979 99993 fea372 Sleep 99980->99993 99982->99898 99983->99902 99984->99899 99986 ff5451 99985->99986 99989 ff546c 99985->99989 99987 ff545d 99986->99987 99986->99989 99994 fe8d68 58 API calls __getptd_noexit 99987->99994 99988 ff547c RtlAllocateHeap 99988->99989 99991 ff5462 99988->99991 99989->99988 99989->99991 99995 fe35e1 DecodePointer 99989->99995 99991->99979 99993->99980 99994->99991 99995->99989 99996->99918 99997->99919 99998->99910 99999->99939 100001 fe9011 100000->100001 100006 fe8e99 100001->100006 100005 fe902c 100005->99945 100007 fe8eb3 _memset __call_reportfault 100006->100007 100008 fe8ed3 IsDebuggerPresent 
100007->100008 100014 fea395 SetUnhandledExceptionFilter UnhandledExceptionFilter 100008->100014 100010 fec836 __wtof_l 6 API calls 100012 fe8fba 100010->100012 100011 fe8f97 __call_reportfault 100011->100010 100013 fea380 GetCurrentProcess TerminateProcess 100012->100013 100013->100005 100014->100011 100016 fea714 EncodePointer 100015->100016 100016->100016 100017 fea72e 100016->100017 100017->99949 100019 fe9e4b __lock 58 API calls 100018->100019 100020 fe35b7 DecodePointer EncodePointer 100019->100020 100083 fe9fb5 LeaveCriticalSection 100020->100083 100022 fc49a7 100023 fe3614 100022->100023 100024 fe361e 100023->100024 100025 fe3638 100023->100025 100024->100025 100084 fe8d68 58 API calls __getptd_noexit 100024->100084 100025->99958 100027 fe3628 100085 fe8ff6 9 API calls _fseek 100027->100085 100029 fe3633 100029->99958 100030->99960 100032 fc3b59 __ftell_nolock 100031->100032 100033 fc77c7 59 API calls 100032->100033 100034 fc3b63 GetCurrentDirectoryW 100033->100034 100086 fc3778 100034->100086 100083->100022 100084->100027 100085->100029 100087 fc77c7 59 API calls 100086->100087 100088 fc378e 100087->100088 100298 fc3d43 100088->100298 100090 fc37ac 100091 fc4864 61 API calls 100090->100091 100092 fc37c0 100091->100092 100093 fc7f41 59 API calls 100092->100093 100094 fc37cd 100093->100094 100095 fc4f3d 136 API calls 100094->100095 100096 fc37e6 100095->100096 100097 ffd3ae 100096->100097 100098 fc37ee Mailbox 100096->100098 100340 10297e5 100097->100340 100102 fc81a7 59 API calls 100098->100102 100101 ffd3cd 100105 fe2f95 _free 58 API calls 100101->100105 100103 fc3801 100102->100103 100312 fc93ea 100103->100312 100104 fc4faa 84 API calls 100104->100101 100106 ffd3da 100105->100106 100108 fc4faa 84 API calls 100106->100108 100110 ffd3e3 100108->100110 100114 fc3ee2 59 API calls 100110->100114 100111 fc7f41 59 API calls 100112 fc381a 100111->100112 100113 fc8620 69 API calls 100112->100113 100115 fc382c Mailbox 100113->100115 100116 ffd3fe 100114->100116 

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC3B7A
              • IsDebuggerPresent.KERNEL32 ref: 00FC3B8C
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,010862F8,010862E0,?,?), ref: 00FC3BFD
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                • Part of subcall function 00FD0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FC3C26,010862F8,?,?,?), ref: 00FD0ACE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC3C81
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010793F0,00000010), ref: 00FFD4BC
              • SetCurrentDirectoryW.KERNEL32(?,010862F8,?,?,?), ref: 00FFD4F4
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01075D40,010862F8,?,?,?), ref: 00FFD57A
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00FFD581
                • Part of subcall function 00FC3A58: GetSysColorBrush.USER32(0000000F), ref: 00FC3A62
                • Part of subcall function 00FC3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00FC3A71
                • Part of subcall function 00FC3A58: LoadIconW.USER32(00000063), ref: 00FC3A88
                • Part of subcall function 00FC3A58: LoadIconW.USER32(000000A4), ref: 00FC3A9A
                • Part of subcall function 00FC3A58: LoadIconW.USER32(000000A2), ref: 00FC3AAC
                • Part of subcall function 00FC3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC3AD2
                • Part of subcall function 00FC3A58: RegisterClassExW.USER32(?), ref: 00FC3B28
                • Part of subcall function 00FC39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC3A15
                • Part of subcall function 00FC39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3A36
                • Part of subcall function 00FC39E7: ShowWindow.USER32(00000000,?,?), ref: 00FC3A4A
                • Part of subcall function 00FC39E7: ShowWindow.USER32(00000000,?,?), ref: 00FC3A53
                • Part of subcall function 00FC43DB: _memset.LIBCMT ref: 00FC4401
                • Part of subcall function 00FC43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC44A6
              Strings
              • runas, xrefs: 00FFD575
              • This is a third-party compiled AutoIt script., xrefs: 00FFD4B4
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas
              • API String ID: 529118366-3287110873
              • Opcode ID: 0ed03059059fac33b4e593818302c1cf2af566627f5acb9653029af85070a276
              • Instruction ID: bc157560dc4d123a0d0a8fd6b19aeb3fc07a287762ce6852034977e1933a8623
              • Opcode Fuzzy Hash: 0ed03059059fac33b4e593818302c1cf2af566627f5acb9653029af85070a276
              • Instruction Fuzzy Hash: FF510331D0824AAACB21FBB4DE46FFD7B75AF04350F0480ADF8D1A6152CA3E5645EB20
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetVersionExW.KERNEL32(?), ref: 00FC4B2B
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              • GetCurrentProcess.KERNEL32(?,0104FAEC,00000000,00000000,?), ref: 00FC4BF8
              • IsWow64Process.KERNEL32(00000000), ref: 00FC4BFF
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FC4C45
              • FreeLibrary.KERNEL32(00000000), ref: 00FC4C50
              • GetSystemInfo.KERNEL32(00000000), ref: 00FC4C81
              • GetSystemInfo.KERNEL32(00000000), ref: 00FC4C8D
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: a65a3b13a3dbbaab7824930e92f236dfbb8606c474916286577876200463027e
              • Instruction ID: bf6889d59080bda2aa1f81334a1a8f983f71157eb3dc3eeba0aa663616d95f32
              • Opcode Fuzzy Hash: a65a3b13a3dbbaab7824930e92f236dfbb8606c474916286577876200463027e
              • Instruction Fuzzy Hash: 2591273184A7C5DEC731DB788662BAAFFE5AF66310B044D9DD0CB83A51C224F908E719
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FC4EEE,?,?,00000000,00000000), ref: 00FC4FF9
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FC4EEE,?,?,00000000,00000000), ref: 00FC5010
              • LoadResource.KERNEL32(?,00000000,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F), ref: 00FFDD60
              • SizeofResource.KERNEL32(?,00000000,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F), ref: 00FFDD75
              • LockResource.KERNEL32(00FC4EEE,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F,00000000), ref: 00FFDD88
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: 6779b655990172ff1f2f1e9a98cd23781cfb98c4692745edf319806a189221e0
              • Instruction ID: 453c4b1d4e3757597a0bd7a9ba6dd2ce37bf8838bf497287b15bdac9ce4476a7
              • Opcode Fuzzy Hash: 6779b655990172ff1f2f1e9a98cd23781cfb98c4692745edf319806a189221e0
              • Instruction Fuzzy Hash: C6119EB5640702BFD7308B29DE89F277BB9EBC9B51F10416CF445C6250DB62E8409660
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesW.KERNELBASE(?,00FFE7C1), ref: 010246A6
              • FindFirstFileW.KERNELBASE(?,?), ref: 010246B7
              • FindClose.KERNEL32(00000000), ref: 010246C7
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: 98f695f24a7162bf5592fda5b50f996975b82b070988eab912f594d882d43c4c
              • Instruction ID: 37b3ec92f0c7a9fb64fec5ccdcdbfaab8485a39dea77a20cd78a3c3be65af292
              • Opcode Fuzzy Hash: 98f695f24a7162bf5592fda5b50f996975b82b070988eab912f594d882d43c4c
              • Instruction Fuzzy Hash: 16E0D875910411DB4231663CED8D4EA779C9E09235F000746F9B5C10D0EBB459508696
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              • Variable must be of type 'Object'., xrefs: 0100428C
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID:
              • String ID: Variable must be of type 'Object'.
              • API String ID: 0-109567571
              • Opcode ID: ee970642016b393da27784e0135e06b42fc9c2ab0faca62079d49b0576fc8be4
              • Instruction ID: 5297ed4cb34d90b38388de7a2cd839747039477521cac9ddf7be36d49587ccc5
              • Opcode Fuzzy Hash: ee970642016b393da27784e0135e06b42fc9c2ab0faca62079d49b0576fc8be4
              • Instruction Fuzzy Hash: D4A27A75E00206CFDB24CF58C682FADB7B2BB48310F24806DE956AB355D735AC46EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD0BBB
              • timeGetTime.WINMM ref: 00FD0E76
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD0FB3
              • TranslateMessage.USER32(?), ref: 00FD0FC7
              • DispatchMessageW.USER32(?), ref: 00FD0FD5
              • Sleep.KERNEL32(0000000A), ref: 00FD0FDF
              • LockWindowUpdate.USER32(00000000,?,?), ref: 00FD105A
              • DestroyWindow.USER32 ref: 00FD1066
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FD1080
              • Sleep.KERNEL32(0000000A,?,?), ref: 010052AD
              • TranslateMessage.USER32(?), ref: 0100608A
              • DispatchMessageW.USER32(?), ref: 01006098
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 010060AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
              • API String ID: 4003667617-3242690629
              • Opcode ID: 44bd5c1be8751ac5c75dc2eceebaf31c82cbae21e20fc6bf7a49a640ee68bc21
              • Instruction ID: 8b04431ff4398230f04665b2b3875a3a2e1a2cdb1515d251b7b6e5a7ada5dd0a
              • Opcode Fuzzy Hash: 44bd5c1be8751ac5c75dc2eceebaf31c82cbae21e20fc6bf7a49a640ee68bc21
              • Instruction Fuzzy Hash: 61B2B070608342DFE725DB24C885BAEBBE5BF84304F18495EE5C987291DB79E844DF82
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 010291E9: __time64.LIBCMT ref: 010291F3
                • Part of subcall function 00FC5045: _fseek.LIBCMT ref: 00FC505D
              • __wsplitpath.LIBCMT ref: 010294BE
                • Part of subcall function 00FE432E: __wsplitpath_helper.LIBCMT ref: 00FE436E
              • _wcscpy.LIBCMT ref: 010294D1
              • _wcscat.LIBCMT ref: 010294E4
              • __wsplitpath.LIBCMT ref: 01029509
              • _wcscat.LIBCMT ref: 0102951F
              • _wcscat.LIBCMT ref: 01029532
                • Part of subcall function 0102922F: _memmove.LIBCMT ref: 01029268
                • Part of subcall function 0102922F: _memmove.LIBCMT ref: 01029277
              • _wcscmp.LIBCMT ref: 01029479
                • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AAE
                • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AC1
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010296DC
              • _wcsncpy.LIBCMT ref: 0102974F
              • DeleteFileW.KERNEL32(?,?), ref: 01029785
              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0102979B
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010297AC
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010297BE
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: 88d7ee2cdd6d331282bad9cc486da692ce82f6564673c321b0184e691e4f043d
              • Instruction ID: b8e90ea47ff0496a2bf5425723b75d4fc1dc49c3c4f714dde03f48f4eca41ad6
              • Opcode Fuzzy Hash: 88d7ee2cdd6d331282bad9cc486da692ce82f6564673c321b0184e691e4f043d
              • Instruction Fuzzy Hash: 2AC15DB1E0022AABCF21DF95CD85EDEB7BCEF44304F0040AAE649E7141DB359A848F65
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00FC3074
              • RegisterClassExW.USER32(00000030), ref: 00FC309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
              • LoadIconW.USER32(000000A9), ref: 00FC30F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 8a27e20540b7131c8287b2abc19cace4abe5b7bd4df7980aab1279f42a57b817
              • Instruction ID: 695f17142e0a1e6b64fc7be33f82380ae43c24dd97ade277a3552591a2e83e0a
              • Opcode Fuzzy Hash: 8a27e20540b7131c8287b2abc19cace4abe5b7bd4df7980aab1279f42a57b817
              • Instruction Fuzzy Hash: 4E3147B585430AEFDB20DFA8D989ACDBBF0FB09310F15426AE5D0E6284D3BA4585CF51
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00FC3074
              • RegisterClassExW.USER32(00000030), ref: 00FC309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
              • LoadIconW.USER32(000000A9), ref: 00FC30F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: b285edccb5b4f0d2f341bfa5233c8fc22144fa6698f60ced5f9272cefc06cadf
              • Instruction ID: 6d8b39a90248ac08144463e153dd49d5553cc1a1e3346973c19726ff9e3a23f2
              • Opcode Fuzzy Hash: b285edccb5b4f0d2f341bfa5233c8fc22144fa6698f60ced5f9272cefc06cadf
              • Instruction Fuzzy Hash: 3E2115F5914209EFDB20DFA8E988B8DBBF4FB08700F00421AF994E6284D7BB05448F91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 00FC4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010862F8,?,00FC37C0,?), ref: 00FC4882
                • Part of subcall function 00FE074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FC72C5), ref: 00FE0771
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FC7308
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FFECF1
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FFED32
              • RegCloseKey.ADVAPI32(?), ref: 00FFED70
              • _wcscat.LIBCMT ref: 00FFEDC9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: fb1fd5f2f89fe7030cac48a9975df9723344ae5a8130a05e43dc6bc5d5c92ddc
              • Instruction ID: 3ddc24607fafa7327b665c54c71b2f05123a0ad348ca36ddea72f4145ced300d
              • Opcode Fuzzy Hash: fb1fd5f2f89fe7030cac48a9975df9723344ae5a8130a05e43dc6bc5d5c92ddc
              • Instruction Fuzzy Hash: 7A718C714083069EC324EF25ED829AFBBE8FF84750F50442EF5C587168EB3A9948DB52
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00FC3A62
              • LoadCursorW.USER32(00000000,00007F00), ref: 00FC3A71
              • LoadIconW.USER32(00000063), ref: 00FC3A88
              • LoadIconW.USER32(000000A4), ref: 00FC3A9A
              • LoadIconW.USER32(000000A2), ref: 00FC3AAC
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC3AD2
              • RegisterClassExW.USER32(?), ref: 00FC3B28
                • Part of subcall function 00FC3041: GetSysColorBrush.USER32(0000000F), ref: 00FC3074
                • Part of subcall function 00FC3041: RegisterClassExW.USER32(00000030), ref: 00FC309E
                • Part of subcall function 00FC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
                • Part of subcall function 00FC3041: InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
                • Part of subcall function 00FC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
                • Part of subcall function 00FC3041: LoadIconW.USER32(000000A9), ref: 00FC30F2
                • Part of subcall function 00FC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: ae247be6ec55a72f8f53348ebbfe315be81a057ccf0b3053a9d73e5a245f56b2
              • Instruction ID: 550980d93bf49826335b1a934824ba6877e06b94d8f141326e04c16ebeb47cc8
              • Opcode Fuzzy Hash: ae247be6ec55a72f8f53348ebbfe315be81a057ccf0b3053a9d73e5a245f56b2
              • Instruction Fuzzy Hash: E5216DB5D04305AFEB20DFA8E949B9D7BB4FB08710F014199F580AA294C3BF55549F80
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

               • Graph rendering not reproduced in text; first basic block fc3633-fc3681, with blocks calling DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus.
              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 00FC36D2
              • KillTimer.USER32(?,00000001), ref: 00FC36FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC372A
              • CreatePopupMenu.USER32 ref: 00FC373E
              • PostQuitMessage.USER32(00000000), ref: 00FC375F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated
              • API String ID: 129472671-2362178303
              • Opcode ID: 45b6d7d708c5d502dd9899b82c489eb0771d8099f8e59c56387f9bac9699dc03
              • Instruction ID: cb74036093f0342933421f5538f685afba281c9a84cf58eb8cfd9794ee107e12
              • Opcode Fuzzy Hash: 45b6d7d708c5d502dd9899b82c489eb0771d8099f8e59c56387f9bac9699dc03
              • Instruction Fuzzy Hash: 3041F8F2618107BBDB24AB68EE4BF7D3755FB00390F14411DF68686295CA6F9D00B7A1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
              • API String ID: 1825951767-3513169116
              • Opcode ID: 2fe5ee34ba3a5e2832d734ea3d1e362594f1aa26b1036f9113114c3e8442ede0
              • Instruction ID: 42d73942faf3f7e099cb60b71ace65c8f5adcaddd310caa40fc04a71464456fe
              • Opcode Fuzzy Hash: 2fe5ee34ba3a5e2832d734ea3d1e362594f1aa26b1036f9113114c3e8442ede0
              • Instruction Fuzzy Hash: E6A17E72C0422E9ACB14EBA1CD96FEEB778BF14340F04442DF452A7191DF796A09EB60
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

               • Graph rendering not reproduced in text; single basic block fc39e7-fc3a57, calling CreateWindowExW twice and ShowWindow twice.
              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC3A15
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3A36
              • ShowWindow.USER32(00000000,?,?), ref: 00FC3A4A
              • ShowWindow.USER32(00000000,?,?), ref: 00FC3A53
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 646e8708ae788bc3332677d1b1e664ab5b19ca07c9a11129a261167811363c6b
              • Instruction ID: 7ebdb3b6ecf06439ea5d9d9ed5fc68bd8a8a48cfb515acc314752cfa6fe6d04b
              • Opcode Fuzzy Hash: 646e8708ae788bc3332677d1b1e664ab5b19ca07c9a11129a261167811363c6b
              • Instruction Fuzzy Hash: 70F03AB46442A07FEA305667AC48F2B3E7DE7C6F51B02006EB980E6154C2AF0810CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

               • Graph rendering not reproduced in text; first basic block fc410d-fc4123, with blocks calling LoadStringW and Shell_NotifyIconW.
              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FFD5EC
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              • _memset.LIBCMT ref: 00FC418D
              • _wcscpy.LIBCMT ref: 00FC41E1
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FC41F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: a77c837405a3dd1097a038d360eeaf050098d827406eb49a3b78065598649046
              • Instruction ID: 24e9563eebccdcd3d755366eb59b60df959d11939afaa08e39a5d241782725ec
              • Opcode Fuzzy Hash: a77c837405a3dd1097a038d360eeaf050098d827406eb49a3b78065598649046
              • Instruction Fuzzy Hash: 1431DE71408306AAD331FB60DE47FDE77E8AF44310F14491EB1C492092EF79A648EB92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

               • Graph rendering not reproduced in text; first basic block fe564d-fe5666, internal calls only (no Win32 API calls named in the graph).
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction ID: 8fbf7aabba6e59a3e66e9ebb07997f9bb5e4f8291921101491087935e54d3118
              • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
              • Instruction Fuzzy Hash: A751D631E00B89DBDB249F7BCC8466E77A1AF40B38F248729F835962D1D7749D60AB50
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

               • Graph rendering not reproduced in text; first basic block fc69ca-fc69f1 (call fc4f3d), internal calls only (no Win32 API calls named in the graph).
              APIs
                • Part of subcall function 00FC4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4F6F
              • _free.LIBCMT ref: 00FFE68C
              • _free.LIBCMT ref: 00FFE6D3
                • Part of subcall function 00FC6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FC6D0D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: 192cc4c49b38670e01f25ca37508027892f18472573d2df61665f2ad1d940de6
              • Instruction ID: d894aaac13a131cf341749d6745c481dc230da8b20d7a352b559d5710ea98645
              • Opcode Fuzzy Hash: 192cc4c49b38670e01f25ca37508027892f18472573d2df61665f2ad1d940de6
              • Instruction Fuzzy Hash: 9B917C7191021EAFCF04EFA4CD91AEDB7B4FF19314B04446DE955EB2A1DB34A904EB60
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

               • Graph rendering not reproduced in text; first basic block fc35b0-fc35bb, with blocks calling RegOpenKeyExW, RegQueryValueExW and RegCloseKey.
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FC35A1,SwapMouseButtons,00000004,?), ref: 00FC35D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FC35A1,SwapMouseButtons,00000004,?,?,?,?,00FC2754), ref: 00FC35F5
              • RegCloseKey.KERNELBASE(00000000,?,?,00FC35A1,SwapMouseButtons,00000004,?,?,?,?,00FC2754), ref: 00FC3617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 846fc89c7d1c62e6dba3e3aaec79be5112a943407fee046c241046e3c3151073
              • Instruction ID: 51b0b8de385be5e9a5db51853e5b14600c4ace1cc4d39fca8759814c0e0a5163
              • Opcode Fuzzy Hash: 846fc89c7d1c62e6dba3e3aaec79be5112a943407fee046c241046e3c3151073
              • Instruction Fuzzy Hash: EE115AB5910209BFDB208F68D985EEEB7B8EF44790F018459F805D7200D2729F40B760
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC5045: _fseek.LIBCMT ref: 00FC505D
                • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AAE
                • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AC1
              • _free.LIBCMT ref: 0102992C
              • _free.LIBCMT ref: 01029933
              • _free.LIBCMT ref: 0102999E
                • Part of subcall function 00FE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE9C64), ref: 00FE2FA9
                • Part of subcall function 00FE2F95: GetLastError.KERNEL32(00000000,?,00FE9C64), ref: 00FE2FBB
              • _free.LIBCMT ref: 010299A6
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction ID: 67db03b5e7cc8cf04c06ad7dab76d941683f5e4a7cf60b32a82b1c797136cfbf
              • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction Fuzzy Hash: A55183B1E04269AFDF249F64CC81B9EBBB9EF48314F00009EF649A7241DB755980CF58
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
              • Instruction ID: e1889389d640fa65a9388f781399392d8cd151b699414527d1cf581cba6bc81c
              • Opcode Fuzzy Hash: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
              • Instruction Fuzzy Hash: 66412771A007869BDF28CEABC8809AF77A6EF84770B24817DE855D7641D738FD40AB44
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00FFEE62
              • GetOpenFileNameW.COMDLG32(?), ref: 00FFEEAC
                • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
                • Part of subcall function 00FE09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 01029B82
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01029B99
              Strings
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FE03D3
                • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FE03DB
                • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FE03E6
                • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FE03F1
                • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FE03F9
                • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE0401
                • Part of subcall function 00FD6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FCFA90), ref: 00FD62B4
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FCFB2D
              • OleInitialize.OLE32(00000000), ref: 00FCFBAA
              • CloseHandle.KERNEL32(00000000), ref: 010049F2
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID:
              • API String ID: 1986988660-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00FC4401
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC44A6
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC44C3
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00FE5963
                • Part of subcall function 00FEA3AB: __NMSG_WRITE.LIBCMT ref: 00FEA3D2
                • Part of subcall function 00FEA3AB: __NMSG_WRITE.LIBCMT ref: 00FEA3DC
              • __NMSG_WRITE.LIBCMT ref: 00FE596A
                • Part of subcall function 00FEA408: GetModuleFileNameW.KERNEL32(00000000,010843BA,00000104,?,00000001,00000000), ref: 00FEA49A
                • Part of subcall function 00FEA408: ___crtMessageBoxW.LIBCMT ref: 00FEA548
                • Part of subcall function 00FE32DF: ___crtCorExitProcess.LIBCMT ref: 00FE32E5
                • Part of subcall function 00FE32DF: ExitProcess.KERNEL32 ref: 00FE32EE
                • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
              • RtlAllocateHeap.NTDLL(01820000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,010297D2,?,?,?,?,?,00000004), ref: 01029B45
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,010297D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 01029B5B
              • CloseHandle.KERNEL32(00000000,?,010297D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01029B62
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _free.LIBCMT ref: 01028FA5
                • Part of subcall function 00FE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE9C64), ref: 00FE2FA9
                • Part of subcall function 00FE2F95: GetLastError.KERNEL32(00000000,?,00FE9C64), ref: 00FE2FBB
              • _free.LIBCMT ref: 01028FB6
              • _free.LIBCMT ref: 01028FC8
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: _memmove
              • String ID: EA06
              • API String ID: 4104443479-3962188686
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsThemeActive.UXTHEME ref: 00FC4992
                • Part of subcall function 00FE35AC: __lock.LIBCMT ref: 00FE35B2
                • Part of subcall function 00FE35AC: DecodePointer.KERNEL32(00000001,?,00FC49A7,010181BC), ref: 00FE35BE
                • Part of subcall function 00FE35AC: EncodePointer.KERNEL32(?,?,00FC49A7,010181BC), ref: 00FE35C9
                • Part of subcall function 00FC4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FC4A73
                • Part of subcall function 00FC4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FC4A88
                • Part of subcall function 00FC3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC3B7A
                • Part of subcall function 00FC3B4C: IsDebuggerPresent.KERNEL32 ref: 00FC3B8C
                • Part of subcall function 00FC3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,010862F8,010862E0,?,?), ref: 00FC3BFD
                • Part of subcall function 00FC3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00FC3C81
              • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00FC49D2
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 1438897964-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00FC5981,?,?,?,?), ref: 00FC5E27
              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00FC5981,?,?,?,?), ref: 00FFE19C
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FE594C: __FF_MSGBANNER.LIBCMT ref: 00FE5963
                • Part of subcall function 00FE594C: __NMSG_WRITE.LIBCMT ref: 00FE596A
                • Part of subcall function 00FE594C: RtlAllocateHeap.NTDLL(01820000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F
              • std::exception::exception.LIBCMT ref: 00FE102C
              • __CxxThrowException@8.LIBCMT ref: 00FE1041
                • Part of subcall function 00FE87DB: RaiseException.KERNEL32(?,?,?,0107BAF8,00000000,?,?,?,?,00FE1046,?,0107BAF8,?,00000001), ref: 00FE8830
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: __lock_file_memset
              • String ID:
              • API String ID: 26237723-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
              • __lock_file.LIBCMT ref: 00FE561B
                • Part of subcall function 00FE6E4E: __lock.LIBCMT ref: 00FE6E71
              • __fclose_nolock.LIBCMT ref: 00FE5626
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0

              APIs
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00FC558F,?,?,?,?,?), ref: 00FC81DA
              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00FC558F,?,?,?,?,?), ref: 00FC820D
                • Part of subcall function 00FC78AD: _memmove.LIBCMT ref: 00FC78E9
              Similarity
              • API ID: ByteCharMultiWide$_memmove
              • String ID:
              • API String ID: 3033907384-0

              APIs
              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00FC5CF6
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0

              APIs
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0

              APIs
                • Part of subcall function 00FC4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00FC4D4D
                • Part of subcall function 00FE548B: __wfsopen.LIBCMT ref: 00FE5496
              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4F6F
                • Part of subcall function 00FC4CC8: FreeLibrary.KERNEL32(00000000), ref: 00FC4D02
                • Part of subcall function 00FC4DD0: _memmove.LIBCMT ref: 00FC4E1A
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0

              APIs
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0

              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0

              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4
              Similarity
              • API ID: LongNamePath
              • String ID:
              • API String ID: 82841172-0

              APIs
              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00FC5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00FC5D76
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0

              APIs
              • __lock_file.LIBCMT ref: 00FE4AD6
                • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0

              APIs
              • FreeLibrary.KERNEL32(?,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4FDE
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0

              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0

              APIs
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0

              APIs
              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00FFE16B,?,?,00000000), ref: 00FC5DBF
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0

              APIs
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0

              APIs
              • GetTempPathW.KERNELBASE(00000104,?), ref: 0100221A
              Similarity
              • API ID: PathTemp
              • String ID:
              • API String ID: 2920410445-0
              • Opcode ID: b92ecb0de9d8a844e977b1f0cae787e5afc9a3e32b79e30edc8e7f9f535dafa2
              • Instruction ID: 00a6d6629590d338d26a35537d9539abc8d760d1d9793c0dcc7dcfed69efbc2b
              • Opcode Fuzzy Hash: b92ecb0de9d8a844e977b1f0cae787e5afc9a3e32b79e30edc8e7f9f535dafa2
              • Instruction Fuzzy Hash: ECC09B7445401A9FF725A754CDD5ABC733CFF00701F0000D5718591080DAF45B80CF11
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLastError.KERNEL32(00000002,00000000), ref: 0102D46A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorLast
              • String ID:
              • API String ID: 1452528299-0
              • Opcode ID: da8c174955e33872f040faf99e0cbab9f71fa0aefc425181fab7658de40651b7
              • Instruction ID: ac1f78c35e8e417bf09744457658355e107d7f20729dbc24c88ff760e764a79f
              • Opcode Fuzzy Hash: da8c174955e33872f040faf99e0cbab9f71fa0aefc425181fab7658de40651b7
              • Instruction Fuzzy Hash: 2E7161302083128FC714EF68C991FAAB7E0AF88714F04456DF5968B291DF78ED49DB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0104CE50
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104CE91
              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0104CED6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104CF00
              • SendMessageW.USER32 ref: 0104CF29
              • _wcsncpy.LIBCMT ref: 0104CFA1
              • GetKeyState.USER32(00000011), ref: 0104CFC2
              • GetKeyState.USER32(00000009), ref: 0104CFCF
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104CFE5
              • GetKeyState.USER32(00000010), ref: 0104CFEF
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104D018
              • SendMessageW.USER32 ref: 0104D03F
              • SendMessageW.USER32(?,00001030,?,0104B602), ref: 0104D145
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0104D15B
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0104D16E
              • SetCapture.USER32(?), ref: 0104D177
              • ClientToScreen.USER32(?,?), ref: 0104D1DC
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0104D1E9
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0104D203
              • ReleaseCapture.USER32 ref: 0104D20E
              • GetCursorPos.USER32(?), ref: 0104D248
              • ScreenToClient.USER32(?,?), ref: 0104D255
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0104D2B1
              • SendMessageW.USER32 ref: 0104D2DF
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0104D31C
              • SendMessageW.USER32 ref: 0104D34B
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0104D36C
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0104D37B
              • GetCursorPos.USER32(?), ref: 0104D39B
              • ScreenToClient.USER32(?,?), ref: 0104D3A8
              • GetParent.USER32(?), ref: 0104D3C8
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0104D431
              • SendMessageW.USER32 ref: 0104D462
              • ClientToScreen.USER32(?,?), ref: 0104D4C0
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0104D4F0
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0104D51A
              • SendMessageW.USER32 ref: 0104D53D
              • ClientToScreen.USER32(?,?), ref: 0104D58F
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0104D5C3
                • Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC
              • GetWindowLongW.USER32(?,000000F0), ref: 0104D65F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F
              • API String ID: 3977979337-4164748364
              • Opcode ID: ac525ef531fe3aa90499ba84c21edd31074934b4a9b4a202b9f2072b7072d049
              • Instruction ID: cf7a391e6659eaa18b4db3871dbb4860fb414c74fcaf84db2daa78508a55fc03
              • Opcode Fuzzy Hash: ac525ef531fe3aa90499ba84c21edd31074934b4a9b4a202b9f2072b7072d049
              • Instruction Fuzzy Hash: 2D42BEB4205241AFE725DF68C984FAABFE5FF48354F04056DF6D5872A1C736A840CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0104873F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d
              • API String ID: 3850602802-328681919
              • Opcode ID: 4f19cd9d3ab2d20bb423459ed0cc58e1ae6228f795d9668c1bf3d9c073649047
              • Instruction ID: d76cf44dc4275493cfdcfb024a090ded35eb1490b16b901f724a6f9dfbf180d4
              • Opcode Fuzzy Hash: 4f19cd9d3ab2d20bb423459ed0cc58e1ae6228f795d9668c1bf3d9c073649047
              • Instruction Fuzzy Hash: 8E1213B0500245ABEB259FA8CD89FAE7BF8FF49750F00856AFA95EA191DB748540CB10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
              • API String ID: 1357608183-1798697756
              • Opcode ID: af6937b09511c39889588a2e3751a1cd7b8400b7facfab1d037aabcae3de7fe5
              • Instruction ID: 94fe261d8f19de269f3eca581cbdbd4c11bd9119e01c993aa6ff0a4a9b65a679
              • Opcode Fuzzy Hash: af6937b09511c39889588a2e3751a1cd7b8400b7facfab1d037aabcae3de7fe5
              • Instruction Fuzzy Hash: A8939171E00215DBDB24DF98C8817ADB7F1FF48320F2885AAE985EB395E7749981DB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 00FC4A3D
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FFDA8E
              • IsIconic.USER32(?), ref: 00FFDA97
              • ShowWindow.USER32(?,00000009), ref: 00FFDAA4
              • SetForegroundWindow.USER32(?), ref: 00FFDAAE
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FFDAC4
              • GetCurrentThreadId.KERNEL32 ref: 00FFDACB
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FFDAD7
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFDAE8
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFDAF0
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00FFDAF8
              • SetForegroundWindow.USER32(?), ref: 00FFDAFB
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB10
              • keybd_event.USER32(00000012,00000000), ref: 00FFDB1B
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB25
              • keybd_event.USER32(00000012,00000000), ref: 00FFDB2A
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB33
              • keybd_event.USER32(00000012,00000000), ref: 00FFDB38
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB42
              • keybd_event.USER32(00000012,00000000), ref: 00FFDB47
              • SetForegroundWindow.USER32(?), ref: 00FFDB4A
              • AttachThreadInput.USER32(?,?,00000000), ref: 00FFDB71
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: 2083cab603aae1556ece71562a545e63597b45ebb9a712245bafcf7b99d075a3
              • Instruction ID: 14f72b0facbe07754ba3db60e6e61433e768529b22ed09ef54b63158d704d455
              • Opcode Fuzzy Hash: 2083cab603aae1556ece71562a545e63597b45ebb9a712245bafcf7b99d075a3
              • Instruction Fuzzy Hash: D7319FB5A8031CBBEB306FA59D89F7F3E6CEF44B60F104015FB00EA190C6B55900ABA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 01018CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
                • Part of subcall function 01018CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
                • Part of subcall function 01018CC3: GetLastError.KERNEL32 ref: 01018D47
              • _memset.LIBCMT ref: 0101889B
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010188ED
              • CloseHandle.KERNEL32(?), ref: 010188FE
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 01018915
              • GetProcessWindowStation.USER32 ref: 0101892E
              • SetProcessWindowStation.USER32(00000000), ref: 01018938
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01018952
                • Part of subcall function 01018713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01018851), ref: 01018728
                • Part of subcall function 01018713: CloseHandle.KERNEL32(?,?,01018851), ref: 0101873A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: 4d23d48e9862bc8c8ce690280f6e99cbe4578251b8dcc35a2ec966f13d89bdfb
              • Instruction ID: f2d3a18f4916b2dc3e1a93db0dfca67da4432a8bfc9c5aac7206bb24898925b7
              • Opcode Fuzzy Hash: 4d23d48e9862bc8c8ce690280f6e99cbe4578251b8dcc35a2ec966f13d89bdfb
              • Instruction Fuzzy Hash: 36814FB6D0024ABFEF11DFA8DD44AEE7BB8FF05305F08815AF990A6154D7398A14DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenClipboard.USER32(0104F910), ref: 01034284
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 01034292
              • GetClipboardData.USER32(0000000D), ref: 0103429A
              • CloseClipboard.USER32 ref: 010342A6
              • GlobalLock.KERNEL32(00000000), ref: 010342C2
              • CloseClipboard.USER32 ref: 010342CC
              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 010342E1
              • IsClipboardFormatAvailable.USER32(00000001), ref: 010342EE
              • GetClipboardData.USER32(00000001), ref: 010342F6
              • GlobalLock.KERNEL32(00000000), ref: 01034303
              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 01034337
              • CloseClipboard.USER32 ref: 01034447
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: e28a9b5ff094c309f25d7cae2b2ac6b647dcdfb2250f66e6a6a4a28474e3dc27
              • Instruction ID: 2d3aa62b0cd9c0d04471d6c602c5da866f350841dd73c84835b4a5c419731c37
              • Opcode Fuzzy Hash: e28a9b5ff094c309f25d7cae2b2ac6b647dcdfb2250f66e6a6a4a28474e3dc27
              • Instruction Fuzzy Hash: 58518FB9204303ABD311AF69EE86F6E77ACAF84B00F004529F5D6D6191DF79D9048B62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0102C9F8
              • FindClose.KERNEL32(00000000), ref: 0102CA4C
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102CA71
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102CA88
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0102CAAF
              • __swprintf.LIBCMT ref: 0102CAFB
              • __swprintf.LIBCMT ref: 0102CB3E
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
              • __swprintf.LIBCMT ref: 0102CB92
                • Part of subcall function 00FE38D8: __woutput_l.LIBCMT ref: 00FE3931
              • __swprintf.LIBCMT ref: 0102CBE0
                • Part of subcall function 00FE38D8: __flsbuf.LIBCMT ref: 00FE3953
                • Part of subcall function 00FE38D8: __flsbuf.LIBCMT ref: 00FE396B
              • __swprintf.LIBCMT ref: 0102CC2F
              • __swprintf.LIBCMT ref: 0102CC7E
              • __swprintf.LIBCMT ref: 0102CCCD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: c1e10f2127ab2917a274ded19ce4acc0b80eec05fecd2deba20229771951605d
              • Instruction ID: 04800fd5ec1c840ba9d975b6d8d15e96aed7afb9b3e2009d7fd6e85c1f907847
              • Opcode Fuzzy Hash: c1e10f2127ab2917a274ded19ce4acc0b80eec05fecd2deba20229771951605d
              • Instruction Fuzzy Hash: 7CA15FB2408345ABD710EB65CE86EAFB7ECAF84700F40491DF585C3191EB78DA08DB62
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0102F221
              • _wcscmp.LIBCMT ref: 0102F236
              • _wcscmp.LIBCMT ref: 0102F24D
              • GetFileAttributesW.KERNEL32(?), ref: 0102F25F
              • SetFileAttributesW.KERNEL32(?,?), ref: 0102F279
              • FindNextFileW.KERNEL32(00000000,?), ref: 0102F291
              • FindClose.KERNEL32(00000000), ref: 0102F29C
              • FindFirstFileW.KERNEL32(*.*,?), ref: 0102F2B8
              • _wcscmp.LIBCMT ref: 0102F2DF
              • _wcscmp.LIBCMT ref: 0102F2F6
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0102F308
              • SetCurrentDirectoryW.KERNEL32(0107A5A0), ref: 0102F326
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0102F330
              • FindClose.KERNEL32(00000000), ref: 0102F33D
              • FindClose.KERNEL32(00000000), ref: 0102F34F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 60c071c229fd0a523425075cadbbba6cf034fa3a5a88ad1f9ad5fea67eea62dd
              • Instruction ID: 686070ed8eac03766aafa56be816abe9fc7ff8f429e043015ccfc10f2b6a7368
              • Opcode Fuzzy Hash: 60c071c229fd0a523425075cadbbba6cf034fa3a5a88ad1f9ad5fea67eea62dd
              • Instruction Fuzzy Hash: 5931F97660022B6FDB20DAB9DC9CEDE7BFC9F092A1F148195E980D3050EB35DA45CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040BDE
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0104F910,00000000,?,00000000,?,?), ref: 01040C4C
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01040C94
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01040D1D
              • RegCloseKey.ADVAPI32(?), ref: 0104103D
              • RegCloseKey.ADVAPI32(00000000), ref: 0104104A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 25362f91f9d0f4eecfd793fbe395624522fce6755e6cdbaf0cab4e741e84e3b1
              • Instruction ID: 5644c0fb82c1db8ac7f48d6071cf2f06e349d3268ace53f17e3408ee76d3b2dc
              • Opcode Fuzzy Hash: 25362f91f9d0f4eecfd793fbe395624522fce6755e6cdbaf0cab4e741e84e3b1
              • Instruction Fuzzy Hash: EB028D752046029FCB14EF29C985E2AB7E5FF88710F05846DF98A9B761CB79EC40DB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0102F37E
              • _wcscmp.LIBCMT ref: 0102F393
              • _wcscmp.LIBCMT ref: 0102F3AA
                • Part of subcall function 010245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010245DC
              • FindNextFileW.KERNEL32(00000000,?), ref: 0102F3D9
              • FindClose.KERNEL32(00000000), ref: 0102F3E4
              • FindFirstFileW.KERNEL32(*.*,?), ref: 0102F400
              • _wcscmp.LIBCMT ref: 0102F427
              • _wcscmp.LIBCMT ref: 0102F43E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0102F450
              • SetCurrentDirectoryW.KERNEL32(0107A5A0), ref: 0102F46E
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0102F478
              • FindClose.KERNEL32(00000000), ref: 0102F485
              • FindClose.KERNEL32(00000000), ref: 0102F497
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: e903157c0471cabe1a25a234ac2d283f1b97de4a99cf8da0490ca80ea98ae7bd
              • Instruction ID: 3939c2a3638435939f8bf36f501735eaf98bf1be64ee9c045d5c057bac3ef404
              • Opcode Fuzzy Hash: e903157c0471cabe1a25a234ac2d283f1b97de4a99cf8da0490ca80ea98ae7bd
              • Instruction Fuzzy Hash: C631FA7550122B6FDB20AA79DC88ADE7BFC9F092A1F144195E9C0D3090DB75DA44CB64
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
                • Part of subcall function 0101874A: GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
                • Part of subcall function 0101874A: GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
                • Part of subcall function 0101874A: HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
                • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D
                • Part of subcall function 010187E7: GetProcessHeap.KERNEL32(00000008,01018240,00000000,00000000,?,01018240,?), ref: 010187F3
                • Part of subcall function 010187E7: HeapAlloc.KERNEL32(00000000,?,01018240,?), ref: 010187FA
                • Part of subcall function 010187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01018240,?), ref: 0101880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0101825B
              • _memset.LIBCMT ref: 01018270
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101828F
              • GetLengthSid.ADVAPI32(?), ref: 010182A0
              • GetAce.ADVAPI32(?,00000000,?), ref: 010182DD
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010182F9
              • GetLengthSid.ADVAPI32(?), ref: 01018316
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01018325
              • HeapAlloc.KERNEL32(00000000), ref: 0101832C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101834D
              • CopySid.ADVAPI32(00000000), ref: 01018354
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01018385
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010183AB
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 010183BF
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 7d7c97a0aaa8a2bdcd1d8b958af619b8327b0464e6248441c246e5fdda5ad538
              • Instruction ID: cbc3c99b3c2c163c81f0aa440f22402fb584fbc30612cffd72df5bc753cf1182
              • Opcode Fuzzy Hash: 7d7c97a0aaa8a2bdcd1d8b958af619b8327b0464e6248441c246e5fdda5ad538
              • Instruction Fuzzy Hash: 0F617C7590020AAFDF14DFA8DD84AEEBBB9FF04200F04C15AF955A7294DB399A01DB60
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
              • API String ID: 0-4052911093
              • Opcode ID: d73192275475527b772414cfc022a9a27a5cebfc8bd198e66f15e2178d571af4
              • Instruction ID: e5c79fd77671ef6b50e43699bc5fdbddfce0d7b9d3d395c88f89725d30e1da84
              • Opcode Fuzzy Hash: d73192275475527b772414cfc022a9a27a5cebfc8bd198e66f15e2178d571af4
              • Instruction Fuzzy Hash: 81727271E00219DBDB18CF68D8807ADB7F6FF48310F1881AAE999EB394D7749941DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040737
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 010407D6
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0104086E
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01040AAD
              • RegCloseKey.ADVAPI32(00000000), ref: 01040ABA
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: 923e07b90a1672b3b6d2e638dfb02080ff336c966824e549391109d21781f97b
              • Instruction ID: f70d9755ba02cd4900e7ca3394f76d2c4441ee153bae463e918ddd4d3ef57441
              • Opcode Fuzzy Hash: 923e07b90a1672b3b6d2e638dfb02080ff336c966824e549391109d21781f97b
              • Instruction Fuzzy Hash: 9FE17D71204201AFCB14DF29C985E6ABBE8FF88714F04896DF58ADB265DB35ED01CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 01020241
              • GetAsyncKeyState.USER32(000000A0), ref: 010202C2
              • GetKeyState.USER32(000000A0), ref: 010202DD
              • GetAsyncKeyState.USER32(000000A1), ref: 010202F7
              • GetKeyState.USER32(000000A1), ref: 0102030C
              • GetAsyncKeyState.USER32(00000011), ref: 01020324
              • GetKeyState.USER32(00000011), ref: 01020336
              • GetAsyncKeyState.USER32(00000012), ref: 0102034E
              • GetKeyState.USER32(00000012), ref: 01020360
              • GetAsyncKeyState.USER32(0000005B), ref: 01020378
              • GetKeyState.USER32(0000005B), ref: 0102038A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 4e4376f95228cecdb01f4a859161e98994454f8e2af295aceb2d645ca9fe7fc6
              • Instruction ID: 16d72109504159aa8d68255a0692aa95314a5acb8e9e5675f0c02747c5431e97
              • Opcode Fuzzy Hash: 4e4376f95228cecdb01f4a859161e98994454f8e2af295aceb2d645ca9fe7fc6
              • Instruction Fuzzy Hash: 9241D9746047DA6FFFB28A6C84043A6BEE46F02340F08C0DEE6C6461C7E7A555C887A2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 4edd8424470326145187b7c63c67b6918bbfcc0992eb6f8fa72c19e5646d80ce
              • Instruction ID: ff00440354aff274a7889ec3aa26606ad20f242f3b4e5cee167302bf36aa03d2
              • Opcode Fuzzy Hash: 4edd8424470326145187b7c63c67b6918bbfcc0992eb6f8fa72c19e5646d80ce
              • Instruction Fuzzy Hash: A221C9793006129FDB219F69ED49F6E77A8EF44711F00805AF9C6CB2A5CB7AAD00CB54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
                • Part of subcall function 01024CD3: GetFileAttributesW.KERNEL32(?,01023947), ref: 01024CD4
              • FindFirstFileW.KERNEL32(?,?), ref: 01023ADF
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 01023B87
              • MoveFileW.KERNEL32(?,?), ref: 01023B9A
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 01023BB7
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 01023BD9
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 01023BF5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              • Opcode ID: e809285fdd4d1f4d859d581d2092fc540d561f50c790a3872bbc04e4bee407c0
              • Instruction ID: 8d728da8082c0e0aacb50baf8b73efd5e22c0386ce3ecf41c9f253a5613f705c
              • Opcode Fuzzy Hash: e809285fdd4d1f4d859d581d2092fc540d561f50c790a3872bbc04e4bee407c0
              • Instruction Fuzzy Hash: F851633180125E9ACF15FBA4CE93EEDB7B9AF18300F6441A9E58177091DF296F09DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0102F6AB
              • Sleep.KERNEL32(0000000A), ref: 0102F6DB
              • _wcscmp.LIBCMT ref: 0102F6EF
              • _wcscmp.LIBCMT ref: 0102F70A
              • FindNextFileW.KERNEL32(?,?), ref: 0102F7A8
              • FindClose.KERNEL32(00000000), ref: 0102F7BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              • Opcode ID: b96f26b71a3398369e53755199956d194531c205281088f395129195008c141f
              • Instruction ID: b4511ec4f0967d16eae9e63b47c205abb70f5c38c89cfd50c0269488e35bf9cb
              • Opcode Fuzzy Hash: b96f26b71a3398369e53755199956d194531c205281088f395129195008c141f
              • Instruction Fuzzy Hash: 6F41AF7190021B9FDF61EF68CD89EEEBBB4FF05350F14459AE894A3190DB359A44CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1546025612
              • Opcode ID: ce4d4ba344302b3f548ed25106c882fd932786b3949d59985f5d90bcc83d188c
              • Instruction ID: 6d0aed1e80f38552843c95dba0625cc776b3b4847f380836ce0cdb9abde9d2ca
              • Opcode Fuzzy Hash: ce4d4ba344302b3f548ed25106c882fd932786b3949d59985f5d90bcc83d188c
              • Instruction Fuzzy Hash: C5A27371D0021ACBEF25CF58C9907ADB7B2BF44314F1881AAD996A7380D734AD81EF51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: c2e79364b10affa515c9f27663765791ea0a369afa3862ce77f88e457dfef4e6
              • Instruction ID: d3cf0c596feb3439809623000febf15a9dc83b4fa80f432ab40f158443feb1d4
              • Opcode Fuzzy Hash: c2e79364b10affa515c9f27663765791ea0a369afa3862ce77f88e457dfef4e6
              • Instruction Fuzzy Hash: 8A12DE70A0060ADFDF14DFA5C981AEEB7F6FF48300F14412AE486A7255EB3AAD51DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 01018CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
                • Part of subcall function 01018CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
                • Part of subcall function 01018CC3: GetLastError.KERNEL32 ref: 01018D47
              • ExitWindowsEx.USER32(?,00000000), ref: 0102549B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: 609d7be520e32b907b5bc78627caeb05ccfc0700cdefe409fb7f77605f2dfcf1
              • Instruction ID: 418a9fd985b55aabd1ad42c4fb03464bd9f1e1d9ad76c31af52627156763ea5b
              • Opcode Fuzzy Hash: 609d7be520e32b907b5bc78627caeb05ccfc0700cdefe409fb7f77605f2dfcf1
              • Instruction Fuzzy Hash: 53014C71B562325BF778567CDC4ABFAF2A8EB0425BF140061FDC6D60C2DE954C004298
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • socket.WSOCK32(00000002,00000001,00000006), ref: 010365EF
              • WSAGetLastError.WSOCK32(00000000), ref: 010365FE
              • bind.WSOCK32(00000000,?,00000010), ref: 0103661A
              • listen.WSOCK32(00000000,00000005), ref: 01036629
              • WSAGetLastError.WSOCK32(00000000), ref: 01036643
              • closesocket.WSOCK32(00000000), ref: 01036657
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: af4e7968fa7737151c244c702d1442d8703d87b9c0b8002882b3898e6d7b186a
              • Instruction ID: 11e8c4d10e74779b4ffe6241e5017376a03e0c6286f5b1154717eb0dbabc26f0
              • Opcode Fuzzy Hash: af4e7968fa7737151c244c702d1442d8703d87b9c0b8002882b3898e6d7b186a
              • Instruction Fuzzy Hash: 4F21C375200211AFDB10EF68C989F6EB7E9EF89310F118159E996E72C1CB79AD00DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
              • _memmove.LIBCMT ref: 0101062F
              • _memmove.LIBCMT ref: 01010744
              • _memmove.LIBCMT ref: 010107EB
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 1300846289-0
              • Opcode ID: 2d0bd0cb506cae6fe4160692d8f56ad1ced91bd3a7c6ae0c69fc6366ab99ac78
              • Instruction ID: 818234a8f8e011390c694e351e11cbed824b95407c721fa405e3feb0e965a6b5
              • Opcode Fuzzy Hash: 2d0bd0cb506cae6fe4160692d8f56ad1ced91bd3a7c6ae0c69fc6366ab99ac78
              • Instruction Fuzzy Hash: D002AF70E00209DBDF04DF65D981AAEBBB5FF44300F1480A9F886DB259EB39DA51DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FC19FA
              • GetSysColor.USER32(0000000F), ref: 00FC1A4E
              • SetBkColor.GDI32(?,00000000), ref: 00FC1A61
                • Part of subcall function 00FC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FC12D8
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              • Opcode ID: e06de5c28f90fe10f5a008b3aa09b0fb121bda40bc8f05f05b6e044d7432903d
              • Instruction ID: 60dcac6c8343017f4a808803fcbbcebfbd4de1c7e473f93980601c454f91dc40
              • Opcode Fuzzy Hash: e06de5c28f90fe10f5a008b3aa09b0fb121bda40bc8f05f05b6e044d7432903d
              • Instruction Fuzzy Hash: 74A13BB250644BBAE734AA298E86FBF355CFF83361B14011DF542D5197CA2DCC21B2B1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 010380A0: inet_addr.WSOCK32(00000000), ref: 010380CB
              • socket.WSOCK32(00000002,00000002,00000011), ref: 01036AB1
              • WSAGetLastError.WSOCK32(00000000), ref: 01036ADA
              • bind.WSOCK32(00000000,?,00000010), ref: 01036B13
              • WSAGetLastError.WSOCK32(00000000), ref: 01036B20
              • closesocket.WSOCK32(00000000), ref: 01036B34
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              • Opcode ID: 5ea990b164cf006b5a803eb20f9651491d1da73bd9b919cdbfe05e383be22c97
              • Instruction ID: 5e3f3a81d71d31ed16d5df46e5d03533cfb8702d53b15bf5cadbdb36ed159ef6
              • Opcode Fuzzy Hash: 5ea990b164cf006b5a803eb20f9651491d1da73bd9b919cdbfe05e383be22c97
              • Instruction Fuzzy Hash: C341D475700611AFEB10AF68DD87F6E77E8DB44B10F04805CF95AAB3C2CAB99D019B91
              Uniqueness

              Uniqueness Score: -1.00%
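The sequence in this entry is socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) followed by bind with a 16-byte name (sizeof(sockaddr_in)), which is what the "open a port and listen for incoming connection" signature keys on. A datagram socket receives as soon as it is bound, so no listen call is expected. Because the report classifies the binary as a likely compiled AutoIt script, the interpreter's built-in networking code is present in the image whether or not the embedded script ever calls it; a static hit like this should be confirmed against the network behaviour section, not taken as proof that a port was opened at runtime. The Python below is an added example, not part of the Joe Sandbox report: it parses bullet lines in the form printed under "APIs" and classifies the socket sequence. The sample lines are copied from this entry; the constant tables cover only the Winsock families, types and protocols needed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "APIs" bullets of the entry above, copied verbatim.
API_LINES = """\
  • Part of subcall function 010380A0: inet_addr.WSOCK32(00000000), ref: 010380CB
• socket.WSOCK32(00000002,00000002,00000011), ref: 01036AB1
• WSAGetLastError.WSOCK32(00000000), ref: 01036ADA
• bind.WSOCK32(00000000,?,00000010), ref: 01036B13
• WSAGetLastError.WSOCK32(00000000), ref: 01036B20
• closesocket.WSOCK32(00000000), ref: 01036B34
"""

# One bullet: "<func>.<module>(<hex args>), ref: <call site>"; "?" marks an
# argument the sandbox could not resolve to a literal.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]         # None where the report prints "?"
    ref: Optional[int]                # call-site address in the dumped image
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16)
                for a in raw.split(",") if a.strip()]
        calls.append(ApiCall(
            func=m.group("func"), module=m.group("mod"), args=args,
            ref=int(m.group("ref"), 16) if m.group("ref") else None,
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls

# socket(af, type, protocol) constants from winsock2.h
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def classify_listener(calls: List[ApiCall]) -> Optional[dict]:
    """Decode the first socket() call and check whether it is bound/listened on later."""
    idx = next((i for i, c in enumerate(calls)
                if c.func == "socket" and len(c.args) >= 3), None)
    if idx is None:
        return None
    family, stype, proto = calls[idx].args[:3]
    later = calls[idx + 1:]
    bind = next((c for c in later if c.func == "bind"), None)
    info = {
        "family": AF.get(family, f"AF_{family}"),
        "type": SOCK_TYPE.get(stype, f"SOCK_{stype}"),
        "protocol": IPPROTO.get(proto, f"IPPROTO_{proto}"),
        "bound": bind is not None,
        "listens": any(c.func == "listen" for c in later),
        # bind's namelen: 16 is sizeof(sockaddr_in), 28 is sizeof(sockaddr_in6)
        "addrlen": bind.args[2] if bind and len(bind.args) >= 3 else None,
    }
    if info["bound"] and stype == 2:
        info["verdict"] = "udp-endpoint"        # datagram socket receives once bound
    elif info["bound"] and info["listens"]:
        info["verdict"] = "tcp-listener"
    elif info["bound"]:
        info["verdict"] = "tcp-bound-no-listen"
    else:
        info["verdict"] = "client-or-unbound"
    return info

if __name__ == "__main__":
    calls = parse_api_lines(API_LINES)
    for call in calls:
        print(call)
    print(classify_listener(calls))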


              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: 0c6ba2f2ff1c0ef33c991350af335a0866f2c2090dcab3a4529017aba78642f0
              • Instruction ID: cdecad418fbc24b8134fb1da9768c0e65accc14b1443b0cf249b530e14c1acbe
              • Opcode Fuzzy Hash: 0c6ba2f2ff1c0ef33c991350af335a0866f2c2090dcab3a4529017aba78642f0
              • Instruction Fuzzy Hash: C011C4B53005126FE7216F2AED85B2F7BD8EF48721F004079F986D7241CB799901CAA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoInitialize.OLE32(00000000), ref: 0102C69D
              • CoCreateInstance.OLE32(01052D6C,00000000,00000001,01052BDC,?), ref: 0102C6B5
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
              • CoUninitialize.OLE32 ref: 0102C922
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              • Opcode ID: 5b7b8ec9b1fd3fa00e24f41ca6f459f69271d40191baae30a5cbf1adf9cf892b
              • Instruction ID: a37d6b5d580fcba3039c69bc45ac0d9789697d2e82e10a154eac293cd047ce23
              • Opcode Fuzzy Hash: 5b7b8ec9b1fd3fa00e24f41ca6f459f69271d40191baae30a5cbf1adf9cf892b
              • Instruction Fuzzy Hash: 07A12B71108206AFD300EF64CD86EABB7ECEF94704F00495CF1969B191DBB5EA49DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,01001D88,?), ref: 0103C312
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0103C324
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              • Opcode ID: b7bfd4939f32a719189c1fd0dfd7bdd004432492a437b920ad822114fe921d5c
              • Instruction ID: 40edbbd27e4d94a04ec065bce403fa941952ea2782a458e9590f97154eca3de8
              • Opcode Fuzzy Hash: b7bfd4939f32a719189c1fd0dfd7bdd004432492a437b920ad822114fe921d5c
              • Instruction Fuzzy Hash: 97E0C2F8600303CFEB314F2EC654A5676D8EF49244B80C86EE8C5E6220E774D440CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __itow__swprintf
              • String ID:
              • API String ID: 674341424-0
              • Opcode ID: 349ff4fa9969f749814043608256d93e6a262671b2bc5796f35dd36985cfc38c
              • Instruction ID: a01408d7bc764e4b2ab223ee1cb3882b98f1bbee04edb1f2963b09d7db0a1c04
              • Opcode Fuzzy Hash: 349ff4fa9969f749814043608256d93e6a262671b2bc5796f35dd36985cfc38c
              • Instruction Fuzzy Hash: 9622AC715083029FD725DF28C881B6EB7E5AF84710F08491EF6CA97391DB79EA04DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 0103F151
              • Process32FirstW.KERNEL32(00000000,?), ref: 0103F15F
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
              • Process32NextW.KERNEL32(00000000,?), ref: 0103F21F
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0103F22E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              • Opcode ID: 16d31f0e3117a9a76ca501ab0d0f5f437b215ccfe91edfbb3dfe0851dce34373
              • Instruction ID: 6adf5865106df99ed537fce1726483b9c8b64f0b2a5ebf21400516673e7fb9bd
              • Opcode Fuzzy Hash: 16d31f0e3117a9a76ca501ab0d0f5f437b215ccfe91edfbb3dfe0851dce34373
              • Instruction Fuzzy Hash: 6C517C71508302AFD320EF24DD86F6BBBE8AF94B10F10481DF59597291EB74A908DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0101EB19
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: 9c9fb7998dcfd7a1576682584508fae2600774cb50efd8ccf09f328040b6ec3d
              • Instruction ID: b26db33889195eb5d1dfa31da0068ffb512770c78ad7bd6ef41c26896c46a2bd
              • Opcode Fuzzy Hash: 9c9fb7998dcfd7a1576682584508fae2600774cb50efd8ccf09f328040b6ec3d
              • Instruction Fuzzy Hash: D8323775A007059FDB29CF19C480A6AB7F1FF48320B15C5AEE99ADB3A5D770E981CB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 010326D5
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0103270C
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: 3533d870c81066f7cfe1a451e9b01deffcf53a2d827fbf6a43738ab8505ae3f0
              • Instruction ID: c8a82743eda69aaa03e3586e052f85ac36674788dffb5c9dbd68fb0ef6c998cb
              • Opcode Fuzzy Hash: 3533d870c81066f7cfe1a451e9b01deffcf53a2d827fbf6a43738ab8505ae3f0
              • Instruction Fuzzy Hash: 0741F375900209BFEB21DA59DD84EBFB7FCFF84724F0040AAF681A6140EB759E41A650
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0102B5AE
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0102B608
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0102B655
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 61fc4eb641d221a986bc50570dc1fdef5a9951ffc4c17543d8cf2a05472f20e6
              • Instruction ID: a27a5ea0a3137b503f3548f7ed8cbebe455fd9510af48fa5b3891837dc1c83b0
              • Opcode Fuzzy Hash: 61fc4eb641d221a986bc50570dc1fdef5a9951ffc4c17543d8cf2a05472f20e6
              • Instruction Fuzzy Hash: 30219D75A00519EFCB00EFA5D984EEEBBB8FF48310F0480A9E945AB351CB35A905CF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
              • GetLastError.KERNEL32 ref: 01018D47
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: e66b01a689c91c1f91832bec79c0b190bf10a0108888b7abb50c3cef02654fc9
              • Instruction ID: 97f06949b3006621c2cd7708e033babfa29bb43e7a8add5e6fbff29093e3c3dc
              • Opcode Fuzzy Hash: e66b01a689c91c1f91832bec79c0b190bf10a0108888b7abb50c3cef02654fc9
              • Instruction Fuzzy Hash: 5311BFB1414309AFE328AF58DC85D6BB7F9FB44710B10C52EF89683205EB74A9408B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0102404B
              • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 01024088
              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 01024091
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle
              • String ID:
              • API String ID: 33631002-0
              • Opcode ID: 63786eeb24ba6042bc4f869ee99f1e54509c31de85d9c64c0a5617903cdeb824
              • Instruction ID: bfd208df7a634348a006ba66b23d9460a964fadaeb38642e1589d0a2d53e02e0
              • Opcode Fuzzy Hash: 63786eeb24ba6042bc4f869ee99f1e54509c31de85d9c64c0a5617903cdeb824
              • Instruction Fuzzy Hash: B8117CB1D00239BEE7209AECDC84FAFBBBCEB08610F000656FA44E7181C2B9594487A1
              Uniqueness

              Uniqueness Score: -1.00%
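In this entry CreateFileW asks for desired access 0x80 (FILE_READ_ATTRIBUTES only), share mode 3, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, and the handle goes to DeviceIoControl with control code 0x002D1400. Decoding the CTL_CODE fields gives device type 0x2D (FILE_DEVICE_MASS_STORAGE), function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is IOCTL_STORAGE_QUERY_PROPERTY; the 12-byte input buffer matches sizeof(STORAGE_PROPERTY_QUERY). Opening a device without asking for read or write access to its contents is the documented way to issue query-only IOCTLs such as this one, so the call is a storage-property query (device or bus descriptor), not a write to the device, and the "communicate with device drivers" signature should be read in that light. The Python below is an added example, not part of the Joe Sandbox report: it decodes IOCTL values and the CreateFileW flag words as printed in the APIs list. The constant tables hold only the values needed here plus a few common neighbours; any bit outside them is reported as a hex remainder.

```python
from typing import Dict, List, Optional

# CTL_CODE(DeviceType, Function, Method, Access) from winioctl.h:
#   bits 31..16 device type | 15..14 required access | 13..2 function | 1..0 method
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    return (device_type << 16) | (access << 14) | (function << 2) | method

# Named codes, computed the same way the SDK headers define them.
KNOWN_IOCTLS = {
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
    ctl_code(0x2D, 0x0420, 0, 0): "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
}

def decode_ioctl(code: int) -> dict:
    dev, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    func, method = (code >> 2) & 0xFFF, code & 0x3
    return {"device_type": DEVICE_TYPES.get(dev, hex(dev)), "function": func,
            "method": METHODS[method], "access": ACCESS[access],
            "name": KNOWN_IOCTLS.get(code)}

# CreateFileW parameter words (winnt.h / fileapi.h values).
ACCESS_MASK = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA",
               0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES",
               0x20000: "READ_CONTROL", 0x100000: "SYNCHRONIZE",
               0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
               0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}

def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bitmask into the named bits of `table`; leftover bits become a hex tail."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names

def describe_device_open(create_args: List[Optional[int]],
                         ioctl_args: List[Optional[int]]) -> dict:
    """Arguments are the hex values as printed in the report (None where it prints '?')."""
    _, access, share, _, disp, flags, _ = create_args[:7]
    code, in_size, out_size = ioctl_args[1], ioctl_args[3], ioctl_args[5]
    ioctl = decode_ioctl(code)
    return {
        "desired_access": decode_flags(access, ACCESS_MASK),
        "share_mode": decode_flags(share, SHARE_MODE),
        "disposition": DISPOSITION.get(disp, hex(disp)),
        "flags": decode_flags(flags, FLAGS_ATTRS),
        "ioctl": ioctl["name"] or hex(code),
        "ioctl_fields": ioctl,
        # sizeof(STORAGE_PROPERTY_QUERY) == 12: PropertyId, QueryType, AdditionalParameters[1] + padding
        "in_is_storage_property_query": ioctl["name"] == "IOCTL_STORAGE_QUERY_PROPERTY" and in_size == 12,
        "out_size": out_size,
        # True if the open could read or write device contents (not just attributes)
        "data_access_requested": bool(access & (0x1 | 0x2 | 0x80000000 | 0x40000000)),
    }

# Arguments copied from the CreateFileW and DeviceIoControl lines of this entry.
CREATEFILE_ARGS = [None, 0x80, 0x3, 0x0, 0x3, 0x80, 0x0]
DEVIOCTL_ARGS = [0x0, 0x2D1400, 0x7, 0xC, None, 0xC, None, 0x0]

if __name__ == "__main__":
    for key, value in describe_device_open(CREATEFILE_ARGS, DEVIOCTL_ARGS).items():
        print(f"{key}: {value}")
```

The same decoder applies to any DeviceIoControl line in the report: a code whose device type is FILE_DEVICE_DISK with write access, or an unnamed code on FILE_DEVICE_UNKNOWN, deserves closer attention than a buffered storage query.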

              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01024C2C
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 01024C43
              • FreeSid.ADVAPI32(?), ref: 01024C53
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: ffa8cfe6bbd20d0c91a92372532dcf7b5967a96dd7e05e436f935a25ce6f5ae5
              • Instruction ID: a1b0f4fcd513d41c1f68377624c3015b73edb64253f0d9ff37d01260e1757e2b
              • Opcode Fuzzy Hash: ffa8cfe6bbd20d0c91a92372532dcf7b5967a96dd7e05e436f935a25ce6f5ae5
              • Instruction Fuzzy Hash: 09F04F7591130DBFDF14DFF4D989AAEBBBCEF08201F5044A9A501E2180D6756A048B50
              Uniqueness

              Uniqueness Score: -1.00%
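AllocateAndInitializeSid is called here with two sub-authorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID, 32) and 0x220 (DOMAIN_ALIAS_RID_ADMINS, 544). The first argument, printed as "?", is a pointer to the identifier authority; those RIDs are defined under SECURITY_NT_AUTHORITY (5), which gives S-1-5-32-544, BUILTIN\Administrators. CheckTokenMembership with a NULL token handle tests the calling thread's own token, so the three calls together are the standard "is the current user an administrator" check, which the "launch a program with higher privileges" signatures in this report should be read alongside. Caveat for anyone reproducing the result: under UAC an administrator's filtered token carries this group as deny-only, so the check reports FALSE until the process is elevated. The Python below is an added example, not part of the Joe Sandbox report: it builds and parses a SID in the binary layout AllocateAndInitializeSid produces, so the same value can be recognised in a memory dump such as the .sdmp files listed above. The authority value 5 is an assumption, since the report shows only a pointer.

```python
import struct
from typing import List, Optional

# Assumption: the report prints only a pointer for the identifier authority;
# RIDs 32 and 544 are defined under SECURITY_NT_AUTHORITY (5).
SECURITY_NT_AUTHORITY = 5
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 32
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 544

WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-1-0": "Everyone",
}

def build_sid(authority: int, subauthorities: List[int]) -> bytes:
    """Binary SID exactly as AllocateAndInitializeSid lays it out in memory:
    Revision (1 byte) | SubAuthorityCount (1) | IdentifierAuthority (6, big-endian)
    | SubAuthority[count] (4 bytes each, little-endian)."""
    if not 1 <= len(subauthorities) <= 15:
        raise ValueError("SID_MAX_SUB_AUTHORITIES is 15")
    return (bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauthorities))

def parse_sid(blob: bytes) -> str:
    """Inverse of build_sid; raises on a truncated or non-revision-1 blob."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]
    if not 1 <= count <= 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def is_valid_sid(blob: bytes) -> bool:
    try:
        parse_sid(blob)
        return True
    except ValueError:
        return False

def sid_from_allocate_args(args: List[Optional[int]], authority: int) -> str:
    """args = the AllocateAndInitializeSid argument list as printed in the report:
    (pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, ppSid)."""
    count = args[1]
    if count is None or not 1 <= count <= 8:
        raise ValueError("unresolved or out-of-range sub-authority count")
    subs = args[2:2 + count]
    if any(s is None for s in subs):
        raise ValueError("unresolved sub-authority value")
    return parse_sid(build_sid(authority, subs))

def find_sids(memory: bytes, authority: int = SECURITY_NT_AUTHORITY) -> List[str]:
    """Scan a memory blob for revision-1 SIDs under `authority` (for .sdmp triage)."""
    marker = authority.to_bytes(6, "big")
    found = []
    for i in range(len(memory) - 7):
        count = memory[i + 1]
        if memory[i] != 1 or not 1 <= count <= 15 or memory[i + 2:i + 8] != marker:
            continue
        candidate = memory[i:i + 8 + 4 * count]
        if is_valid_sid(candidate):
            found.append(parse_sid(candidate))
    return found

if __name__ == "__main__":
    # Argument list copied from the AllocateAndInitializeSid line of this entry.
    report_args = [None, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, None]
    sid = sid_from_allocate_args(report_args, SECURITY_NT_AUTHORITY)
    print(sid, WELL_KNOWN.get(sid), build_sid(SECURITY_NT_AUTHORITY, [32, 544]).hex())
```

Searching the dumped image for the 16-byte pattern 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 finds the same SID if it was ever materialised in memory, which is quicker than walking the call graph when all you want is to confirm which group the code checks.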

              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0effa848c7a6107863907d51b7cbc2a48dcc76f5865251bce444b459384c8f5c
              • Instruction ID: dd51dfcd61b2fca17bc32c948e80d40c6eeec90229df8f61c43261cef8826180
              • Opcode Fuzzy Hash: 0effa848c7a6107863907d51b7cbc2a48dcc76f5865251bce444b459384c8f5c
              • Instruction Fuzzy Hash: 1A22AD75E00216CFDB24DF58C682BAABBB0FF04310F14846DE9969B381D735A985EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 01024F55
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: mouse_event
              • String ID: DOWN
              • API String ID: 2434400541-711622031
              • Opcode ID: 88bbd8902e5fa89b9fda8dd0d1e4af77c0054c08023beb91385a65d191e85fca
              • Instruction ID: 1f014c770f08fdc9cab9f959315ed8c185247ca3a4ed43ac93b13e6c385a40f5
              • Opcode Fuzzy Hash: 88bbd8902e5fa89b9fda8dd0d1e4af77c0054c08023beb91385a65d191e85fca
              • Instruction Fuzzy Hash: 47E0CD7555C7B23CB99425197C0FEF713CC8B52131F11028AF990D50C1ED992C8215FC
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0102C966
              • FindClose.KERNEL32(00000000), ref: 0102C996
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 67155c26f9ed0075b050eaa3cd3876e890c3927671875a965440b7338ba93f84
              • Instruction ID: 1f45282fd0ea2f80dc9cc3b2f6e7eab774d90da47bcc0048eace0ce2b81707d4
              • Opcode Fuzzy Hash: 67155c26f9ed0075b050eaa3cd3876e890c3927671875a965440b7338ba93f84
              • Instruction Fuzzy Hash: D9118E766046119FD710EF29D949A2AF7E9EF84324F00851EF8A9C7291DB78AC00CB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0103977D,?,0104FB84,?), ref: 0102A302
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0103977D,?,0104FB84,?), ref: 0102A314
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: ca9420f4a99797674ea6f41933d8bc993e2c81d4fb69159c02159e0a1a8d8d9a
              • Instruction ID: f0804ff3c79286de3a0bdc51ba6936777327e160e4453cb8ce82ed3ffd2198db
              • Opcode Fuzzy Hash: ca9420f4a99797674ea6f41933d8bc993e2c81d4fb69159c02159e0a1a8d8d9a
              • Instruction Fuzzy Hash: 45F0893554422DE7D721AEA4CC49FEA776DBF08751F008155F948D7141DA749544CBE0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01018851), ref: 01018728
              • CloseHandle.KERNEL32(?,?,01018851), ref: 0101873A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FE8F97,?,?,?,00000001), ref: 00FEA39A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FEA3A3
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0

              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Similarity
              • API ID:
              • String ID:
              • API String ID:

              APIs
              • __time64.LIBCMT ref: 01028B25
                • Part of subcall function 00FE543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,010291F8,00000000,?,?,?,?,010293A9,00000000,?), ref: 00FE5443
                • Part of subcall function 00FE543A: __aulldiv.LIBCMT ref: 00FE5463
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID:
              • API String ID: 2893107130-0

              APIs
              • BlockInput.USER32(00000001), ref: 01034218
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0

              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,010188D1), ref: 01018CB3
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0

              APIs
              • GetUserNameW.ADVAPI32(?,?), ref: 01002242
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0

              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FEA36A
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0

              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Similarity
              • API ID:
              • String ID:
              • API String ID:

              APIs
              • DeleteObject.GDI32(00000000), ref: 01037B70
              • DeleteObject.GDI32(00000000), ref: 01037B82
              • DestroyWindow.USER32 ref: 01037B90
              • GetDesktopWindow.USER32 ref: 01037BAA
              • GetWindowRect.USER32(00000000), ref: 01037BB1
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 01037CF2
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 01037D02
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037D4A
              • GetClientRect.USER32(00000000,?), ref: 01037D56
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01037D90
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DB2
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DC5
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DD0
              • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DD9
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DE8
              • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DF1
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DF8
              • GlobalFree.KERNEL32(00000000), ref: 01037E03
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037E15
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01052CAC,00000000), ref: 01037E2B
              • GlobalFree.KERNEL32(00000000), ref: 01037E3B
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01037E61
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01037E80
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037EA2
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103808F
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609

              APIs
              • CharUpperBuffW.USER32(?,?,0104F910), ref: 010438AF
              • IsWindowVisible.USER32(?), ref: 010438D3
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045

              APIs
              • SetTextColor.GDI32(?,00000000), ref: 0104A89F
              • GetSysColorBrush.USER32(0000000F), ref: 0104A8D0
              • GetSysColor.USER32(0000000F), ref: 0104A8DC
              • SetBkColor.GDI32(?,000000FF), ref: 0104A8F6
              • SelectObject.GDI32(?,?), ref: 0104A905
              • InflateRect.USER32(?,000000FF,000000FF), ref: 0104A930
              • GetSysColor.USER32(00000010), ref: 0104A938
              • CreateSolidBrush.GDI32(00000000), ref: 0104A93F
              • FrameRect.USER32(?,?,00000000), ref: 0104A94E
              • DeleteObject.GDI32(00000000), ref: 0104A955
              • InflateRect.USER32(?,000000FE,000000FE), ref: 0104A9A0
              • FillRect.USER32(?,?,?), ref: 0104A9D2
              • GetWindowLongW.USER32(?,000000F0), ref: 0104A9FD
                • Part of subcall function 0104AB60: GetSysColor.USER32(00000012), ref: 0104AB99
                • Part of subcall function 0104AB60: SetTextColor.GDI32(?,?), ref: 0104AB9D
                • Part of subcall function 0104AB60: GetSysColorBrush.USER32(0000000F), ref: 0104ABB3
                • Part of subcall function 0104AB60: GetSysColor.USER32(0000000F), ref: 0104ABBE
                • Part of subcall function 0104AB60: GetSysColor.USER32(00000011), ref: 0104ABDB
                • Part of subcall function 0104AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104ABE9
                • Part of subcall function 0104AB60: SelectObject.GDI32(?,00000000), ref: 0104ABFA
                • Part of subcall function 0104AB60: SetBkColor.GDI32(?,00000000), ref: 0104AC03
                • Part of subcall function 0104AB60: SelectObject.GDI32(?,?), ref: 0104AC10
                • Part of subcall function 0104AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0104AC2F
                • Part of subcall function 0104AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104AC46
                • Part of subcall function 0104AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0104AC5B
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
              • String ID:
              • API String ID: 4124339563-0
              • Opcode ID: e8457b1201c3265679008d0e386047d16d749ac94b0dcf3820a4577db832d640
              • Instruction ID: c42c9059b6e0cb47b1241efff7f2a83a07509ef2c2443709bb46f9ef6a159a9d
              • Opcode Fuzzy Hash: e8457b1201c3265679008d0e386047d16d749ac94b0dcf3820a4577db832d640
              • Instruction Fuzzy Hash: 31A1A2B5108302EFD7219F68DD88A5B7BE9FF89321F000A29FAA2971D1D735D844CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00FC2CA2
              • DeleteObject.GDI32(00000000), ref: 00FC2CE8
              • DeleteObject.GDI32(00000000), ref: 00FC2CF3
              • DestroyIcon.USER32(00000000,?,?,?), ref: 00FC2CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00FC2D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FFC68B
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FFC6C4
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FFCAED
                • Part of subcall function 00FC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC2036,?,00000000,?,?,?,?,00FC16CB,00000000,?), ref: 00FC1B9A
              • SendMessageW.USER32(?,00001053), ref: 00FFCB2A
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FFCB41
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FFCB57
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FFCB62
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 464785882-4108050209
              • Opcode ID: b40a9af67b01e42d17074cc23e799de85a7a121e38015b9eae71dfaf0dac1079
              • Instruction ID: b8cae5465f6a3d910a9bceb3e2a529d98a33003a45fe3a0582e25c298c87d196
              • Opcode Fuzzy Hash: b40a9af67b01e42d17074cc23e799de85a7a121e38015b9eae71dfaf0dac1079
              • Instruction Fuzzy Hash: 3012A03590021AEFDB24DF24CA85BB9BBE1FF44320F14456DEA85DB262C735E841EB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(00000000), ref: 010377F1
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 010378B0
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010378EE
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 01037900
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01037946
              • GetClientRect.USER32(00000000,?), ref: 01037952
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01037996
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 010379A5
              • GetStockObject.GDI32(00000011), ref: 010379B5
              • SelectObject.GDI32(00000000,00000000), ref: 010379B9
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010379C9
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 010379D2
              • DeleteDC.GDI32(00000000), ref: 010379DB
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01037A07
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 01037A1E
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01037A59
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01037A6D
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 01037A7E
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 01037AAE
              • GetStockObject.GDI32(00000011), ref: 01037AB9
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01037AC4
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 01037ACE
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: 403b5516b61653b0a588cac2d789b68cbe17b1a7beecf85b93f8ed068dcba8de
              • Instruction ID: a504dc59e669b91f2887219447487e92a680361c7a1de9778b946d7592efaee4
              • Opcode Fuzzy Hash: 403b5516b61653b0a588cac2d789b68cbe17b1a7beecf85b93f8ed068dcba8de
              • Instruction Fuzzy Hash: 95A196B5A40606BFEB24DF68DD4AFAE7BB9EB44710F014154FA54A71D0C779AD00CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0102AF89
              • GetDriveTypeW.KERNEL32(?,0104FAC0,?,\\.\,0104F910), ref: 0102B066
              • SetErrorMode.KERNEL32(00000000,0104FAC0,?,\\.\,0104F910), ref: 0102B1C4
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: 007681081fcdf35d0882d36edb6258f1ef7f175fc2ab3016000ed6c37aeebe99
              • Instruction ID: 0218adf4346e0520db469ca07c4e59ace30f7f94e9241b97c4a168295f6f3456
              • Opcode Fuzzy Hash: 007681081fcdf35d0882d36edb6258f1ef7f175fc2ab3016000ed6c37aeebe99
              • Instruction Fuzzy Hash: 3651D130B84716EBCB10EB15CE92DBCB7B0FB54641764805EF4CBAB250CA79AD41CB45
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: c16f25fdcffcfa01f319745d04d030c48b76854c16c56777bd581815e2ffea3c
              • Instruction ID: 59d236a816cd00372725bd10534d8511f77ecc2d121c9c008cfe9c33b7e17e9e
              • Opcode Fuzzy Hash: c16f25fdcffcfa01f319745d04d030c48b76854c16c56777bd581815e2ffea3c
              • Instruction Fuzzy Hash: 79814A71A04247ABCB24BE21CE97FBF3759AF14710F044029FD41EA0A1EB69DE41F690
              Uniqueness

              Uniqueness Score: -1.00%
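The string table of this function (the `#include`, `#include-once`, `#cs`/`#ce`, `#comments-start`/`#comments-end`, `#notrayicon`, `#pragma compile`, `#requireadmin` and `#OnAutoItStartRegister` directives, plus the errors "Bad directive syntax error", "Cannot parse #include" and "Unterminated group of comments") identifies it as the AutoIt v3 script preprocessor, which is interpreter runtime code shipped in every compiled AutoIt executable, not the sample's own payload. The script that carries the AgentTesla behaviour is the compiled one embedded in the binary, and once it has been extracted, its directives are the first thing to read: `#RequireAdmin` requests elevation and `#NoTrayIcon` hides the interpreter's tray icon. The following Python is an added example, not code from the report or from AutoIt: a scanner that walks a decompiled `.au3` file for exactly those directives, skips `#cs`/`#ce` comment groups and reports the three error conditions above. The sample script is constructed for the example; the scanning rules (directives must start the line, `#cs` groups may nest, unknown directives are recorded rather than rejected) are my assumptions, not a statement of how the interpreter behaves.

```python
"""Scan a decompiled AutoIt v3 script for preprocessor directives.

Added example, not code from the report or from AutoIt.  Directive names and
error messages come from the function's string table; the scanning rules
(directive at line start, nested #cs groups, unknown directives recorded) are
assumptions.
"""
import re

_OPEN = re.compile(r"#(cs|comments-start)\b", re.I)      # start comment group
_CLOSE = re.compile(r"#(ce|comments-end)\b", re.I)       # end comment group
_DIRECTIVE = re.compile(r"#([A-Za-z][\w-]*)\s*(.*)")     # #name [argument]
_INCLUDE = re.compile(r'<([^>]+)>|"([^"]+)"|\'([^\']+)\'')  # <x.au3> or "x.au3"


def scan_directives(src: str) -> dict:
    """Return the directives of interest found in an AutoIt script.

    Raises ValueError with the interpreter's own wording for an unterminated
    comment group or an #include whose target cannot be parsed.
    """
    found = {"includes": [], "pragmas": [], "start_register": [],
             "requireadmin": False, "notrayicon": False, "unknown": []}
    depth = 0                                  # nesting level inside #cs ... #ce
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = raw.strip()
        if depth:                              # inside a comment group
            if _OPEN.match(line):
                depth += 1                     # nested group (assumption)
            elif _CLOSE.match(line):
                depth -= 1
            continue
        if _OPEN.match(line):
            depth = 1
            continue
        if not line.startswith("#"):
            continue                           # code or ';' comment, not a directive
        m = _DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: Bad directive syntax error")
        name, arg = m.group(1).lower(), m.group(2).strip()
        if name == "include":
            inc = _INCLUDE.search(arg)
            if not inc:
                raise ValueError(f"line {lineno}: Cannot parse #include")
            found["includes"].append(next(g for g in inc.groups() if g))
        elif name == "include-once":
            pass                               # no argument, nothing to record
        elif name == "requireadmin":
            found["requireadmin"] = True
        elif name == "notrayicon":
            found["notrayicon"] = True
        elif name == "pragma":
            found["pragmas"].append(arg)
        elif name == "onautoitstartregister":
            found["start_register"].append(arg.strip("\"'"))
        else:
            found["unknown"].append((lineno, name))
    if depth:
        raise ValueError("Unterminated group of comments")
    return found


# Constructed sample script for the example (not from the analysed sample).
SAMPLE_AU3 = """\
#NoTrayIcon
#RequireAdmin
#cs
  builder stub, kept for reference
  #include "ignored.au3"
#ce
#include <Crypt.au3>
#include "stage2.au3"
#pragma compile(Icon, app.ico)
#OnAutoItStartRegister "_Init"
Local $x = 1 ; #requireadmin inside a line comment is not a directive
"""

if __name__ == "__main__":
    import json
    print(json.dumps(scan_directives(SAMPLE_AU3), indent=2))
```

Run it against an extracted script with `python scan_au3.py` after replacing `SAMPLE_AU3` with the file contents; a script that sets both `#RequireAdmin` and `#NoTrayIcon` and pulls in second-stage includes is worth a closer look before anything else in the decompilation.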

              APIs
              • GetSysColor.USER32(00000012), ref: 0104AB99
              • SetTextColor.GDI32(?,?), ref: 0104AB9D
              • GetSysColorBrush.USER32(0000000F), ref: 0104ABB3
              • GetSysColor.USER32(0000000F), ref: 0104ABBE
              • CreateSolidBrush.GDI32(?), ref: 0104ABC3
              • GetSysColor.USER32(00000011), ref: 0104ABDB
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104ABE9
              • SelectObject.GDI32(?,00000000), ref: 0104ABFA
              • SetBkColor.GDI32(?,00000000), ref: 0104AC03
              • SelectObject.GDI32(?,?), ref: 0104AC10
              • InflateRect.USER32(?,000000FF,000000FF), ref: 0104AC2F
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104AC46
              • GetWindowLongW.USER32(00000000,000000F0), ref: 0104AC5B
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0104ACA7
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0104ACCE
              • InflateRect.USER32(?,000000FD,000000FD), ref: 0104ACEC
              • DrawFocusRect.USER32(?,?), ref: 0104ACF7
              • GetSysColor.USER32(00000011), ref: 0104AD05
              • SetTextColor.GDI32(?,00000000), ref: 0104AD0D
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0104AD21
              • SelectObject.GDI32(?,0104A869), ref: 0104AD38
              • DeleteObject.GDI32(?), ref: 0104AD43
              • SelectObject.GDI32(?,?), ref: 0104AD49
              • DeleteObject.GDI32(?), ref: 0104AD4E
              • SetTextColor.GDI32(?,?), ref: 0104AD54
              • SetBkColor.GDI32(?,?), ref: 0104AD5E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: c118dc23787f2d647eaff8b8c6afc68e32f25def1801c40590efaff3045bd8cd
              • Instruction ID: 6676ae296849584af1c6c83f06e8f41e410f46f792a9a5e8c8fc8bfee03ee246
              • Opcode Fuzzy Hash: c118dc23787f2d647eaff8b8c6afc68e32f25def1801c40590efaff3045bd8cd
              • Instruction Fuzzy Hash: EF6191B5900209EFDF219FA8DD88EAE7BB9FB08320F104565FA51AB291D7759940CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01048D34
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01048D45
              • CharNextW.USER32(0000014E), ref: 01048D74
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01048DB5
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01048DCB
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01048DDC
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01048DF9
              • SetWindowTextW.USER32(?,0000014E), ref: 01048E45
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01048E5B
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 01048E8C
              • _memset.LIBCMT ref: 01048EB1
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01048EFA
              • _memset.LIBCMT ref: 01048F59
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01048F83
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 01048FDB
              • SendMessageW.USER32(?,0000133D,?,?), ref: 01049088
              • InvalidateRect.USER32(?,00000000,00000001), ref: 010490AA
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010490F4
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01049121
              • DrawMenuBar.USER32(?), ref: 01049130
              • SetWindowTextW.USER32(?,0000014E), ref: 01049158
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              • Opcode ID: ea424ab166b88120a4e1f41098a12fc80f184c22a68c37111ffa0fe8167eda0a
              • Instruction ID: de15dfd70bf457fe1718f6b0d63df0b4ad0dc38b63ffbd1ea237b82dbd74e30c
              • Opcode Fuzzy Hash: ea424ab166b88120a4e1f41098a12fc80f184c22a68c37111ffa0fe8167eda0a
              • Instruction Fuzzy Hash: B1E1B4B4901209ABDF209FA5CCC8EEF7BB8FF09754F0085AAFA959A190D7758641CF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?), ref: 01044C51
              • GetDesktopWindow.USER32 ref: 01044C66
              • GetWindowRect.USER32(00000000), ref: 01044C6D
              • GetWindowLongW.USER32(?,000000F0), ref: 01044CCF
              • DestroyWindow.USER32(?), ref: 01044CFB
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01044D24
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01044D42
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01044D68
              • SendMessageW.USER32(?,00000421,?,?), ref: 01044D7D
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01044D90
              • IsWindowVisible.USER32(?), ref: 01044DB0
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01044DCB
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01044DDF
              • GetWindowRect.USER32(?,?), ref: 01044DF7
              • MonitorFromPoint.USER32(?,?,00000002), ref: 01044E1D
              • GetMonitorInfoW.USER32(00000000,?), ref: 01044E37
              • CopyRect.USER32(?,?), ref: 01044E4E
              • SendMessageW.USER32(?,00000412,00000000), ref: 01044EB9
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: dc4745004e8933d05c654bea73b4708350c5a05d6df386f21259467189a0cf67
              • Instruction ID: 48e894bc250555cd757f3059c0f09554ca2ae632cf322b66d37acf1c0f890e91
              • Opcode Fuzzy Hash: dc4745004e8933d05c654bea73b4708350c5a05d6df386f21259467189a0cf67
              • Instruction Fuzzy Hash: 14B17DB1608341AFD754DF29C989B5ABBE4BF88310F00892CF5D9DB291DB75D804CB95
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 010246E8
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0102470E
              • _wcscpy.LIBCMT ref: 0102473C
              • _wcscmp.LIBCMT ref: 01024747
              • _wcscat.LIBCMT ref: 0102475D
              • _wcsstr.LIBCMT ref: 01024768
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01024784
              • _wcscat.LIBCMT ref: 010247CD
              • _wcscat.LIBCMT ref: 010247D4
              • _wcsncpy.LIBCMT ref: 010247FF
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: 8da8e2c0fe2f23b0b206f55c54edee6635e93bc8febc7ce63e923ca8a97c4cdb
              • Instruction ID: 20769d3fed07107bafff9641fce845a0715074dc252447592b4869b3ac95152c
              • Opcode Fuzzy Hash: 8da8e2c0fe2f23b0b206f55c54edee6635e93bc8febc7ce63e923ca8a97c4cdb
              • Instruction Fuzzy Hash: 64416B71A00291BBE710B77A9C47EBF77BCEF01710F04016AF941E7142EB79A601A7A5
              Uniqueness

              Uniqueness Score: -1.00%
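The VERSION.dll calls and strings listed for this function (GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW with `\VarFileInfo\Translation`, the `StringFileInfo\` prefix, the `04090000` default language/codepage and the `%u.%u.%u.%u` format) are the standard Win32 version-resource lookup, and in a compiled AutoIt binary this is the interpreter's own file-version routine rather than anything specific to the sample. The following Python is an added example, not code from the report or from AutoIt, that reproduces that lookup so the call sequence can be read against working code: the translation table is decoded into candidate `\StringFileInfo\<lang><cp>\<name>` paths, `04090000` is always tried last as the fallback the string table shows, and VS_FIXEDFILEINFO is formatted as `%u.%u.%u.%u` when no string block matches. The pure helpers run anywhere; `file_version()` calls the real version.dll through ctypes and therefore only runs on Windows. The function names and the sample Translation bytes are mine, not the sample's.

```python
"""Version-resource lookup: the pattern behind the VERSION.dll calls above.

Added example, not code from the report or from AutoIt.  The pure helpers run
anywhere; file_version() needs Windows because it calls version.dll via ctypes.
"""
import struct
import sys

# Fallback language/codepage block seen in the function's string table.
DEFAULT_LANG_CP = "04090000"


def translation_pairs(raw: bytes) -> list:
    """Decode a \\VarFileInfo\\Translation value into 'llllcccc' strings.

    The value is an array of (WORD language, WORD codepage) entries, each
    naming one \\StringFileInfo\\<lang><cp> block.  Trailing bytes that do
    not form a whole entry are ignored, so a malformed or empty table simply
    yields no pairs and the caller falls back to DEFAULT_LANG_CP.
    """
    pairs = []
    for off in range(0, len(raw) - len(raw) % 4, 4):
        lang, cp = struct.unpack_from("<HH", raw, off)
        pairs.append(f"{lang:04x}{cp:04x}")
    return pairs


def subblock_paths(pairs, name="FileVersion"):
    """Candidate sub-block paths for a named string: translation table
    entries first, then the 04090000 default, duplicates removed in order."""
    ordered = list(dict.fromkeys(list(pairs) + [DEFAULT_LANG_CP]))
    return [f"\\StringFileInfo\\{lc}\\{name}" for lc in ordered]


def fixed_version(ms: int, ls: int) -> str:
    """Render VS_FIXEDFILEINFO.dwFileVersionMS/LS as '%u.%u.%u.%u'."""
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def file_version(path: str, name: str = "FileVersion") -> str:
    """GetFileVersionInfoSizeW -> GetFileVersionInfoW -> VerQueryValueW.

    Returns the requested StringFileInfo value, or the fixed-info version
    ('%u.%u.%u.%u') when no string block matches.  Windows only.
    """
    if sys.platform != "win32":
        raise OSError("version.dll is only available on Windows")
    import ctypes
    from ctypes import wintypes as wt

    ver = ctypes.WinDLL("version")
    ver.GetFileVersionInfoSizeW.argtypes = [wt.LPCWSTR, wt.LPDWORD]
    ver.GetFileVersionInfoSizeW.restype = wt.DWORD
    ver.GetFileVersionInfoW.argtypes = [wt.LPCWSTR, wt.DWORD, wt.DWORD, wt.LPVOID]
    ver.GetFileVersionInfoW.restype = wt.BOOL
    ver.VerQueryValueW.argtypes = [wt.LPCVOID, wt.LPCWSTR,
                                   ctypes.POINTER(wt.LPVOID), ctypes.POINTER(wt.UINT)]
    ver.VerQueryValueW.restype = wt.BOOL

    handle = wt.DWORD(0)
    size = ver.GetFileVersionInfoSizeW(path, ctypes.byref(handle))
    if not size:
        raise ctypes.WinError()
    block = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, block):
        raise ctypes.WinError()

    def query(sub):
        """Return (address, length) of a sub-block, or None if absent."""
        out, n = wt.LPVOID(), wt.UINT(0)
        if ver.VerQueryValueW(block, sub, ctypes.byref(out), ctypes.byref(n)) and n.value:
            return out.value, n.value
        return None

    trans = query("\\VarFileInfo\\Translation")
    raw = ctypes.string_at(*trans) if trans else b""   # length is in bytes here
    for sub in subblock_paths(translation_pairs(raw), name):
        hit = query(sub)
        if hit:                                         # length is in WCHARs here
            return ctypes.wstring_at(*hit).rstrip("\x00")
    root = query("\\")                                  # VS_FIXEDFILEINFO
    if root:
        ms, ls = struct.unpack_from("<II", ctypes.string_at(*root), 8)
        return fixed_version(ms, ls)
    return ""


if __name__ == "__main__":
    # Constructed Translation table: en-US (0x0409) / Unicode (0x04B0).
    print(subblock_paths(translation_pairs(b"\x09\x04\xb0\x04")))
    if len(sys.argv) > 1:
        print(file_version(sys.argv[1]))
```

Pass a file path as the first argument on a Windows host to see the live lookup; on any other platform only the decoding helpers run. The fallback order matters for triage: a resource with a missing or truncated Translation table still resolves through `04090000`, and a file with no string blocks at all still yields a version from the fixed info, so an empty result from this routine means the resource is absent, not merely malformed.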

              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC28BC
              • GetSystemMetrics.USER32(00000007), ref: 00FC28C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC28EF
              • GetSystemMetrics.USER32(00000008), ref: 00FC28F7
              • GetSystemMetrics.USER32(00000004), ref: 00FC291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FC2939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FC2949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FC297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FC2990
              • GetClientRect.USER32(00000000,000000FF), ref: 00FC29AE
              • GetStockObject.GDI32(00000011), ref: 00FC29CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC29D5
                • Part of subcall function 00FC2344: GetCursorPos.USER32(?), ref: 00FC2357
                • Part of subcall function 00FC2344: ScreenToClient.USER32(010867B0,?), ref: 00FC2374
                • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000001), ref: 00FC2399
                • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000002), ref: 00FC23A7
              • SetTimer.USER32(00000000,00000000,00000028,00FC1256), ref: 00FC29FC
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: c569f43289ceb359ea18e9c9a433696aa9f9ac6f02f60d364b3e662a1e07474e
              • Instruction ID: 0d69264aa33b7c29492c8b44fcc978ae17a4398bc8131ba5f6b649f1fae04ff5
              • Opcode Fuzzy Hash: c569f43289ceb359ea18e9c9a433696aa9f9ac6f02f60d364b3e662a1e07474e
              • Instruction Fuzzy Hash: F8B18075A0020BEFDB24DF68DA85FAD7BB4FF08310F114219FA55E6294DB799800DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 010440F6
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010441B6
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-719923060
              • Opcode ID: fa7cce0dfed28b756ac9d0e972ced77ab06ad44c0824ebceaee5280b9cb8dd4f
              • Instruction ID: a50686ae4ef0dbd1f30517b3439c90ce8ee5614afab6c3b64e69a0e286e1b561
              • Opcode Fuzzy Hash: fa7cce0dfed28b756ac9d0e972ced77ab06ad44c0824ebceaee5280b9cb8dd4f
              • Instruction Fuzzy Hash: C5A18E702143029BCB14EF24CE92F6AB7E5BF84314F04896CA8D69B692DF78EC05CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadCursorW.USER32(00000000,00007F89), ref: 01035309
              • LoadCursorW.USER32(00000000,00007F8A), ref: 01035314
              • LoadCursorW.USER32(00000000,00007F00), ref: 0103531F
              • LoadCursorW.USER32(00000000,00007F03), ref: 0103532A
              • LoadCursorW.USER32(00000000,00007F8B), ref: 01035335
              • LoadCursorW.USER32(00000000,00007F01), ref: 01035340
              • LoadCursorW.USER32(00000000,00007F81), ref: 0103534B
              • LoadCursorW.USER32(00000000,00007F88), ref: 01035356
              • LoadCursorW.USER32(00000000,00007F80), ref: 01035361
              • LoadCursorW.USER32(00000000,00007F86), ref: 0103536C
              • LoadCursorW.USER32(00000000,00007F83), ref: 01035377
              • LoadCursorW.USER32(00000000,00007F85), ref: 01035382
              • LoadCursorW.USER32(00000000,00007F82), ref: 0103538D
              • LoadCursorW.USER32(00000000,00007F84), ref: 01035398
              • LoadCursorW.USER32(00000000,00007F04), ref: 010353A3
              • LoadCursorW.USER32(00000000,00007F02), ref: 010353AE
              • GetCursorInfo.USER32(?), ref: 010353BE
              • GetLastError.KERNEL32(00000001,00000000), ref: 010353E9
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Cursor$Load$ErrorInfoLast
              • String ID:
              • API String ID: 3215588206-0
              • Opcode ID: dfe7195430f015a13c50b1e10f55b0612a5bfc8861ebe5aa45ec5b904f47ebc3
              • Instruction ID: 89d4e85903ac44d87f5df2d23e7f531e632e38c10c91681963b4aaabecd764af
              • Opcode Fuzzy Hash: dfe7195430f015a13c50b1e10f55b0612a5bfc8861ebe5aa45ec5b904f47ebc3
              • Instruction Fuzzy Hash: 07414370E083196ADB109FBA8C49D6EFFFCEF91B50F10452FA549E7290DAB89501CE51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 0101AAA5
              • __swprintf.LIBCMT ref: 0101AB46
              • _wcscmp.LIBCMT ref: 0101AB59
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0101ABAE
              • _wcscmp.LIBCMT ref: 0101ABEA
              • GetClassNameW.USER32(?,?,00000400), ref: 0101AC21
              • GetDlgCtrlID.USER32(?), ref: 0101AC73
              • GetWindowRect.USER32(?,?), ref: 0101ACA9
              • GetParent.USER32(?), ref: 0101ACC7
              • ScreenToClient.USER32(00000000), ref: 0101ACCE
              • GetClassNameW.USER32(?,?,00000100), ref: 0101AD48
              • _wcscmp.LIBCMT ref: 0101AD5C
              • GetWindowTextW.USER32(?,?,00000400), ref: 0101AD82
              • _wcscmp.LIBCMT ref: 0101AD96
                • Part of subcall function 00FE386C: _iswctype.LIBCMT ref: 00FE3874
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              • Opcode ID: b40fe44c3c9401b351865be3e338d3c823f10f3f72cd9851e25eec1560ac9ec9
              • Instruction ID: 4c25d6ce40bf311e5cedfdae06e5b88ee5491c36bb69bc2df0374a00cc74b773
              • Opcode Fuzzy Hash: b40fe44c3c9401b351865be3e338d3c823f10f3f72cd9851e25eec1560ac9ec9
              • Instruction Fuzzy Hash: 3EA1FD71305686EFD715EE68C884BAABBE8FF04315F404629FADAC3185DB38E545CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 0101B3DB
              • _wcscmp.LIBCMT ref: 0101B3EC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0101B414
              • CharUpperBuffW.USER32(?,00000000), ref: 0101B431
              • _wcscmp.LIBCMT ref: 0101B44F
              • _wcsstr.LIBCMT ref: 0101B460
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0101B498
              • _wcscmp.LIBCMT ref: 0101B4A8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0101B4CF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0101B518
              • _wcscmp.LIBCMT ref: 0101B528
              • GetClassNameW.USER32(00000010,?,00000400), ref: 0101B550
              • GetWindowRect.USER32(00000004,?), ref: 0101B5B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: a5c5cc9d25db6483d906456cfbb9c3972d2f3f97fb97a03f30798b1c00aae8d7
              • Instruction ID: 3b2d5cbdfcc2f533e27be158888341f6280ff5605d4e7b6f688c59c39263b865
              • Opcode Fuzzy Hash: a5c5cc9d25db6483d906456cfbb9c3972d2f3f97fb97a03f30798b1c00aae8d7
              • Instruction Fuzzy Hash: 4081CF710083069BEB11DF19C985FAA7BE8FF44314F0885A9FDC58A09ADB3CD945CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: 03ffda5206e49e52c39fe8bd22c036e83557175aee52a5b539162df8f8493fa6
              • Instruction ID: bf906cc2b85eecad6fcafa485073fe077dfd7d20649641ce320a98287874de22
              • Opcode Fuzzy Hash: 03ffda5206e49e52c39fe8bd22c036e83557175aee52a5b539162df8f8493fa6
              • Instruction Fuzzy Hash: C131A031A44306A6DB10FA62CE47FEEB7B4AF14B60F60012DF481760D6EF6D6E08D955
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadIconW.USER32(00000063), ref: 0101C4D4
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0101C4E6
              • SetWindowTextW.USER32(?,?), ref: 0101C4FD
              • GetDlgItem.USER32(?,000003EA), ref: 0101C512
              • SetWindowTextW.USER32(00000000,?), ref: 0101C518
              • GetDlgItem.USER32(?,000003E9), ref: 0101C528
              • SetWindowTextW.USER32(00000000,?), ref: 0101C52E
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0101C54F
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0101C569
              • GetWindowRect.USER32(?,?), ref: 0101C572
              • SetWindowTextW.USER32(?,?), ref: 0101C5DD
              • GetDesktopWindow.USER32 ref: 0101C5E3
              • GetWindowRect.USER32(00000000), ref: 0101C5EA
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0101C636
              • GetClientRect.USER32(?,?), ref: 0101C643
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0101C668
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0101C693
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID:
              • API String ID: 3869813825-0
              • Opcode ID: 692f594a158804cb9672937444fb4852770d93d56d4f3b643630bed89ec1fb3b
              • Instruction ID: 33180d19443c83411e0a6bccd0a359586ad4b3cd8428632e810c370006c227aa
              • Opcode Fuzzy Hash: 692f594a158804cb9672937444fb4852770d93d56d4f3b643630bed89ec1fb3b
              • Instruction Fuzzy Hash: CA51617094070AAFEB20DFA8DE85B6EBBF5FF04705F004958E686A25A4C779E944CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 0104A4C8
              • DestroyWindow.USER32(00000000,?), ref: 0104A542
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0104A5BC
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0104A5DE
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104A5F1
              • DestroyWindow.USER32(00000000), ref: 0104A613
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FC0000,00000000), ref: 0104A64A
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104A663
              • GetDesktopWindow.USER32 ref: 0104A67C
              • GetWindowRect.USER32(00000000), ref: 0104A683
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0104A69B
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0104A6B3
                • Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$tooltips_class32
              • API String ID: 1297703922-3619404913
              • Opcode ID: 4af28a1ce099683c55e639ac04736e7f4fe32ccf03a8e4ab79ca9443ca73c36d
              • Instruction ID: 379f638d7d0791fe695189d67530a9cbefdf5f0ca7d2b084e298ca55d927f94e
              • Opcode Fuzzy Hash: 4af28a1ce099683c55e639ac04736e7f4fe32ccf03a8e4ab79ca9443ca73c36d
              • Instruction Fuzzy Hash: 0C717CB5244205EFE720DF28C885F6A7BE5FB88300F44456DFAC687251D776E905CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • DragQueryPoint.SHELL32(?,?), ref: 0104C917
                • Part of subcall function 0104ADF1: ClientToScreen.USER32(?,?), ref: 0104AE1A
                • Part of subcall function 0104ADF1: GetWindowRect.USER32(?,?), ref: 0104AE90
                • Part of subcall function 0104ADF1: PtInRect.USER32(?,?,0104C304), ref: 0104AEA0
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0104C980
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0104C98B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0104C9AE
              • _wcscat.LIBCMT ref: 0104C9DE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0104C9F5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 0104CA0E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 0104CA25
              • SendMessageW.USER32(?,000000B1,?,?), ref: 0104CA47
              • DragFinish.SHELL32(?), ref: 0104CA4E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0104CB41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
              • API String ID: 169749273-3440237614
              • Opcode ID: 7686ffa40c8619a5f466819e55ce0e2d384d3397c85455c2ecab49ffd4a4cf34
              • Instruction ID: 79c2c68db08e8154ebe8f7ea3773b94a54181c4a0e08bfb491f225bf4299e55d
              • Opcode Fuzzy Hash: 7686ffa40c8619a5f466819e55ce0e2d384d3397c85455c2ecab49ffd4a4cf34
              • Instruction Fuzzy Hash: 8A619CB1108302AFC710EF64CD85E9FBBE8EF88750F000A1DF5D5961A1DB759A09DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 010446AB
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 010446F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              • Opcode ID: a616b81e21b381446c0072b1f3d165300f043a4ca174a81118ce3a28eec86230
              • Instruction ID: 98a90872809e7599f46cb850fa78923eef203ceceb95bc0116ab3f20e3c96c05
              • Opcode Fuzzy Hash: a616b81e21b381446c0072b1f3d165300f043a4ca174a81118ce3a28eec86230
              • Instruction Fuzzy Hash: 67919F746043029BCB14EF14C891B6DB7E1BF94314F0044ACA8D69B7A2CF79ED4ADB41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0104BB6E
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01049431), ref: 0104BBCA
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0104BC03
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0104BC46
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0104BC7D
              • FreeLibrary.KERNEL32(?), ref: 0104BC89
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0104BC99
              • DestroyIcon.USER32(?,?,?,?,?,01049431), ref: 0104BCA8
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0104BCC5
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0104BCD1
                • Part of subcall function 00FE313D: __wcsicmp_l.LIBCMT ref: 00FE31C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              • Opcode ID: 84551d69e4933e7700e96d5feeec3e08edff3e04bfbeee7eaf340b7d0f8b92fc
              • Instruction ID: 3a1a67d6465fdedce858ae7bb38be77c182c56a83387434bce358e3e42e18f33
              • Opcode Fuzzy Hash: 84551d69e4933e7700e96d5feeec3e08edff3e04bfbeee7eaf340b7d0f8b92fc
              • Instruction Fuzzy Hash: EE61D1B1900219BBEB24DF68CDC5FBE7BA8BB08710F104169F955D61C0DBB9E950DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • CharLowerBuffW.USER32(?,?), ref: 0102A636
              • GetDriveTypeW.KERNEL32 ref: 0102A683
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A6CB
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A702
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A730
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: 896c4c2724268be7f426ef14c606eb71465ef82120f3ae939f85c170c377532f
              • Instruction ID: 791e93c8ea47caa3f78d35661c0aa968f3c2393ef3697ee42d99e153ad594963
              • Opcode Fuzzy Hash: 896c4c2724268be7f426ef14c606eb71465ef82120f3ae939f85c170c377532f
              • Instruction Fuzzy Hash: DE5129716043069FC710EF25CD82D6AB7E4FF88718F04495CF89A97251DB39AE09DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0102A47A
              • __swprintf.LIBCMT ref: 0102A49C
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0102A4D9
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0102A4FE
              • _memset.LIBCMT ref: 0102A51D
              • _wcsncpy.LIBCMT ref: 0102A559
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0102A58E
              • CloseHandle.KERNEL32(00000000), ref: 0102A599
              • RemoveDirectoryW.KERNEL32(?), ref: 0102A5A2
              • CloseHandle.KERNEL32(00000000), ref: 0102A5AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: 9401c972ef9423836056ddecb8503b2332a9877aaf62978ecc3890b5e1754d6d
              • Instruction ID: ef987a842248cc86656e45d6cde76b37c474024b90152a616632af4b8cb2472c
              • Opcode Fuzzy Hash: 9401c972ef9423836056ddecb8503b2332a9877aaf62978ecc3890b5e1754d6d
              • Instruction Fuzzy Hash: F631D2B560012AABDB219FA4DC88FEB77BCEF88701F1041B6FA48D3055EB7493448B24
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __wsplitpath.LIBCMT ref: 0102DC7B
              • _wcscat.LIBCMT ref: 0102DC93
              • _wcscat.LIBCMT ref: 0102DCA5
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0102DCBA
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0102DCCE
              • GetFileAttributesW.KERNEL32(?), ref: 0102DCE6
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 0102DD00
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0102DD12
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0104C4EC
              • GetFocus.USER32 ref: 0104C4FC
              • GetDlgCtrlID.USER32(00000000), ref: 0104C507
              • _memset.LIBCMT ref: 0104C632
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0104C65D
              • GetMenuItemCount.USER32(?), ref: 0104C67D
              • GetMenuItemID.USER32(?,00000000), ref: 0104C690
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0104C6C4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0104C70C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0104C744
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0104C779
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
                • Part of subcall function 0101874A: GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
                • Part of subcall function 0101874A: GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
                • Part of subcall function 0101874A: HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
                • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D
                • Part of subcall function 010187E7: GetProcessHeap.KERNEL32(00000008,01018240,00000000,00000000,?,01018240,?), ref: 010187F3
                • Part of subcall function 010187E7: HeapAlloc.KERNEL32(00000000,?,01018240,?), ref: 010187FA
                • Part of subcall function 010187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01018240,?), ref: 0101880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01018458
              • _memset.LIBCMT ref: 0101846D
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101848C
              • GetLengthSid.ADVAPI32(?), ref: 0101849D
              • GetAce.ADVAPI32(?,00000000,?), ref: 010184DA
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010184F6
              • GetLengthSid.ADVAPI32(?), ref: 01018513
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01018522
              • HeapAlloc.KERNEL32(00000000), ref: 01018529
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101854A
              • CopySid.ADVAPI32(00000000), ref: 01018551
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01018582
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010185A8
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 010185BC
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDC.USER32(00000000), ref: 010376A2
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 010376AE
              • CreateCompatibleDC.GDI32(?), ref: 010376BA
              • SelectObject.GDI32(00000000,?), ref: 010376C7
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0103771B
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01037757
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0103777B
              • SelectObject.GDI32(00000006,?), ref: 01037783
              • DeleteObject.GDI32(?), ref: 0103778C
              • DeleteDC.GDI32(00000006), ref: 01037793
              • ReleaseDC.USER32(00000000,?), ref: 0103779E
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,0104FB78), ref: 0102A0FC
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
              • LoadStringW.USER32(?,?,00000FFF,?), ref: 0102A11E
              • __swprintf.LIBCMT ref: 0102A177
              • __swprintf.LIBCMT ref: 0102A190
              • _wprintf.LIBCMT ref: 0102A246
              • _wprintf.LIBCMT ref: 0102A264
              Similarity
              • API ID: LoadString__swprintf_wprintf$_memmove
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 311963372-2391861430
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FE0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FC6C6C,?,00008000), ref: 00FE0BB7
                • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FC6D0D
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC6E5A
                • Part of subcall function 00FC59CD: _wcscpy.LIBCMT ref: 00FC5A05
                • Part of subcall function 00FE387D: _iswctype.LIBCMT ref: 00FE3885
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00FC45F9
              • GetMenuItemCount.USER32(01086890), ref: 00FFD7CD
              • GetMenuItemCount.USER32(01086890), ref: 00FFD87D
              • GetCursorPos.USER32(?), ref: 00FFD8C1
              • SetForegroundWindow.USER32(00000000), ref: 00FFD8CA
              • TrackPopupMenuEx.USER32(01086890,00000000,?,00000000,00000000,00000000), ref: 00FFD8DD
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FFD8E9
              Similarity
              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 2751501086-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              • _memset.LIBCMT ref: 01017DB3
              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 01017DE8
              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 01017E04
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 01017E20
              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01017E4A
              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 01017E72
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01017E7D
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01017E82
              Similarity
              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
              • API String ID: 1411258926-22481851
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                • Part of subcall function 00FC7A84: _memmove.LIBCMT ref: 00FC7B0D
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 010255D2
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 010255E8
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 010255F9
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0102560B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0102561C
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • timeGetTime.WINMM ref: 0102521C
                • Part of subcall function 00FE0719: timeGetTime.WINMM(?,75A4B400,00FD0FF9), ref: 00FE071D
              • Sleep.KERNEL32(0000000A), ref: 01025248
              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0102526C
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0102528E
              • SetActiveWindow.USER32 ref: 010252AD
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 010252BB
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 010252DA
              • Sleep.KERNEL32(000000FA), ref: 010252E5
              • IsWindow.USER32 ref: 010252F1
              • EndDialog.USER32(00000000), ref: 01025302
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • CoInitialize.OLE32(00000000), ref: 0102D855
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0102D8E8
              • SHGetDesktopFolder.SHELL32(?), ref: 0102D8FC
              • CoCreateInstance.OLE32(01052D7C,00000000,00000001,0107A89C,?), ref: 0102D948
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0102D9B7
              • CoTaskMemFree.OLE32(?,?), ref: 0102DA0F
              • _memset.LIBCMT ref: 0102DA4C
              • SHBrowseForFolderW.SHELL32(?), ref: 0102DA88
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0102DAAB
              • CoTaskMemFree.OLE32(00000000), ref: 0102DAB2
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0102DAE9
              • CoUninitialize.OLE32(00000001,00000000), ref: 0102DAEB
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: aced75c071c5f7f08e9d42bcf1401efdd8b6d7264dda3ea1352c2dbbd6cb31fa
              • Instruction ID: 08b293327973a913f87daf22a6534c3f09da8d61233384baf4bafd90870b2b03
              • Opcode Fuzzy Hash: aced75c071c5f7f08e9d42bcf1401efdd8b6d7264dda3ea1352c2dbbd6cb31fa
              • Instruction Fuzzy Hash: ACB14E75A00119AFDB04DFA8C989EAEBBF9FF88300B048499F949DB251DB75ED41CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?), ref: 010205A7
              • SetKeyboardState.USER32(?), ref: 01020612
              • GetAsyncKeyState.USER32(000000A0), ref: 01020632
              • GetKeyState.USER32(000000A0), ref: 01020649
              • GetAsyncKeyState.USER32(000000A1), ref: 01020678
              • GetKeyState.USER32(000000A1), ref: 01020689
              • GetAsyncKeyState.USER32(00000011), ref: 010206B5
              • GetKeyState.USER32(00000011), ref: 010206C3
              • GetAsyncKeyState.USER32(00000012), ref: 010206EC
              • GetKeyState.USER32(00000012), ref: 010206FA
              • GetAsyncKeyState.USER32(0000005B), ref: 01020723
              • GetKeyState.USER32(0000005B), ref: 01020731
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: df8bc09ef03b926bc6bebdb71d288c965bc24dab9f6e7acb408edab1e2252b91
              • Instruction ID: 66a21cb796df45eb8ef590b6ec8212aef2453db4e1fbf7c00121cc14761ad38f
              • Opcode Fuzzy Hash: df8bc09ef03b926bc6bebdb71d288c965bc24dab9f6e7acb408edab1e2252b91
              • Instruction Fuzzy Hash: 5A512C70A047B819FB75DBB488547EBBFF49F01280F0845C9DAC2561C6DA74978CCB61
              Uniqueness

              Uniqueness Score: -1.00%
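The record above is worth reading rather than skimming: it snapshots the key-state array (GetKeyboardState), overwrites it (SetKeyboardState) and polls five modifier keys with both GetAsyncKeyState and GetKeyState. The following Python is an added triage helper written for this report; it is not code from Joe Sandbox, from the sample, or from the AutoIt project. It parses the "• Name.MODULE(args), ref: ADDR" lines the report uses for every function, decodes the immediates whose meaning is fixed by the Windows API signature (VK_* codes from winuser.h, the Winsock version word of WSAStartup, the Timeout parameter of IcmpSendEcho), and answers two questions an analyst asks of this record: which keys are polled, and is the Get/SetKeyboardState pair present. The two embedded inputs are the API lines of this keyboard-state record and of the ICMP-ping record (WSAStartup/IcmpSendEcho) further down the page; the function names and the ApiCall structure are this example's own.

```python
# Added triage helper for this report (not code from Joe Sandbox or from the
# sample): parse the "• Name.MODULE(args), ref: ADDR" API lines and decode the
# immediates whose meaning is fixed by the Windows API signature.
import re
from dataclasses import dataclass

API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[\w$@?]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
HEX_ARG = re.compile(r"^-?[0-9A-F]{8}$")

# Virtual-key codes from winuser.h for the modifier keys this sample polls.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT",
            0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
            0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # int for 8-digit hex immediates, str for '?' and literals
    ref: int     # call-site address from the "ref:" field

def parse_api_lines(text):
    """Turn every API line of a report record into an ApiCall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(int(a, 16) if HEX_ARG.match(a) else a)
        calls.append(ApiCall(m.group("name"), m.group("module"),
                             args, int(m.group("ref"), 16)))
    return calls

def describe(call):
    """Decode an immediate whose meaning follows from the API's parameter list."""
    a = call.args
    if call.name in ("GetAsyncKeyState", "GetKeyState") and a and isinstance(a[0], int):
        return VK_NAMES.get(a[0], f"VK_0x{a[0]:02X}")
    if call.name == "WSAStartup" and a and isinstance(a[0], int):
        return f"Winsock {a[0] & 0xFF}.{a[0] >> 8}"   # low byte major, high byte minor
    if call.name == "IcmpSendEcho" and len(a) == 8 and isinstance(a[7], int):
        return f"timeout {a[7]} ms"                   # Timeout is the 8th parameter
    return ""

def modifier_keys_polled(calls):
    """Sorted names of the keys read through GetAsyncKeyState/GetKeyState."""
    return sorted({describe(c) for c in calls
                   if c.name in ("GetAsyncKeyState", "GetKeyState")})

def reads_and_writes_keyboard_state(calls):
    """True when the routine both snapshots and overwrites the key-state array."""
    return {"GetKeyboardState", "SetKeyboardState"} <= {c.name for c in calls}

# Constructed inputs: API lines copied from the report's keyboard-state and
# ICMP-ping records.
KEYBOARD_BLOCK = """
• GetKeyboardState.USER32(?), ref: 010205A7
• SetKeyboardState.USER32(?), ref: 01020612
• GetAsyncKeyState.USER32(000000A0), ref: 01020632
• GetKeyState.USER32(000000A0), ref: 01020649
• GetAsyncKeyState.USER32(000000A1), ref: 01020678
• GetKeyState.USER32(000000A1), ref: 01020689
• GetAsyncKeyState.USER32(00000011), ref: 010206B5
• GetKeyState.USER32(00000011), ref: 010206C3
• GetAsyncKeyState.USER32(00000012), ref: 010206EC
• GetKeyState.USER32(00000012), ref: 010206FA
• GetAsyncKeyState.USER32(0000005B), ref: 01020723
• GetKeyState.USER32(0000005B), ref: 01020731
"""
PING_BLOCK = """
• WSAStartup.WSOCK32(00000101,?), ref: 01035AA6
• inet_addr.WSOCK32(?), ref: 01035AEB
• gethostbyname.WSOCK32(?), ref: 01035AF7
• IcmpCreateFile.IPHLPAPI ref: 01035B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B75
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B8B
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 01035C00
• WSACleanup.WSOCK32 ref: 01035C06
"""

if __name__ == "__main__":
    for title, block in (("keyboard", KEYBOARD_BLOCK), ("ping", PING_BLOCK)):
        for c in parse_api_lines(block):
            print(f"{title}: {c.ref:08X} {c.name}.{c.module} {describe(c)}".rstrip())
    kb = parse_api_lines(KEYBOARD_BLOCK)
    print("modifier keys polled:", modifier_keys_polled(kb))
    print("Get+SetKeyboardState pair:", reads_and_writes_keyboard_state(kb))
```

Run against the record above, the helper reports both shift keys, Ctrl, Alt and the left Windows key polled, bracketed by a GetKeyboardState/SetKeyboardState pair. That is the shape of a routine that saves the key-state array, synthesizes or checks keystrokes with the modifiers forced to a known state, and restores it. In a compiled AutoIt binary, which this report flags, such a routine is consistent with the interpreter's own keyboard support and is present whether or not the script logs keys, so it is context for the report's stronger signatures (clipboard read, browser and mail credential theft) rather than evidence of keylogging on its own. The same parser decodes the ping record further down as Winsock 1.1 with a 4000 ms echo timeout.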

              APIs
              • GetDlgItem.USER32(?,00000001), ref: 0101C746
              • GetWindowRect.USER32(00000000,?), ref: 0101C758
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0101C7B6
              • GetDlgItem.USER32(?,00000002), ref: 0101C7C1
              • GetWindowRect.USER32(00000000,?), ref: 0101C7D3
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0101C827
              • GetDlgItem.USER32(?,000003E9), ref: 0101C835
              • GetWindowRect.USER32(00000000,?), ref: 0101C846
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0101C889
              • GetDlgItem.USER32(?,000003EA), ref: 0101C897
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0101C8B4
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0101C8C1
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: 0bd9cdf719ab75e41f7120c33cf44fc356ec72beb7f85186aa5df910b0b88485
              • Instruction ID: 2de1ac9efd6ceed0b39bc83aaefdd35b4c3faddc74fe05914ec970cef2eb9394
              • Opcode Fuzzy Hash: 0bd9cdf719ab75e41f7120c33cf44fc356ec72beb7f85186aa5df910b0b88485
              • Instruction Fuzzy Hash: A85153B5B00205AFEB18CF7CDE89AAEBBB5FB88310F14816DF555D6294D775D9008B10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC2036,?,00000000,?,?,?,?,00FC16CB,00000000,?), ref: 00FC1B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FC20D3
              • KillTimer.USER32(-00000001,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FC216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 00FFBEF6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF27
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF3E
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF5A
              • DeleteObject.GDI32(00000000), ref: 00FFBF6C
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: 92e4d7d97726e3a9be57c7786365f8788bbe16765134fb43bdc1cebb82b5dfc5
              • Instruction ID: 19a7b43bc52c8e53eac19e692d75b794347a186d84ddf40db5afcd7a469abd83
              • Opcode Fuzzy Hash: 92e4d7d97726e3a9be57c7786365f8788bbe16765134fb43bdc1cebb82b5dfc5
              • Instruction Fuzzy Hash: D861A075904606DFCB35AF18CA89B3977F1FF40322F14451DE5C2865A8C77AA891EF80
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC
              • GetSysColor.USER32(0000000F), ref: 00FC21D3
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID:
              • API String ID: 259745315-0
              • Opcode ID: 7439157c6fbf389b4d71c134bc677e39051ac3385bebad3b3781dd1461f21c74
              • Instruction ID: d5ac86ca2419e936a82a37b2bb9cf8addb196fe772f61dcd173454c3dfb59a30
              • Opcode Fuzzy Hash: 7439157c6fbf389b4d71c134bc677e39051ac3385bebad3b3781dd1461f21c74
              • Instruction Fuzzy Hash: 1D4125354001459FEB219F28DA89FF93B65EB06330F184359FEA58A1E6C7328C42FB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?,0104F910), ref: 0102AB76
              • GetDriveTypeW.KERNEL32(00000061,0107A620,00000061), ref: 0102AC40
              • _wcscpy.LIBCMT ref: 0102AC6A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: 64a2b27c052fb48ac07573cba4b0ec2e4e1a5d29163275c732eda40279f70e37
              • Instruction ID: 0cb85804919a9f58134a4dba3fd39422f0f173379a0cf1a79cac068c401ebd03
              • Opcode Fuzzy Hash: 64a2b27c052fb48ac07573cba4b0ec2e4e1a5d29163275c732eda40279f70e37
              • Instruction Fuzzy Hash: 0951AA30208312DBC720EF18CD82EAEB7A5EF84310F14481DF5C69B6A2DF75A949DB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              • Opcode ID: 5dc0b71d5f8b7f6d81cc6601fd747e505a67ee57f5d37b615f63ef568e097b7c
              • Instruction ID: e3fb74a36be0082ae174813839661ceeb4ef0febfc0702000e23c11254407534
              • Opcode Fuzzy Hash: 5dc0b71d5f8b7f6d81cc6601fd747e505a67ee57f5d37b615f63ef568e097b7c
              • Instruction Fuzzy Hash: 47411672A0420AABDB349B35DD46F7A73E8EF44310F20446EE649D7251EEB59941EB10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 010473D9
              • CreateMenu.USER32 ref: 010473F4
              • SetMenu.USER32(?,00000000), ref: 01047403
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01047490
              • IsMenu.USER32(?), ref: 010474A6
              • CreatePopupMenu.USER32 ref: 010474B0
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010474DD
              • DrawMenuBar.USER32 ref: 010474E5
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              • Opcode ID: 40b3932b48d91e6b9ca2044cb8709a3f9dbdf0bb003c9c90486c886878e53631
              • Instruction ID: 0c9d3352f5fea480b7dd8b4b5ebbe318ee9fc32139ddb8aa15b900043f9cefd7
              • Opcode Fuzzy Hash: 40b3932b48d91e6b9ca2044cb8709a3f9dbdf0bb003c9c90486c886878e53631
              • Instruction Fuzzy Hash: 27414CB9A00205EFDB20DF68D984EAABBF5FF49310F144069FA95A7351DB35A910CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 010477CD
              • CreateCompatibleDC.GDI32(00000000), ref: 010477D4
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 010477E7
              • SelectObject.GDI32(00000000,00000000), ref: 010477EF
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 010477FA
              • DeleteDC.GDI32(00000000), ref: 01047803
              • GetWindowLongW.USER32(?,000000EC), ref: 0104780D
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 01047821
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0104782D
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              • Opcode ID: 069596b31f1038f881b748c40d2d0acecb8652dc0499e252f84d3c4334264054
              • Instruction ID: b241ca93bd7b179c67c567f2a504be2a2a55b9224ae0354e91646062e5d848c0
              • Opcode Fuzzy Hash: 069596b31f1038f881b748c40d2d0acecb8652dc0499e252f84d3c4334264054
              • Instruction Fuzzy Hash: 2A3180B5101116BBEF229F78DC88FDA3BA9FF0D320F110224FA95A6090C736D811DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00FE707B
                • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
              • __gmtime64_s.LIBCMT ref: 00FE7114
              • __gmtime64_s.LIBCMT ref: 00FE714A
              • __gmtime64_s.LIBCMT ref: 00FE7167
              • __allrem.LIBCMT ref: 00FE71BD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE71D9
              • __allrem.LIBCMT ref: 00FE71F0
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE720E
              • __allrem.LIBCMT ref: 00FE7225
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE7243
              • __invoke_watson.LIBCMT ref: 00FE72B4
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction ID: c09d1dfd7bc8e9f8ed3262cbe60fd7c7b6ef81639e0397a47531a7f481ac2b2f
              • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction Fuzzy Hash: 7471E872E04757ABD714BE7ACC41B6BB3A8AF10730F14422AF614E7691E774E940AB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 01022A31
              • GetMenuItemInfoW.USER32(01086890,000000FF,00000000,00000030), ref: 01022A92
              • SetMenuItemInfoW.USER32(01086890,00000004,00000000,00000030), ref: 01022AC8
              • Sleep.KERNEL32(000001F4), ref: 01022ADA
              • GetMenuItemCount.USER32(?), ref: 01022B1E
              • GetMenuItemID.USER32(?,00000000), ref: 01022B3A
              • GetMenuItemID.USER32(?,-00000001), ref: 01022B64
              • GetMenuItemID.USER32(?,?), ref: 01022BA9
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01022BEF
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022C03
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022C24
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: 102532fc3a3855cc6400153a21ae5ea4b4d62a69f6d3dd52420dbc06633557a7
              • Instruction ID: 106370fc8b0acfc3f248f13167a0f5ffb990436b86674c5f8b5b44a2159d1d99
              • Opcode Fuzzy Hash: 102532fc3a3855cc6400153a21ae5ea4b4d62a69f6d3dd52420dbc06633557a7
              • Instruction Fuzzy Hash: B261B4B090025AAFEB22CFE8D988DFE7BB8EB45304F144599E9C197241D736AD45CB21
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01047214
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01047217
              • GetWindowLongW.USER32(?,000000F0), ref: 0104723B
              • _memset.LIBCMT ref: 0104724C
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0104725E
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 010472D6
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: 3334a13b778f04d77cd596333cdf0b10cf53f435c2b460302c7fee8ed9fbf8d9
              • Instruction ID: f38fef6449d4c2228115f49c98d6f5cedb7ba48373df96deb8c427d71bb787e8
              • Opcode Fuzzy Hash: 3334a13b778f04d77cd596333cdf0b10cf53f435c2b460302c7fee8ed9fbf8d9
              • Instruction Fuzzy Hash: 37618FB5900208EFDB20DFA8CC81EEE77F8EB09710F1441A9FA94A7391D775A941CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01017135
              • SafeArrayAllocData.OLEAUT32(?), ref: 0101718E
              • VariantInit.OLEAUT32(?), ref: 010171A0
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 010171C0
              • VariantCopy.OLEAUT32(?,?), ref: 01017213
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 01017227
              • VariantClear.OLEAUT32(?), ref: 0101723C
              • SafeArrayDestroyData.OLEAUT32(?), ref: 01017249
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01017252
              • VariantClear.OLEAUT32(?), ref: 01017264
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101726F
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 81220e4279c08530c16eef0f949fcd65820147cb5ea9fa08ad1e9386b5cf7153
              • Instruction ID: 8a81458fa2502ba68ce235f6d63333451f37953bfa9412559f631166371edaad
              • Opcode Fuzzy Hash: 81220e4279c08530c16eef0f949fcd65820147cb5ea9fa08ad1e9386b5cf7153
              • Instruction Fuzzy Hash: 8841727590011AAFCB14DF68D988DEDBBB9FF48350F008069F985A7215CF39A945CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • CoInitialize.OLE32 ref: 01038718
              • CoUninitialize.OLE32 ref: 01038723
              • CoCreateInstance.OLE32(?,00000000,00000017,01052BEC,?), ref: 01038783
              • IIDFromString.OLE32(?,?), ref: 010387F6
              • VariantInit.OLEAUT32(?), ref: 01038890
              • VariantClear.OLEAUT32(?), ref: 010388F1
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: d750e4c47f5edb4548d71effaeeb87197e5a08e515bcd374c504e86ebb09bdfc
              • Instruction ID: 7349168f18160fc44b3318a1e62c8392e86aa3f54abb29f9c2ccacbe1725bc51
              • Opcode Fuzzy Hash: d750e4c47f5edb4548d71effaeeb87197e5a08e515bcd374c504e86ebb09bdfc
              • Instruction Fuzzy Hash: 2B61B2706083029FD711DF28D948F5EBBE8AF85714F04898EF5C59B291C774E948CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 01035AA6
              • inet_addr.WSOCK32(?), ref: 01035AEB
              • gethostbyname.WSOCK32(?), ref: 01035AF7
              • IcmpCreateFile.IPHLPAPI ref: 01035B05
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B75
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B8B
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 01035C00
              • WSACleanup.WSOCK32 ref: 01035C06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: 8fe926df8ccda087049fe09062931c4a5c843f9981199822090b48ee73c2fa0a
              • Instruction ID: e3e28da2d7faa743799441e6bca21da34d90434347bc1fb5dd698271397f92bc
              • Opcode Fuzzy Hash: 8fe926df8ccda087049fe09062931c4a5c843f9981199822090b48ee73c2fa0a
              • Instruction Fuzzy Hash: 485190316047019FD721DF28CD89B2ABBE8EF84710F048969F995DB2A1DB78E840DF41
              Uniqueness

              Uniqueness Score: -1.00%

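The "APIs" blocks above are a compact record of what each recovered function does, but the arguments are raw hex and the meaning of a sequence (Winsock startup, name resolution, ICMP echo) has to be read off by hand. The following is an added example, not code from Joe Sandbox or from this report, that parses these lines into structured call records, decodes a few argument values whose meaning is fixed by the Windows SDK (IcmpSendEcho's size and timeout parameters, the WSAStartup version word, a handful of window message codes), and tags a block with capability labels when a full API set is present. The capability tag names and the choice of which constants to decode are this example's own; the sample input is the Ping function's lines as printed above plus one subcall line and one SendMessageW line from other blocks.

```python
"""Parse the "APIs" lines of a Joe Sandbox function summary into records and
tag the behaviour the call sequence implies.  Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet of an "APIs" section.  Three shapes occur in the report:
#   • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B75
#   • CoInitialize.OLE32 ref: 01038718                 (no argument list)
#   • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                         # int for hex literals, None for '?', str otherwise
    ref: int                           # address of the call site
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                    # value not recovered by the analyzer
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                         # a literal such as "close all" or "READY"


def parse_api_block(text: str) -> list:
    """Return the ApiCall records for every bullet line in `text`, in order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                   # "APIs"/"Strings" headers and blank lines
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


# A tag applies when every API in its set is called directly from the block
# (subcall lines are ignored).  Tag names are this example's own convention.
CAPABILITIES = {
    "winsock_init": {"WSAStartup"},
    "dns_resolve": {"gethostbyname"},
    "icmp_probe": {"IcmpCreateFile", "IcmpSendEcho"},
    "http_request": {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"},
    "com_create": {"CoCreateInstance"},
    "com_get_object": {"CoGetObject"},
    "input_attach": {"AttachThreadInput"},
    "child_window_enum": {"EnumChildWindows"},
    "icon_from_resource": {"FindResourceW", "CreateIconFromResourceEx"},
}


def capabilities(calls) -> set:
    seen = {c.name for c in calls if c.subcall_of is None}
    return {tag for tag, need in CAPABILITIES.items() if need <= seen}


# Window message codes from the Windows SDK, used to decode SendMessageW's Msg argument.
WINDOW_MESSAGES = {0x31: "WM_GETFONT", 0xB1: "EM_SETSEL", 0x111: "WM_COMMAND",
                   0x186: "LB_SETCURSEL", 0x18C: "LB_SELECTSTRING"}


def annotate(call: ApiCall) -> dict:
    """Decode arguments whose meaning is fixed by the API's documented signature."""
    a, notes = call.args, {}
    if call.name == "IcmpSendEcho" and len(a) == 8:
        # (Handle, Dest, RequestData, RequestSize, Options, ReplyBuffer, ReplySize, Timeout)
        notes.update(request_size=a[3], reply_size=a[6], timeout_ms=a[7])
    elif call.name == "WSAStartup" and a and isinstance(a[0], int):
        notes["winsock_version"] = f"{a[0] & 0xFF}.{a[0] >> 8}"   # low byte = major
    elif call.name == "HttpQueryInfoW" and len(a) > 1 and a[1] == 5:
        notes["info_level"] = "HTTP_QUERY_CONTENT_LENGTH"
    elif call.name in ("InternetQueryOptionW", "InternetSetOptionW") and len(a) > 1 and a[1] == 0x1F:
        notes["option"] = "INTERNET_OPTION_SECURITY_FLAGS"
    elif call.name == "SendMessageW" and len(a) > 1 and isinstance(a[1], int):
        notes["message"] = WINDOW_MESSAGES.get(a[1], f"0x{a[1]:X}")
    return notes


# Sample input: the "Ping" function's lines as printed in the report, with one
# subcall line copied from the ObjCreate block for the parser to exercise.
SAMPLE = """\
APIs
  • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
• WSAStartup.WSOCK32(00000101,?), ref: 01035AA6
• inet_addr.WSOCK32(?), ref: 01035AEB
• gethostbyname.WSOCK32(?), ref: 01035AF7
• IcmpCreateFile.IPHLPAPI ref: 01035B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B75
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B8B
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 01035C00
• WSACleanup.WSOCK32 ref: 01035C06
Strings
"""

if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.name} {annotate(c)}")
    print("capabilities:", sorted(capabilities(parsed)))
```

Run against the Ping block, the decoder reports a 5-byte echo request with a 4000 ms timeout (0x0FA0) and a 0x29 = 41-byte reply buffer, which is exactly the documented minimum of sizeof(ICMP_ECHO_REPLY) (28 bytes on 32-bit) + RequestSize + 8, so the buffer sizing is the stock one rather than anything custom. Note that Joe Sandbox's argument columns are not always aligned with the real parameter order (several SendMessageW lines in this report show 0x111 in the wParam slot), so decode only positions that hold a literal and treat the rest as unknown.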
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0102B73B
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0102B7B1
              • GetLastError.KERNEL32 ref: 0102B7BB
              • SetErrorMode.KERNEL32(00000000,READY), ref: 0102B828
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 0978b10324001ac8cc6f239da6694f0066586af3f962bec3a6139ab94f2bd425
              • Instruction ID: 332d0a101d187ce2b520392d5a5bf2dadb76705e137573120323d7f2e6bb2cb5
              • Opcode Fuzzy Hash: 0978b10324001ac8cc6f239da6694f0066586af3f962bec3a6139ab94f2bd425
              • Instruction Fuzzy Hash: 4C31B235A0021A9FDB50EF68CD85EBE7BF4FF44700F18806AE585DB292DB759942CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 010194F6
              • GetDlgCtrlID.USER32 ref: 01019501
              • GetParent.USER32 ref: 0101951D
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 01019520
              • GetDlgCtrlID.USER32(?), ref: 01019529
              • GetParent.USER32(?), ref: 01019545
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 01019548
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 13bce72289aff73b1a1a80b4766d25f69c170d23009553345ff0fe4eb033e625
              • Instruction ID: 1bef25fea2f5601c23881a8e24fa5c1a26eb7a866ae5e05dcf8c3070838a815d
              • Opcode Fuzzy Hash: 13bce72289aff73b1a1a80b4766d25f69c170d23009553345ff0fe4eb033e625
              • Instruction Fuzzy Hash: 9621F174A00205BBDF00AB69CCD5EFEBBB4EF49350F000159B9A297295DB7E9518DB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010195DF
              • GetDlgCtrlID.USER32 ref: 010195EA
              • GetParent.USER32 ref: 01019606
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 01019609
              • GetDlgCtrlID.USER32(?), ref: 01019612
              • GetParent.USER32(?), ref: 0101962E
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 01019631
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 5256bbd2635d0d6bd5dd35a6e2db32ea8048616e78ec4c1437cdc78439b70366
              • Instruction ID: 19976381138c170e88db36afc4bf066f4ccfa3a9ce5ebaa961e5ae42b8d6c76b
              • Opcode Fuzzy Hash: 5256bbd2635d0d6bd5dd35a6e2db32ea8048616e78ec4c1437cdc78439b70366
              • Instruction Fuzzy Hash: 8D21D374900205BBDF00ABB5CCD5EFEBBB8EF58300F000159B99197199DB7E9519DB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32 ref: 01019651
              • GetClassNameW.USER32(00000000,?,00000100), ref: 01019666
              • _wcscmp.LIBCMT ref: 01019678
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 010196F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: bb128bd0978fb9c7f560f6d4e266953c457e5c7cc2a21af5da2c3281ff5f853d
              • Instruction ID: 89354ce76c998eaaaef2dedb314c77034008b3dc729f289e602e52c9555205f9
              • Opcode Fuzzy Hash: bb128bd0978fb9c7f560f6d4e266953c457e5c7cc2a21af5da2c3281ff5f853d
              • Instruction Fuzzy Hash: 74115C7A648313BAF611252ADC2FDA677DC9B09378F10001AF940E5096FE6E6500C768
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 01038BEC
              • CoInitialize.OLE32(00000000), ref: 01038C19
              • CoUninitialize.OLE32 ref: 01038C23
              • GetRunningObjectTable.OLE32(00000000,?), ref: 01038D23
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 01038E50
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01052C0C), ref: 01038E84
              • CoGetObject.OLE32(?,00000000,01052C0C,?), ref: 01038EA7
              • SetErrorMode.KERNEL32(00000000), ref: 01038EBA
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01038F3A
              • VariantClear.OLEAUT32(?), ref: 01038F4A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID:
              • API String ID: 2395222682-0
              • Opcode ID: 340284ef5ca951b3c6131b7dd5b1f6664c2f4b8040994c57d03563af2b51e843
              • Instruction ID: d52d11481a64b3f29c42682d7a51293d5b78fed81184917cb0088db4f7145dda
              • Opcode Fuzzy Hash: 340284ef5ca951b3c6131b7dd5b1f6664c2f4b8040994c57d03563af2b51e843
              • Instruction Fuzzy Hash: 37C127B1208306AFD700DF68C98496BBBE9FF89748F004A9DF5899B251DB71ED05CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __swprintf.LIBCMT ref: 0102419D
              • __swprintf.LIBCMT ref: 010241AA
                • Part of subcall function 00FE38D8: __woutput_l.LIBCMT ref: 00FE3931
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 010241D4
              • LoadResource.KERNEL32(?,00000000), ref: 010241E0
              • LockResource.KERNEL32(00000000), ref: 010241ED
              • FindResourceW.KERNEL32(?,?,00000003), ref: 0102420D
              • LoadResource.KERNEL32(?,00000000), ref: 0102421F
              • SizeofResource.KERNEL32(?,00000000), ref: 0102422E
              • LockResource.KERNEL32(?), ref: 0102423A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0102429B
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: 81da1dfe2c8887e2a16802a900f455d20cd2eab0ba0b8642d5fdc2f396ea7abf
              • Instruction ID: fc1d51308d888d1a64518ad4705c25236c862e2939d8c013b7d9d45d59aeeb1d
              • Opcode Fuzzy Hash: 81da1dfe2c8887e2a16802a900f455d20cd2eab0ba0b8642d5fdc2f396ea7abf
              • Instruction Fuzzy Hash: 7C31C1B5A0122AAFDB219FA5DE88EBF7BACEF05301F044555F981D2140D779DA11CBB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 01021700
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,01020778,?,00000001), ref: 01021714
              • GetWindowThreadProcessId.USER32(00000000), ref: 0102171B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 0102172A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0102173C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 01021755
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 01021767
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217AC
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217C1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217CC
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: 5ee7027b5ce8c50979c3025bdc274488fc8118ae256f74d074bc6cb70d871a35
              • Instruction ID: 55e9cf9bfd32eb2735a84342cdec4386219881c7a649c4706141f555e3d8243b
              • Opcode Fuzzy Hash: 5ee7027b5ce8c50979c3025bdc274488fc8118ae256f74d074bc6cb70d871a35
              • Instruction Fuzzy Hash: A331B475600614BBEB319F29D984B6E7BF9BB89711F204055F9C0C628AD7799940CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FCFC06
              • OleUninitialize.OLE32(?,00000000), ref: 00FCFCA5
              • UnregisterHotKey.USER32(?), ref: 00FCFDFC
              • DestroyWindow.USER32(?), ref: 01004A00
              • FreeLibrary.KERNEL32(?), ref: 01004A65
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 01004A92
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: 3aeff553afe28915e030095c0d30327da908938913d8938afc716fc3f6df859e
              • Instruction ID: 446da47fa6da12458685a4e63c76fdd7f1de48b163972a118f8a54300e14234a
              • Opcode Fuzzy Hash: 3aeff553afe28915e030095c0d30327da908938913d8938afc716fc3f6df859e
              • Instruction Fuzzy Hash: 5CA1CD317012138FDB2AEF14CA95F69F7A1BF04700F1442ADE94AAB292CB34AD56DF54
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnumChildWindows.USER32(?,0101AA64), ref: 0101A9A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: 0215038d09b370ca31335d275327de10829f527c29a81b83b3f9178be62ad8ec
              • Instruction ID: 2043d53cada96c10b37b45fdc4c39e621ca4b5d43cf6d52f2281d43233ca77b5
              • Opcode Fuzzy Hash: 0215038d09b370ca31335d275327de10829f527c29a81b83b3f9178be62ad8ec
              • Instruction Fuzzy Hash: F491A230A01687EBDB58EF64C881BEDFBB5BF04314F008159D9CAA7145DF386A99DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00FC2EAE
                • Part of subcall function 00FC1DB3: GetClientRect.USER32(?,?), ref: 00FC1DDC
                • Part of subcall function 00FC1DB3: GetWindowRect.USER32(?,?), ref: 00FC1E1D
                • Part of subcall function 00FC1DB3: ScreenToClient.USER32(?,?), ref: 00FC1E45
              • GetDC.USER32 ref: 00FFCF82
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FFCF95
              • SelectObject.GDI32(00000000,00000000), ref: 00FFCFA3
              • SelectObject.GDI32(00000000,00000000), ref: 00FFCFB8
              • ReleaseDC.USER32(?,00000000), ref: 00FFCFC0
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FFD04B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: 785be575d9860315501aa33e2aff1377a363d9ac24e23a9c79ca01a62703c4c1
              • Instruction ID: 595ffe933c7277aace115b234fd4c795e1c6e498151137c704106655649370cd
              • Opcode Fuzzy Hash: 785be575d9860315501aa33e2aff1377a363d9ac24e23a9c79ca01a62703c4c1
              • Instruction Fuzzy Hash: CE71D77180020EDFCF219F64C985BBA7BB6FF49360F144269EE959A1A9C7358C41FB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                • Part of subcall function 00FC2344: GetCursorPos.USER32(?), ref: 00FC2357
                • Part of subcall function 00FC2344: ScreenToClient.USER32(010867B0,?), ref: 00FC2374
                • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000001), ref: 00FC2399
                • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000002), ref: 00FC23A7
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0104C2E4
              • ImageList_EndDrag.COMCTL32 ref: 0104C2EA
              • ReleaseCapture.USER32 ref: 0104C2F0
              • SetWindowTextW.USER32(?,00000000), ref: 0104C39A
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0104C3AD
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0104C48F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
               • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID
              • API String ID: 1924731296-2107944366
              • Opcode ID: 4705e5bf7554e2ad52a0dc5e63f039ebe973b777ab61152ae3d4b3fc8c5845d1
              • Instruction ID: d5e3ca9b30c0bd804530198ff6b8dfe830d0b7e38658d6267bd9dfe818491f2d
              • Opcode Fuzzy Hash: 4705e5bf7554e2ad52a0dc5e63f039ebe973b777ab61152ae3d4b3fc8c5845d1
              • Instruction Fuzzy Hash: 8751AEB4208306AFD710EF24CA96F6E7BE1FB88310F00452DF5D58B2A1DB7AA944DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01031D44
              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01031D70
              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01031DB2
              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01031DC7
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01031DD4
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01031E04
              • InternetCloseHandle.WININET(00000000), ref: 01031E4B
                • Part of subcall function 01032777: GetLastError.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 0103278C
                • Part of subcall function 01032777: SetEvent.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 010327A1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
              • String ID:
              • API String ID: 2603140658-3916222277

              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0104F910), ref: 0103903D
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0104F910), ref: 01039071
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010391EB
              • SysFreeString.OLEAUT32(?), ref: 01039215
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0

              APIs
              • _memset.LIBCMT ref: 0103F9C9
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103FB5C
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103FB80
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103FBC0
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103FBE2
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103FD5E
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0103FD90
              • CloseHandle.KERNEL32(?), ref: 0103FDBF
              • CloseHandle.KERNEL32(?), ref: 0103FE36
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0

              APIs
                • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010238D3,?), ref: 010248C7
                • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010238D3,?), ref: 010248E0
                • Part of subcall function 01024CD3: GetFileAttributesW.KERNEL32(?,01023947), ref: 01024CD4
              • lstrcmpiW.KERNEL32(?,?), ref: 01024FE2
              • _wcscmp.LIBCMT ref: 01024FFC
              • MoveFileW.KERNEL32(?,?), ref: 01025017
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0

              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0104896E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0

              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FFC547
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FFC569
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FFC581
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FFC59F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FFC5C0
              • DestroyIcon.USER32(00000000), ref: 00FFC5CF
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FFC5EC
              • DestroyIcon.USER32(?), ref: 00FFC5FB
                • Part of subcall function 0104A71E: DeleteObject.GDI32(00000000), ref: 0104A757
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2819616528-0

              APIs
                • Part of subcall function 0101AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0101AE77
                • Part of subcall function 0101AE57: GetCurrentThreadId.KERNEL32 ref: 0101AE7E
                • Part of subcall function 0101AE57: AttachThreadInput.USER32(00000000,?,01019B65,?,00000001), ref: 0101AE85
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 01019B70
              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 01019B8D
              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 01019B90
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 01019B99
              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01019BB7
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01019BBA
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 01019BC3
              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01019BDA
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01019BDD
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
              • String ID:
              • API String ID: 2014098862-0

              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,01018A84,00000B00,?,?), ref: 01018E0C
              • HeapAlloc.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E13
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01018A84,00000B00,?,?), ref: 01018E28
              • GetCurrentProcess.KERNEL32(?,00000000,?,01018A84,00000B00,?,?), ref: 01018E30
              • DuplicateHandle.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E33
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,01018A84,00000B00,?,?), ref: 01018E43
              • GetCurrentProcess.KERNEL32(01018A84,00000000,?,01018A84,00000B00,?,?), ref: 01018E4B
              • DuplicateHandle.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E4E
              • CreateThread.KERNEL32(00000000,00000000,01018E74,00000000,00000000,00000000), ref: 01018E68
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-625585964

              APIs
                • Part of subcall function 01017652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?,?,0101799D), ref: 0101766F
                • Part of subcall function 01017652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 0101768A
                • Part of subcall function 01017652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 01017698
                • Part of subcall function 01017652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?), ref: 010176A8
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01039B1B
              • _memset.LIBCMT ref: 01039B28
              • _memset.LIBCMT ref: 01039C6B
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01039C97
              • CoTaskMemFree.OLE32(?), ref: 01039CA2
              Strings
              • NULL Pointer assignment, xrefs: 01039CF0
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316

              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01047093
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 010470A7
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 010470C1
              • _wcscat.LIBCMT ref: 0104711C
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 01047133
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 01047161
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650

              APIs
                • Part of subcall function 01023E91: CreateToolhelp32Snapshot.KERNEL32 ref: 01023EB6
                • Part of subcall function 01023E91: Process32FirstW.KERNEL32(00000000,?), ref: 01023EC4
                • Part of subcall function 01023E91: CloseHandle.KERNEL32(00000000), ref: 01023F8E
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103ECB8
              • GetLastError.KERNEL32 ref: 0103ECCB
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103ECFA
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0103ED77
              • GetLastError.KERNEL32(00000000), ref: 0103ED82
              • CloseHandle.KERNEL32(00000000), ref: 0103EDB7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425

              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 010232C5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466

              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0102454E
              • LoadStringW.USER32(00000000), ref: 01024555
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0102456B
              • LoadStringW.USER32(00000000), ref: 01024572
              • _wprintf.LIBCMT ref: 01024598
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 010245B6
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 01024593
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 177894805b5efdba201835129e31388b7c0c1d4344db515e465bc3c83029fd69
              • Instruction ID: 7d7c6515c14c0847aadca8456184883a92551be2265460db750c46286569b514
              • Opcode Fuzzy Hash: 177894805b5efdba201835129e31388b7c0c1d4344db515e465bc3c83029fd69
              • Instruction Fuzzy Hash: A201DBF68002197FE720D7A4DEC9EF7776CD708300F000595BB85D2002EA355E854B70
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • GetSystemMetrics.USER32(0000000F), ref: 0104D78A
              • GetSystemMetrics.USER32(0000000F), ref: 0104D7AA
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0104D9E5
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0104DA03
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0104DA24
              • ShowWindow.USER32(00000003,00000000), ref: 0104DA43
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0104DA68
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 0104DA8B
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID:
              • API String ID: 1211466189-0
              • Opcode ID: 05c8309a071f82fbc7528e8cd1269571fedb6a99f5bfe39163d3d40bec074dae
              • Instruction ID: 1c4636f6d3579b25d4951044c690f729c5adc882b5f5f8e257d4ac906bd424dc
              • Opcode Fuzzy Hash: 05c8309a071f82fbc7528e8cd1269571fedb6a99f5bfe39163d3d40bec074dae
              • Instruction Fuzzy Hash: 28B177B5600216EBEF14CFACC5C57AD7BF2BF54701F0881B9ED889A289D735A950CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FC2ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000,000000FF), ref: 00FC2B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FFC46A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FFC4D6
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 5a2dd4fab95832eeb50be8e319e1b5676194bd7249e2564786217132205fac7a
              • Instruction ID: ee5f35f63e7ff7394cef47efeb5f9dca98081d61150fbd2039d4f519dd859a14
              • Opcode Fuzzy Hash: 5a2dd4fab95832eeb50be8e319e1b5676194bd7249e2564786217132205fac7a
              • Instruction Fuzzy Hash: DB412A71A086869BC7B9DB2C9FDAF7A3B91FF85320F14880DE18786560C67E9841F750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0102737F
                • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 010273B6
              • EnterCriticalSection.KERNEL32(?), ref: 010273D2
              • _memmove.LIBCMT ref: 01027420
              • _memmove.LIBCMT ref: 0102743D
              • LeaveCriticalSection.KERNEL32(?), ref: 0102744C
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 01027461
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 01027480
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: 6ac30b7636a9cf7edc79a2fcba61c12589d0fa13d366dd864235da6a281a5752
              • Instruction ID: 17a6824fd9f5b5732af7430cce0b532db692985644449915c2d70d51826788f3
              • Opcode Fuzzy Hash: 6ac30b7636a9cf7edc79a2fcba61c12589d0fa13d366dd864235da6a281a5752
              • Instruction Fuzzy Hash: 9131CF75900246EBDF10EF69CD85AAFBBB8FF45310B1440A5F944AB24ADB35DA10DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DeleteObject.GDI32(00000000), ref: 0104645A
              • GetDC.USER32(00000000), ref: 01046462
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0104646D
              • ReleaseDC.USER32(00000000,00000000), ref: 01046479
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 010464B5
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 010464C6
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01049299,?,?,000000FF,00000000,?,000000FF,?), ref: 01046500
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01046520
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: 8d62ac627dd1fa7b7ffc25e4532b813661e5ec872c4ec3298c8dc810c3212542
              • Instruction ID: 372aaa1822fa72986138b2f922b0545e122344ebd0aff47eeb1abaa2aa6853c2
              • Opcode Fuzzy Hash: 8d62ac627dd1fa7b7ffc25e4532b813661e5ec872c4ec3298c8dc810c3212542
              • Instruction Fuzzy Hash: EF3193B52011107FEB218F54CD85FE73FA9EF4A751F0400A5FE489A195D67A9841CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 32ac2192bb84eca07adb2db7adb0eea1f54c5874a06b98be7b4f41493bfa9e35
              • Instruction ID: ae5926950b5102db7bbe2158dd79f481bd64d92381729193cb472fc50f2e4577
              • Opcode Fuzzy Hash: 32ac2192bb84eca07adb2db7adb0eea1f54c5874a06b98be7b4f41493bfa9e35
              • Instruction Fuzzy Hash: 0821D7727C1209B7F392A5278E42FAF379CAF12294B040024FE899A247E769DD11C1A6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
              • _wcstok.LIBCMT ref: 0102EEFF
              • _wcscpy.LIBCMT ref: 0102EF8E
              • _memset.LIBCMT ref: 0102EFC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: a185a376b19138b64378bb5b1a88ee035400b4a1e68285f07aedfed8184d19dd
              • Instruction ID: b065cd47464cb3e81e7cf0eb153cdb373ad26012739e96cbc1d3989aa1291abe
              • Opcode Fuzzy Hash: a185a376b19138b64378bb5b1a88ee035400b4a1e68285f07aedfed8184d19dd
              • Instruction Fuzzy Hash: 7EC1AF315083529FD764EF24C986E5AB7E4BF84310F00496DF9D98B2A2DB74ED44DB82
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?), ref: 01036F14
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01036F35
              • WSAGetLastError.WSOCK32(00000000), ref: 01036F48
              • htons.WSOCK32(?), ref: 01036FFE
              • inet_ntoa.WSOCK32(?), ref: 01036FBB
                • Part of subcall function 0101AE14: _strlen.LIBCMT ref: 0101AE1E
                • Part of subcall function 0101AE14: _memmove.LIBCMT ref: 0101AE40
              • _strlen.LIBCMT ref: 01037058
              • _memmove.LIBCMT ref: 010370C1
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: 9c93c77ad63ad19fc493c891da0292f429fd376c2d4a908e14e358307e2682cf
              • Instruction ID: 63e12e0c3018af97015c461e8eb09dd2c0219f9707d05406f41f616d10ea6587
              • Opcode Fuzzy Hash: 9c93c77ad63ad19fc493c891da0292f429fd376c2d4a908e14e358307e2682cf
              • Instruction Fuzzy Hash: 0481DF75104302ABD710EB28CD86F6FB7E9AFC4714F00491CF5959B292DA79AE05CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e96ef96a2fd6f095c114c915078d4fec04398671391c34c170067b1c81a356f9
              • Instruction ID: 1d4338822af0a1421a8c9146f986375a8c977f2c3b473357a22e4fee73991aaf
              • Opcode Fuzzy Hash: e96ef96a2fd6f095c114c915078d4fec04398671391c34c170067b1c81a356f9
              • Instruction Fuzzy Hash: C071807590010AEFCB14CF58CD85FBEBB79FF86324F248149F915AA252C734AA61DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindow.USER32(01834D88), ref: 0104B6A5
              • IsWindowEnabled.USER32(01834D88), ref: 0104B6B1
              • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0104B795
              • SendMessageW.USER32(01834D88,000000B0,?,?), ref: 0104B7CC
              • IsDlgButtonChecked.USER32(?,?), ref: 0104B809
              • GetWindowLongW.USER32(01834D88,000000EC), ref: 0104B82B
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0104B843
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID:
              • API String ID: 4072528602-0
              • Opcode ID: 9de30d596e4d651011b488a885b69921cdc5de79c36d1429a2bf4a6749e859e4
              • Instruction ID: f2360f9b56d9a7d0c728e712d141e39bdfab7c9a59dc80f05dbe7df087ea3fa6
              • Opcode Fuzzy Hash: 9de30d596e4d651011b488a885b69921cdc5de79c36d1429a2bf4a6749e859e4
              • Instruction Fuzzy Hash: 7C719EB4604205AFEB65EF68C8D4FAA7BF9FF09340F0840A9EAC597251C736E941CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 0103F75C
              • _memset.LIBCMT ref: 0103F825
              • ShellExecuteExW.SHELL32(?), ref: 0103F86A
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
              • GetProcessId.KERNEL32(00000000), ref: 0103F8E1
              • CloseHandle.KERNEL32(00000000), ref: 0103F910
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: 5706739efdb877e8706f5e346647a87b0e7149ff73e03cc2a27fad161a5dba5e
              • Instruction ID: c419759055dc6bf615656a4da87e47797c8eb0cd25d8dc6a31fe244dfe675aeb
              • Opcode Fuzzy Hash: 5706739efdb877e8706f5e346647a87b0e7149ff73e03cc2a27fad161a5dba5e
              • Instruction Fuzzy Hash: C461C075E0061ADFCB14EF54C985AAEBBF4FF88310B14805DE88AAB351CB34AD40CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(?), ref: 0102149C
              • GetKeyboardState.USER32(?), ref: 010214B1
              • SetKeyboardState.USER32(?), ref: 01021512
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 01021540
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0102155F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 010215A5
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 010215C8
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 7d2ec55a8b7697a9e60233923e1377b11c892661d827287dda885068ebcd5532
              • Instruction ID: 98e9f08d12e6e0fb1a687d0404f8a981c7188d50ac4b06f1f30cd9aa5d6c3e64
              • Opcode Fuzzy Hash: 7d2ec55a8b7697a9e60233923e1377b11c892661d827287dda885068ebcd5532
              • Instruction Fuzzy Hash: 9151C2B0A047F67EFB3646388C45BBA7EE96F06304F0C45C9E2D9558C2D7B99884D750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetParent.USER32(00000000), ref: 010212B5
              • GetKeyboardState.USER32(?), ref: 010212CA
              • SetKeyboardState.USER32(?), ref: 0102132B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01021357
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01021374
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 010213B8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 010213D9
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 3bf59876728719ccaa536d7c0b469f2c8ccd472afe11852a3f69d431d8a29a70
              • Instruction ID: aee6b1df716302bb2af0cce2df254e05e2ff76b88c78311742cdc6a481be859d
              • Opcode Fuzzy Hash: 3bf59876728719ccaa536d7c0b469f2c8ccd472afe11852a3f69d431d8a29a70
              • Instruction Fuzzy Hash: 1151D8B05047E63DFB3286288C55BBA7FEA6F06304F0885C9E2D8568C2D7B5A898D750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              • Opcode ID: 95b959342bbfde12c382186f302d1910bfcc6e89dfb39920e5dc930bfba85bc5
              • Instruction ID: 7905e644cd0193bb75c4ceebf2fb65eb373e573021e3b74e1990ecb37fbde907
              • Opcode Fuzzy Hash: 95b959342bbfde12c382186f302d1910bfcc6e89dfb39920e5dc930bfba85bc5
              • Instruction Fuzzy Hash: F741A5A5C2026876CB51EBB58C8B9CFB7ACAF05310F508466F658E3111F738E714D7AA
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010238D3,?), ref: 010248C7
                • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010238D3,?), ref: 010248E0
              • lstrcmpiW.KERNEL32(?,?), ref: 010238F3
              • _wcscmp.LIBCMT ref: 0102390F
              • MoveFileW.KERNEL32(?,?), ref: 01023927
              • _wcscat.LIBCMT ref: 0102396F
              • SHFileOperationW.SHELL32(?), ref: 010239DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              • Opcode ID: 7623de0b47f164bd1bd217732442ea1dac5ca6865c3ca65cf29c398f1be03b41
              • Instruction ID: 0e90084cbf2e12a211a93a3a99862f695b6319c361996b701469c9635b2cff97
              • Opcode Fuzzy Hash: 7623de0b47f164bd1bd217732442ea1dac5ca6865c3ca65cf29c398f1be03b41
              • Instruction Fuzzy Hash: 754181B16083959AC791EF68C881ADFB7ECBF89340F00096EF5C9C7151EA39D248C752
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 01047519
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010475C0
              • IsMenu.USER32(?), ref: 010475D8
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01047620
              • DrawMenuBar.USER32 ref: 01047633
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              • Opcode ID: 5226639ed959ace99133718c2c9e5af8d5aa744a2afc0f8c2317472e1bd94ea4
              • Instruction ID: cd4f245f1141f5a813ac52be0910837bb36f0a6d5688ca37930d55fcf38ce715
              • Opcode Fuzzy Hash: 5226639ed959ace99133718c2c9e5af8d5aa744a2afc0f8c2317472e1bd94ea4
              • Instruction Fuzzy Hash: 15411AB5A00249EFDB20DF58D9C4E9ABBF9FF08314F048169EE959B250D735A950CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0104125C
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01041286
              • FreeLibrary.KERNEL32(00000000), ref: 0104133D
                • Part of subcall function 0104122D: RegCloseKey.ADVAPI32(?), ref: 010412A3
                • Part of subcall function 0104122D: FreeLibrary.KERNEL32(?), ref: 010412F5
                • Part of subcall function 0104122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01041318
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 010412E0
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              • Opcode ID: adf0140bff9599ea61fcfd01762e1ab47c86faa532b1cfa17590747fceb0dc33
              • Instruction ID: 5f97be1ffdd2702bb17c003ef8a6089432ca8d16d325f72dd464003556558c79
              • Opcode Fuzzy Hash: adf0140bff9599ea61fcfd01762e1ab47c86faa532b1cfa17590747fceb0dc33
              • Instruction Fuzzy Hash: 35314FF5901119BFEB159B94D9C5EFEB7BCEF08300F0041A9E591E2140DA756A859BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0104655B
              • GetWindowLongW.USER32(01834D88,000000F0), ref: 0104658E
              • GetWindowLongW.USER32(01834D88,000000F0), ref: 010465C3
              • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 010465F5
              • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0104661F
              • GetWindowLongW.USER32(?,000000F0), ref: 01046630
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0104664A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: 86eaa37a7be65ad250b88d3ba86129b2deacd357e84658f742a361a2d3fbdb05
              • Instruction ID: 66bdcedb550671b26e9638524d95a22a308d304d1fee8bda5a7ece15d425a8ae
              • Opcode Fuzzy Hash: 86eaa37a7be65ad250b88d3ba86129b2deacd357e84658f742a361a2d3fbdb05
              • Instruction Fuzzy Hash: 513119B4604111AFDB31DF6CE8C4F593BE1FB4A750F1902A4F5858B2AADB77A840CB81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 010380A0: inet_addr.WSOCK32(00000000), ref: 010380CB
              • socket.WSOCK32(00000002,00000001,00000006), ref: 010364D9
              • WSAGetLastError.WSOCK32(00000000), ref: 010364E8
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01036521
              • connect.WSOCK32(00000000,?,00000010), ref: 0103652A
              • WSAGetLastError.WSOCK32 ref: 01036534
              • closesocket.WSOCK32(00000000), ref: 0103655D
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01036576
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              • Opcode ID: 89263313823b6982da013a44ff32f4e7c15b63746d8506130e786acb4a0df3d1
              • Instruction ID: 4f4e49af2035a04d6312d255add8cd40887a5a66971ebfc6abf711ce6893f56d
              • Opcode Fuzzy Hash: 89263313823b6982da013a44ff32f4e7c15b63746d8506130e786acb4a0df3d1
              • Instruction Fuzzy Hash: 8631B575600119AFEB109F18DD85FBE7BEDEB84714F00806DF989DB281DB79A904CB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101E0FA
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101E120
              • SysAllocString.OLEAUT32(00000000), ref: 0101E123
              • SysAllocString.OLEAUT32 ref: 0101E144
              • SysFreeString.OLEAUT32 ref: 0101E14D
              • StringFromGUID2.OLE32(?,?,00000028), ref: 0101E167
              • SysAllocString.OLEAUT32(?), ref: 0101E175
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: dcbae8410ebcc3aa9afaf9391e42df0cdb334fa4e1e2faf9366a57897cfb503f
              • Instruction ID: fb6076b036189ca195d136db9a7d7defa998d0c204093788aafc8ca76b0063c5
              • Opcode Fuzzy Hash: dcbae8410ebcc3aa9afaf9391e42df0cdb334fa4e1e2faf9366a57897cfb503f
              • Instruction Fuzzy Hash: 2821A776600109AFDB21AFACDC88CAF77ECEB09760B408165FD95CB259DE79DC418B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 1038674560-2734436370
              • Opcode ID: d09f59ecb61d9721012428b6215407c0b5eadfd26e3da719d3a3655b58071cce
              • Instruction ID: 9fb8fbc3b2552855590963b2e8c0c5866bb77d8de4ed3b3bcc883f1ce33781da
              • Opcode Fuzzy Hash: d09f59ecb61d9721012428b6215407c0b5eadfd26e3da719d3a3655b58071cce
              • Instruction Fuzzy Hash: 8A217CB2104253A6D331B6399E52FAB73D8FF05344F04402AFEC687146E79CA985E3A1
              Uniqueness

              Uniqueness Score: -1.00%
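The entry above is the runtime's directive parser: it compares text against #OnAutoItStartRegister, #notrayicon and #requireadmin with __wcsnicmp, which is why those names are present in the main module as UTF-16LE strings and are matched case-insensitively. That, together with the "AU3!EA06" signature that compiled AutoIt v3 executables place in front of the embedded script, is the usual basis for the "Binary is likely a compiled AutoIt script file" verdict. The scanner below is an added example, not part of the Joe Sandbox report or of AutoIt; the function names are mine, the directive strings are the ones listed in the entry, and SAMPLE_BLOB is a constructed stand-in rather than the analysed file.

```python
"""Triage check for a compiled-AutoIt stub (added example, not report code).

Looks for the AutoIt directive strings as UTF-16LE, case-insensitively as
the runtime does, and for the "AU3!EA06" script signature, and reports
their offsets in a byte buffer.
"""
import re
from typing import Dict, List

DIRECTIVES = ("#OnAutoItStartRegister", "#notrayicon", "#requireadmin")
SCRIPT_MAGIC = b"AU3!EA06"


def _utf16_ci(text: str) -> "re.Pattern[bytes]":
    # UTF-16LE bytes; IGNORECASE folds the ASCII letter bytes, so
    # "#NoTrayIcon" matches the "#notrayicon" pattern as well.
    return re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)


def scan_autoit_markers(data: bytes) -> Dict[str, object]:
    """Return directive offsets, script-signature offsets and a verdict."""
    directives: Dict[str, List[int]] = {}
    for name in DIRECTIVES:
        offsets = [m.start() for m in _utf16_ci(name).finditer(data)]
        if offsets:
            directives[name] = offsets
    magic = [m.start() for m in re.finditer(re.escape(SCRIPT_MAGIC), data)]
    # Directives alone only prove an AutoIt interpreter is embedded (a clean
    # AutoIt3.exe has them too); the signature shows a script travels with it.
    return {
        "directives": directives,
        "script_magic": magic,
        "likely_autoit": bool(magic) or len(directives) >= 2,
    }


# Constructed stand-in for a stub: a 16-byte header, two directives in
# mixed case as the runtime accepts them, then a script signature.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 14
    + "#NoTrayIcon".encode("utf-16-le") + b"\x00\x00"
    + "#RequireAdmin".encode("utf-16-le") + b"\x00\x00"
    + SCRIPT_MAGIC + b"\x00" * 8
)

if __name__ == "__main__":
    print(scan_autoit_markers(SAMPLE_BLOB))
```

Run it over the on-disk sample or over the 00FC0000 memory dump linked above; a hit on the directives without the signature means an AutoIt interpreter is present but the script itself may live elsewhere (another resource, or only in memory after unpacking).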

              APIs
                • Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
                • Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
                • Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 010478A1
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 010478AE
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 010478B9
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 010478C8
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 010478D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: 3febb89ce44718102afcc7f349c2f1d706e20caa7b30c34cf2796e22b51dd708
              • Instruction ID: f175a384b5db5b5a624edd211b36d34e8d41525399b9a8d7dbcde957629200d8
              • Opcode Fuzzy Hash: 3febb89ce44718102afcc7f349c2f1d706e20caa7b30c34cf2796e22b51dd708
              • Instruction Fuzzy Hash: A01193B155011ABFFF159E64CC85EEB7F6DEF08798F014129B644A6050C7729C21DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FE4292,?), ref: 00FE41E3
              • GetProcAddress.KERNEL32(00000000), ref: 00FE41EA
              • EncodePointer.KERNEL32(00000000), ref: 00FE41F6
              • DecodePointer.KERNEL32(00000001,00FE4292,?), ref: 00FE4213
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 3489934621-340411864
              • Opcode ID: abce1ab908f0a5e2ba47f179ed56df646c18968441434528892b9ed581cf3972
              • Instruction ID: 183ea7576ebee70fb2909a08b472208188f64f68cac8384bc3254cb06fcf2e4e
              • Opcode Fuzzy Hash: abce1ab908f0a5e2ba47f179ed56df646c18968441434528892b9ed581cf3972
              • Instruction Fuzzy Hash: 97E012F4E90342AFEF306B75ED49B093595BB11743F508428B9D1D9088D7BF50519F10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FE41B8), ref: 00FE42B8
              • GetProcAddress.KERNEL32(00000000), ref: 00FE42BF
              • EncodePointer.KERNEL32(00000000), ref: 00FE42CA
              • DecodePointer.KERNEL32(00FE41B8), ref: 00FE42E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 3489934621-2819208100
              • Opcode ID: 60724c58d8a832416ea83fa475050ffcce40a03856c3a9c353ec3736597bff20
              • Instruction ID: c7b05fe3c179ec0f2399b36e4b7fa40f45689c4c077f696141dd7c674fbdb496
              • Opcode Fuzzy Hash: 60724c58d8a832416ea83fa475050ffcce40a03856c3a9c353ec3736597bff20
              • Instruction Fuzzy Hash: 09E0BFBCA45302EBEF70AF65EE4DB093AA4BB14B46F104018F9C1D5048DB7E5500DB14
              Uniqueness

              Uniqueness Score: -1.00%
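Several entries above only become readable once the numeric arguments are mapped back to their SDK names: the SendMessageW calls with 000000F0/000000F1 (BM_GETCHECK/BM_SETCHECK) and 00000401..00002001 (the PBM_* progress-bar messages sent to the Msctls_Progress32 control), the socket(2,1,6) / ioctlsocket(…,8004667E,…) / connect / closesocket sequence (a TCP socket switched to non-blocking with FIONBIO, connected, then switched back, the shape of a connect-with-timeout), and the two LoadLibraryExW(combase.dll,0,00000800,…) calls (LOAD_LIBRARY_SEARCH_SYSTEM32, so the RoInitialize/RoUninitialize lookup cannot be hijacked by a DLL planted next to the sample). The decoder below is an added example, not Joe Sandbox or AutoIt code; it parses the report's own line format and annotates only constants whose values are fixed by the Windows SDK headers. The parsing helpers and record layout are mine, and SAMPLE_LINES are copied from the entries above.

```python
"""Decode fixed-meaning arguments in Joe Sandbox "APIs" lines (added example).

Parses report lines of the form  Name.MODULE(arg,arg,...), ref: ADDR  and
annotates arguments whose meaning is fixed by the Windows SDK: window messages
(winuser.h, commctrl.h), socket parameters and ioctl codes (winsock2.h) and
LoadLibraryEx flags (libloaderapi.h).  Arguments shown as "?" are left alone.
"""
import re
from typing import Dict, List, Optional

API_LINE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
    0x0111: "WM_COMMAND", 0x0401: "PBM_SETRANGE", 0x0402: "PBM_SETPOS",
    0x0404: "PBM_SETSTEP", 0x0409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR",
}
ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOLS = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
IOCTL_CODES = {0x8004667E: "FIONBIO", 0x4004667F: "FIONREAD"}
LOAD_LIBRARY_FLAGS = {
    0x0001: "DONT_RESOLVE_DLL_REFERENCES", 0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


def _hex(arg: str) -> Optional[int]:
    """Parse one report argument as hex; '?' and string literals give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def _arg(args: List[str], idx: int) -> Optional[int]:
    return _hex(args[idx]) if len(args) > idx else None


def _flags(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask as OR-ed SDK names, keeping unknown bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:X}")
    return "|".join(names) if names else "0"


def _decode_message(args: List[str]) -> Dict[int, str]:
    """SendMessageW/PostMessageW: name the message; unpack PBM_SETRANGE's lParam."""
    notes: Dict[int, str] = {}
    msg, lparam = _arg(args, 1), _arg(args, 3)
    if msg in WINDOW_MESSAGES:
        notes[1] = WINDOW_MESSAGES[msg]
    if msg == 0x0401 and lparam is not None:  # MAKELPARAM(low, high)
        notes[3] = f"range {lparam & 0xFFFF}..{(lparam >> 16) & 0xFFFF}"
    return notes


def _decode_socket(args: List[str]) -> Dict[int, str]:
    notes: Dict[int, str] = {}
    for idx, table in enumerate((ADDRESS_FAMILIES, SOCKET_TYPES, PROTOCOLS)):
        val = _arg(args, idx)
        if val in table:
            notes[idx] = table[val]
    return notes


def _decode_ioctlsocket(args: List[str]) -> Dict[int, str]:
    cmd = _arg(args, 1)
    return {1: IOCTL_CODES[cmd]} if cmd in IOCTL_CODES else {}


def _decode_loadlibraryex(args: List[str]) -> Dict[int, str]:
    flags = _arg(args, 2)
    return {2: _flags(flags, LOAD_LIBRARY_FLAGS)} if flags is not None else {}


DECODERS = {
    "SendMessageW": _decode_message, "PostMessageW": _decode_message,
    "socket": _decode_socket, "ioctlsocket": _decode_ioctlsocket,
    "LoadLibraryExW": _decode_loadlibraryex,
}


def decode_api_line(line: str) -> Optional[dict]:
    """Return a record for one 'Name.MODULE(args), ref: ADDR' line, else None."""
    m = API_LINE.search(line)
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
    notes = DECODERS.get(name, lambda _a: {})(args)
    shown = [f"{a}={notes[i]}" if i in notes else a for i, a in enumerate(args)]
    return {"name": name, "module": module, "ref": int(ref, 16), "args": args,
            "notes": notes, "text": f"{name}({', '.join(shown)})  @ {ref}"}


def decode_report(lines: List[str]) -> List[dict]:
    return [rec for rec in map(decode_api_line, lines) if rec is not None]


# Copied from the report entries above.
SAMPLE_LINES = [
    "• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0104661F",
    "• socket.WSOCK32(00000002,00000001,00000006), ref: 010364D9",
    "• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01036521",
    "• WSAGetLastError.WSOCK32 ref: 01036534",
    "• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 010478C8",
    "• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FE4292,?), ref: 00FE41E3",
]

if __name__ == "__main__":
    for rec in decode_report(SAMPLE_LINES):
        print(rec["text"])
```

Two caveats when reading these lines. The report prints stack slots beyond an API's documented arity, so the trailing RoInitialize and 00FE4292 after LoadLibraryExW's three parameters are most likely the caller's frame (the name handed to GetProcAddress next, and a return address), not arguments. And some negative constants are rendered without sign extension: the GetWindowLongW index above appears as 000000F0 where GWL_STYLE is -16 (0xFFFFFFF0), presumably the 8-bit immediate of a push instruction shown unsigned; the decoder deliberately leaves such values raw rather than guess.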

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              • API String ID: 3253778849-0
              • Opcode ID: da52f7aa59bd86189c3283b216ba2f53a604beb6c066220f3fc8d1d2b7220bb0
              • Instruction ID: 0984039e8a2f08311dc191abf85b8631f5d16122ba368d798a310a060e7b8aeb
              • Opcode Fuzzy Hash: da52f7aa59bd86189c3283b216ba2f53a604beb6c066220f3fc8d1d2b7220bb0
              • Instruction Fuzzy Hash: A661FF305042AAABDF11EF21CD82FFE3BA8AF44308F044158FD895B292DF79A901DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040548
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01040588
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 010405AB
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 010405D4
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 01040617
              • RegCloseKey.ADVAPI32(00000000), ref: 01040624
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              • API String ID: 4046560759-0
              • Opcode ID: 31ff03cee1b4cd96499f0d8fc06e2fa6cf0a5d126e04e7b2f08fd5d77e4da111
              • Instruction ID: c2338fec294e8d267dd3943b2b4b0db43831e35dff6f81c24a23af2b0e5b8e93
              • Opcode Fuzzy Hash: 31ff03cee1b4cd96499f0d8fc06e2fa6cf0a5d126e04e7b2f08fd5d77e4da111
              • Instruction Fuzzy Hash: DF516971108241AFD710EB28CD85EAFBBE8FF88704F04496DF68597291DB76E904DB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetMenu.USER32(?), ref: 01045A82
              • GetMenuItemCount.USER32(00000000), ref: 01045AB9
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 01045AE1
              • GetMenuItemID.USER32(?,?), ref: 01045B50
              • GetSubMenu.USER32(?,?), ref: 01045B5E
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 01045BAF
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: e93a40ddd64482f929c949bb67d7ebb0f94e74045de8aa78907f7b9a40731a0c
              • Instruction ID: 3b80809884a93bd0529bee6e41e07987703482f4c5b916c7d8faabc9926d2056
              • Opcode Fuzzy Hash: e93a40ddd64482f929c949bb67d7ebb0f94e74045de8aa78907f7b9a40731a0c
              • Instruction Fuzzy Hash: BD5191B5A00216EFDB11DF68CD85AAEB7B4EF48310F1044A9E985BB351CB75AE40CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 0101F3F7
              • VariantClear.OLEAUT32(00000013), ref: 0101F469
              • VariantClear.OLEAUT32(00000000), ref: 0101F4C4
              • _memmove.LIBCMT ref: 0101F4EE
              • VariantClear.OLEAUT32(?), ref: 0101F53B
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0101F569
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              • Opcode ID: 4c9f06770592c76e9b534734b8fb2d75d4b5a36fe7d3f008b5b2d62032abe36b
              • Instruction ID: ff4af890363c013e85e3d0ae7334ab92d38f78db92d30cbd59a113ac1fc77295
              • Opcode Fuzzy Hash: 4c9f06770592c76e9b534734b8fb2d75d4b5a36fe7d3f008b5b2d62032abe36b
              • Instruction Fuzzy Hash: 06516BB5A0020AEFDB10CF58D880AAABBF8FF4C354B158159EA59DB305D734E915CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 01022747
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022792
              • IsMenu.USER32(00000000), ref: 010227B2
              • CreatePopupMenu.USER32 ref: 010227E6
              • GetMenuItemCount.USER32(000000FF), ref: 01022844
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01022875
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: 65ccbe77380544e641ce0319b0b9264957128e5676cbccc4dd355ba75f2fbe52
              • Instruction ID: 64d06b8263bd2029d2f2dba0205cc56ebefabfb071a047e4de6743d0bd4a3b06
              • Opcode Fuzzy Hash: 65ccbe77380544e641ce0319b0b9264957128e5676cbccc4dd355ba75f2fbe52
              • Instruction Fuzzy Hash: A951B170A0136ADFDF25CFA8C988AAEBBF4BF44314F104299F9919B291D7B0D544CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00FC179A
              • GetWindowRect.USER32(?,?), ref: 00FC17FE
              • ScreenToClient.USER32(?,?), ref: 00FC181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FC182C
              • EndPaint.USER32(?,?), ref: 00FC1876
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              • Opcode ID: e30e193eef2508825a69883a706d730958dd6baf06c25d5fb8c6018fe492ba1d
              • Instruction ID: b287fe06997c3b0da90ece751c302ce143501b5d8a1a6dac318d2a83a03789bb
              • Opcode Fuzzy Hash: e30e193eef2508825a69883a706d730958dd6baf06c25d5fb8c6018fe492ba1d
              • Instruction Fuzzy Hash: 9B41A0B1508302DFD720DF24C985FBA7BE8FB4A724F14066CF9D4861A2C73A9855EB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ShowWindow.USER32(010867B0,00000000,01834D88,?,?,010867B0,?,0104B862,?,?), ref: 0104B9CC
              • EnableWindow.USER32(?,00000000), ref: 0104B9F0
              • ShowWindow.USER32(010867B0,00000000,01834D88,?,?,010867B0,?,0104B862,?,?), ref: 0104BA50
              • ShowWindow.USER32(?,00000004,?,0104B862,?,?), ref: 0104BA62
              • EnableWindow.USER32(?,00000001), ref: 0104BA86
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0104BAA9
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: 75627b7d0907d1216d6fabab5f1f81a161a56d45a3dfc1076e9eda7b247acce4
              • Instruction ID: 4b5eef2e60a8930355a746663b88afe123f8779bbe97e304b625ea0d6e4a6e02
              • Opcode Fuzzy Hash: 75627b7d0907d1216d6fabab5f1f81a161a56d45a3dfc1076e9eda7b247acce4
              • Instruction Fuzzy Hash: 694153B4600241AFDB62DF2CC5C9BA57FE0BB09315F1841F9EA888F2A6C731E855CB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,01035134,?,?,00000000,00000001), ref: 010373BF
                • Part of subcall function 01033C94: GetWindowRect.USER32(?,?), ref: 01033CA7
              • GetDesktopWindow.USER32 ref: 010373E9
              • GetWindowRect.USER32(00000000), ref: 010373F0
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01037422
                • Part of subcall function 010254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E
              • GetCursorPos.USER32(?), ref: 0103744E
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010374AC
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: 40e5cc30a1450cb7859aef050eac4fa1025fa91148e9b8e5e1cfd319c7c374ae
              • Instruction ID: 841e63fbfec329b87f3fe31bb3ca1e3ff4f044ea50e14f3a1cfe2cbbb0811074
              • Opcode Fuzzy Hash: 40e5cc30a1450cb7859aef050eac4fa1025fa91148e9b8e5e1cfd319c7c374ae
              • Instruction Fuzzy Hash: E031B0B2504316ABD720DF58D888F9BBBE9FF98314F004919F9D997181CB75E908CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 010185F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01018608
                • Part of subcall function 010185F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01018612
                • Part of subcall function 010185F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01018621
                • Part of subcall function 010185F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01018628
                • Part of subcall function 010185F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101863E
              • GetLengthSid.ADVAPI32(?,00000000,01018977), ref: 01018DAC
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 01018DB8
              • HeapAlloc.KERNEL32(00000000), ref: 01018DBF
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 01018DD8
              • GetProcessHeap.KERNEL32(00000000,00000000,01018977), ref: 01018DEC
              • HeapFree.KERNEL32(00000000), ref: 01018DF3
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              • Opcode ID: 326859dbdbf857ba19bb27a3dd29e5d2558cc029278360ccf2881a3c31fa7fa5
              • Instruction ID: 723fe7897d3460fbb7d73b82a97e7341cc36d854ef7044fdde410740c963fceb
              • Opcode Fuzzy Hash: 326859dbdbf857ba19bb27a3dd29e5d2558cc029278360ccf2881a3c31fa7fa5
              • Instruction Fuzzy Hash: 9A11E175500606FFDB60AFA8CD88BAE7BA9EF51315F50805AF9C597208C73A9A00CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 01018B2A
              • OpenProcessToken.ADVAPI32(00000000), ref: 01018B31
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01018B40
              • CloseHandle.KERNEL32(00000004), ref: 01018B4B
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01018B7A
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 01018B8E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 19dab303adb77ed1158703333b5d20bc9abcf937607faafa44a61fb1cf761a8e
              • Instruction ID: 1179b1785e6d6f1b8a18b5c994680f20cb9ac251dd67e1ccebca0f785a1e2049
              • Opcode Fuzzy Hash: 19dab303adb77ed1158703333b5d20bc9abcf937607faafa44a61fb1cf761a8e
              • Instruction Fuzzy Hash: EA111DB650120AABEB118F98ED89FDA7BE9FB45304F044055FE44A2154C27A9E609B60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
                • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC135C
                • Part of subcall function 00FC12F3: BeginPath.GDI32(?), ref: 00FC1373
                • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC139C
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0104C1C4
              • LineTo.GDI32(00000000,00000003,?), ref: 0104C1D8
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104C1E6
              • LineTo.GDI32(00000000,00000000,?), ref: 0104C1F6
              • EndPath.GDI32(00000000), ref: 0104C206
              • StrokePath.GDI32(00000000), ref: 0104C216
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: cf29c2c1f10918e90d6f3f0b07c64de7dc4859fe3fa0f9c2c0fe89c65bb7311c
              • Instruction ID: 91da79ab4b8c95d7388c69213b0fe3639adfec00a583c6122065f46010fe5090
              • Opcode Fuzzy Hash: cf29c2c1f10918e90d6f3f0b07c64de7dc4859fe3fa0f9c2c0fe89c65bb7311c
              • Instruction Fuzzy Hash: 0D115EB600010DBFEF219F94DD88FDA3FACEB04354F048021BA8846165C7769D54DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FE03D3
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FE03DB
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FE03E6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FE03F1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FE03F9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE0401
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: c246b060f32b71d6900534dba0d7e1e49e82d77212d56a50eb9fcc3cc262a4f3
              • Instruction ID: f38200f2867656847c097720d73222093864512debc349775a3d42b0e966fc47
              • Opcode Fuzzy Hash: c246b060f32b71d6900534dba0d7e1e49e82d77212d56a50eb9fcc3cc262a4f3
              • Instruction Fuzzy Hash: 79016CB090275A7DE3009F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0102569B
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 010256B1
              • GetWindowThreadProcessId.USER32(?,?), ref: 010256C0
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256CF
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256D9
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256E0
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: a52256f202aa07a51422b31774e4049f841d70cf4814ad9ecc8a9c4fcee7aa83
              • Instruction ID: 36433969bd43e1d5cde34f50d507174e1e1cd1e9faeb08e2a2cd941a27d3beb3
              • Opcode Fuzzy Hash: a52256f202aa07a51422b31774e4049f841d70cf4814ad9ecc8a9c4fcee7aa83
              • Instruction Fuzzy Hash: 21F09675141159BBE3315A66DD4DEEF7B7CEFCBB11F000159F940D1041D7A61A0187B5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 010274E5
              • EnterCriticalSection.KERNEL32(?,?,00FD1044,?,?), ref: 010274F6
              • TerminateThread.KERNEL32(00000000,000001F6,?,00FD1044,?,?), ref: 01027503
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FD1044,?,?), ref: 01027510
                • Part of subcall function 01026ED7: CloseHandle.KERNEL32(00000000,?,0102751D,?,00FD1044,?,?), ref: 01026EE1
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 01027523
              • LeaveCriticalSection.KERNEL32(?,?,00FD1044,?,?), ref: 0102752A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: b96826a039c76c010020ae4038ee5bb8685a2974df09002b6c9959224d4c0a2d
              • Instruction ID: 281f3e3bd1c684536e971130f14ebb0eb1e1aa94050f39c793b8cddb65c50377
              • Opcode Fuzzy Hash: b96826a039c76c010020ae4038ee5bb8685a2974df09002b6c9959224d4c0a2d
              • Instruction Fuzzy Hash: 41F054BE540623ABEB212B68FFCC9DB7B69EF45302B000561F682910A8CB7A5401CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01018E7F
              • UnloadUserProfile.USERENV(?,?), ref: 01018E8B
              • CloseHandle.KERNEL32(?), ref: 01018E94
              • CloseHandle.KERNEL32(?), ref: 01018E9C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 01018EA5
              • HeapFree.KERNEL32(00000000), ref: 01018EAC
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 625c63b03d8432b702a7b0529286dfceeee090e5ce680978e1c1777cb92f9049
              • Instruction ID: 90cf2ae884b947986d0168f10d42123af3509f03be4b074c3b7eb5fe976aba35
              • Opcode Fuzzy Hash: 625c63b03d8432b702a7b0529286dfceeee090e5ce680978e1c1777cb92f9049
              • Instruction Fuzzy Hash: 14E0EDBA004002BBD7112FE9EE4C906BFB9FF897227108220F255C1478CB3B5420DB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • VariantInit.OLEAUT32(?), ref: 01038928
              • CharUpperBuffW.USER32(?,?), ref: 01038A37
              • VariantClear.OLEAUT32(?), ref: 01038BAF
                • Part of subcall function 01027804: VariantInit.OLEAUT32(00000000), ref: 01027844
                • Part of subcall function 01027804: VariantCopy.OLEAUT32(00000000,?), ref: 0102784D
                • Part of subcall function 01027804: VariantClear.OLEAUT32(00000000), ref: 01027859
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: 11ccc8b09ff8511129cfa3f3fb3435e68173984a188dc73c800bb9dafe5fd46e
              • Instruction ID: ae932d8ea845bee59c7747cff017f64611d9dd802d925d5e6a7d27de8c8ff714
              • Opcode Fuzzy Hash: 11ccc8b09ff8511129cfa3f3fb3435e68173984a188dc73c800bb9dafe5fd46e
              • Instruction Fuzzy Hash: E5919F74608302DFC714DF28C58595ABBE8EFC8714F048AAEF89A8B351DB35E945CB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
              • _memset.LIBCMT ref: 01023077
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 010230A6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01023159
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01023187
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0101DAC5
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0101DAFB
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0101DB0C
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0101DB8E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 01022CAF
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 01022CCB
              • DeleteMenu.USER32(?,00000007,00000000), ref: 01022D11
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01086890,00000000), ref: 01022D5A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0103DAD9
                • Part of subcall function 00FC79AB: _memmove.LIBCMT ref: 00FC79F9
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 010193F6
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01019409
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 01019439
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01031B40
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01031B66
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01031B96
              • InternetCloseHandle.WININET(00000000), ref: 01031BDD
                • Part of subcall function 01032777: GetLastError.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 0103278C
                • Part of subcall function 01032777: SetEvent.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 010327A1
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3113390036-3916222277
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
                • Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
                • Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 010466D0
              • LoadLibraryW.KERNEL32(?), ref: 010466D7
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 010466EC
              • DestroyWindow.USER32(?), ref: 010466F4
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 0102712B
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0102715D
              • GetStdHandle.KERNEL32(000000F6), ref: 0102716E
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010271A8
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 0102705E
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01027091
              • GetStdHandle.KERNEL32(0000000C), ref: 010270A3
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 010270DD
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0102AEBF
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0102AF13
              • __swprintf.LIBCMT ref: 0102AF2C
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0104F910), ref: 0102AF6A
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                • Part of subcall function 0101A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101A399
                • Part of subcall function 0101A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0101A3AC
                • Part of subcall function 0101A37C: GetCurrentThreadId.KERNEL32 ref: 0101A3B3
                • Part of subcall function 0101A37C: AttachThreadInput.USER32(00000000), ref: 0101A3BA
              • GetFocus.USER32 ref: 0101A554
                • Part of subcall function 0101A3C5: GetParent.USER32(?), ref: 0101A3D3
              • GetClassNameW.USER32(?,?,00000100), ref: 0101A59D
              • EnumChildWindows.USER32(?,0101A615), ref: 0101A5C5
              • __swprintf.LIBCMT ref: 0101A5DF
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
              • String ID: %s%d
              • API String ID: 1941087503-1110647743
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharUpperBuffW.USER32(?,?), ref: 01022048
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0103EF1B
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0103EF4B
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0103F07E
              • CloseHandle.KERNEL32(?), ref: 0103F0FF
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040388
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010403C7
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0104040E
              • RegCloseKey.ADVAPI32(?,?), ref: 0104043A
              • RegCloseKey.ADVAPI32(00000000), ref: 01040447
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0103DC3B
              • GetProcAddress.KERNEL32(00000000,?), ref: 0103DCBE
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0103DCDA
              • GetProcAddress.KERNEL32(00000000,?), ref: 0103DD1B
              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0103DD35
                • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
                • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              • Opcode ID: 4b891774879398b2182f319795e57245eba907d7c9231c35d0bed9743b15b7bf
              • Instruction ID: 317258707279020feaa332733bbb0fd5d125b78b5685c0e2a7d2f2489d30f095
              • Opcode Fuzzy Hash: 4b891774879398b2182f319795e57245eba907d7c9231c35d0bed9743b15b7bf
              • Instruction Fuzzy Hash: 8D514B75A0020A9FCB01EFA8C985DADB7F8FF49310B458099E859AB312DB75ED45CF50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0102E88A
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0102E8B3
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0102E8F2
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0102E917
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0102E91F
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: 9055a8f426ef8bfc65137fa0d3ef06af5dbb4646e02a20521b797ef59eb011ba
              • Instruction ID: 5611c9d17f374cdb697c18bdbb9ec496092104dadbae063942f2aed5f722afd7
              • Opcode Fuzzy Hash: 9055a8f426ef8bfc65137fa0d3ef06af5dbb4646e02a20521b797ef59eb011ba
              • Instruction Fuzzy Hash: 53513975A00216DFCF01EF65CA85EAEBBF5EF08310B148099E849AB362CB75ED11DB50
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6e5d11faf1007f367d778e116e3936d7e81c58f3d994a25bbced3089f2de2b0
              • Instruction ID: bcbcb2139b6dc539235d2c7b702dfae59c07e5536bd0bcfa6a530d109ac486db
              • Opcode Fuzzy Hash: c6e5d11faf1007f367d778e116e3936d7e81c58f3d994a25bbced3089f2de2b0
              • Instruction Fuzzy Hash: 8341F2F9A40104EBD760DA2CC8C8BA9BBA4EB09311F0581B4FAD6A72D1EB7199418A50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCursorPos.USER32(?), ref: 00FC2357
              • ScreenToClient.USER32(010867B0,?), ref: 00FC2374
              • GetAsyncKeyState.USER32(00000001), ref: 00FC2399
              • GetAsyncKeyState.USER32(00000002), ref: 00FC23A7
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: a8e3f2f422ddea6e065144c24bd92e75ee89a2ff9078d077fa9263e47600754a
              • Instruction ID: c4e3a94b8c58ffd3a4c08037a8ef2764d620fafebaa1f80a9dd48d63747ff2c6
              • Opcode Fuzzy Hash: a8e3f2f422ddea6e065144c24bd92e75ee89a2ff9078d077fa9263e47600754a
              • Instruction Fuzzy Hash: A5417F7590415AFBDF159FA8C944FEDBB74FF05320F20431AE968922A0C7356950EB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0101695D
              • TranslateAcceleratorW.USER32(?,?,?), ref: 010169A9
              • TranslateMessage.USER32(?), ref: 010169D2
              • DispatchMessageW.USER32(?), ref: 010169DC
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010169EB
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: 05f2089925491467d09adefc027625dea32ec6231330e0038c4cd0c6a4dd095e
              • Instruction ID: 6448ce8684e19cc985a6dfb8926db93a50e9d97eed4bbc9878494c838057bdf2
              • Opcode Fuzzy Hash: 05f2089925491467d09adefc027625dea32ec6231330e0038c4cd0c6a4dd095e
              • Instruction Fuzzy Hash: 1E31D271904246ABEB71CE799C84FFA7BEDAB05300F1541A9E5E1C3149E7AF9085CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(?,?), ref: 01018F12
              • PostMessageW.USER32(?,00000201,00000001), ref: 01018FBC
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01018FC4
              • PostMessageW.USER32(?,00000202,00000000), ref: 01018FD2
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01018FDA
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: 04218b4f00b4063eb70ebc0df6de360b3d46488dbd237ccd725e5b0b489d5441
              • Instruction ID: e8311ddb88a1bd83947fa896efd640e2458f0103f0f77279b77a8a989d35e4c0
              • Opcode Fuzzy Hash: 04218b4f00b4063eb70ebc0df6de360b3d46488dbd237ccd725e5b0b489d5441
              • Instruction Fuzzy Hash: 2E31E2B150021AEFDB14CF6CD98CA9E7BB6EB04315F00825AFAA4A71D5C3B49A14CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • IsWindowVisible.USER32(?), ref: 0101B6C7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0101B6E4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0101B71C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0101B742
              • _wcsstr.LIBCMT ref: 0101B74C
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              • Opcode ID: a24088f1a24b3595f5520053aa380012f10fc91bb882007a128144cbcb45bee3
              • Instruction ID: 6ba0d5035523cbbc7e5efd354a5a689020c9b46c54dc09a0e33df1208e7ec17e
              • Opcode Fuzzy Hash: a24088f1a24b3595f5520053aa380012f10fc91bb882007a128144cbcb45bee3
              • Instruction Fuzzy Hash: 12212672204244BBEB255B3E9D49E7B7BFCEF49760F044069FD49CA195EF69C84093A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • GetWindowLongW.USER32(?,000000F0), ref: 0104B44C
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0104B471
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0104B489
              • GetSystemMetrics.USER32(00000004), ref: 0104B4B2
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01031184,00000000), ref: 0104B4D0
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: db35d7d80c8eb441ebec5811e5755a30a878b386792104cf0bfdee1bc9db3705
              • Instruction ID: e5fb8a4b3932eecb04c1d6dd58f83a5ad5bb868172b7df00017058fba20510fc
              • Opcode Fuzzy Hash: db35d7d80c8eb441ebec5811e5755a30a878b386792104cf0bfdee1bc9db3705
              • Instruction Fuzzy Hash: FE2191B1914226AFDB609E3CCC84B6A3BA4FB45720F114778FAA6D21D0EB31D811CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01019802
                • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01019834
              • __itow.LIBCMT ref: 0101984C
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01019874
              • __itow.LIBCMT ref: 01019885
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              • Opcode ID: 8925aad39b58a5547b167b2afdbb38db72fd114280654bc16c6fcd381866a5b9
              • Instruction ID: 13b15512053ac1b3542e15c554a1d0200f842e123497d3286a06cd652d059443
              • Opcode Fuzzy Hash: 8925aad39b58a5547b167b2afdbb38db72fd114280654bc16c6fcd381866a5b9
              • Instruction Fuzzy Hash: 2D210A71B00305FBEB10BA798D8AEEE3BA9EF48714F040069FE45DB241D6788D419791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
              • SelectObject.GDI32(?,00000000), ref: 00FC135C
              • BeginPath.GDI32(?), ref: 00FC1373
              • SelectObject.GDI32(?,00000000), ref: 00FC139C
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: 3bd501c344f92b074081890cf2de0605a17b1f5d74c1cbb326e99afa883fe277
              • Instruction ID: 285cf9a5721d85fc1a86354edc4ff8600707ef4d5e173e2947f373fae6d76dd6
              • Opcode Fuzzy Hash: 3bd501c344f92b074081890cf2de0605a17b1f5d74c1cbb326e99afa883fe277
              • Instruction Fuzzy Hash: 6E21D8B0C14346DFDB208F54DA09B6D3BB8FB11325F21431AF4C496195D37B8861EB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 0a5f63327d2465eddcffd203a53d9a1c057f09a1cc79abbe4c196ca81c9e347d
              • Instruction ID: 105a7c774b4b7a498366bdbadfb5594413ad25c1b1692578232a98344219d1c3
              • Opcode Fuzzy Hash: 0a5f63327d2465eddcffd203a53d9a1c057f09a1cc79abbe4c196ca81c9e347d
              • Instruction Fuzzy Hash: 3601D8B26C4109BBF345A6275E42FAF77DCAF12294F444029FD449B247F768DE1182E2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThreadId.KERNEL32 ref: 01024D5C
              • __beginthreadex.LIBCMT ref: 01024D7A
              • MessageBoxW.USER32(?,?,?,?), ref: 01024D8F
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01024DA5
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01024DAC
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: 4c70bc6909359a4a9e1a26499329bb76844ab268c4ec41b8bd577bfb380cf0b3
              • Instruction ID: cde8718004b4ec5dede15c02f3de5f29073e141c155bbe66d1b384108756a42c
              • Opcode Fuzzy Hash: 4c70bc6909359a4a9e1a26499329bb76844ab268c4ec41b8bd577bfb380cf0b3
              • Instruction Fuzzy Hash: AB1148B6908654BBC7219BACDC44ADE7FECEB45320F144299F994D7241C67A880087A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
              • GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
              • GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
              • HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 836962771244ec751f94f338de551ddff6c401da8c17cdfb2fb97b08879c5ab7
              • Instruction ID: 2e54191a8609b46b0a57ac1ad7ae4110666099a3eaf325f6e1027d39f90f5911
              • Opcode Fuzzy Hash: 836962771244ec751f94f338de551ddff6c401da8c17cdfb2fb97b08879c5ab7
              • Instruction Fuzzy Hash: B4016DB5200205BFDB245FBADD88D6B7FACFF8A255710446AF989C3254DA36D910CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01025502
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01025510
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01025518
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01025522
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: 152eaff66b44b3a3c7d4f9b83fed886350595421e1a9360dca2fa1e7d89e122b
              • Instruction ID: 5f7ffa095f2bf7c7ab9b9af4aa93416d932bd7c61ac326203c4f39d376ef389b
              • Opcode Fuzzy Hash: 152eaff66b44b3a3c7d4f9b83fed886350595421e1a9360dca2fa1e7d89e122b
              • Instruction Fuzzy Hash: 25015B75D0063ADBCF10EFE8ED986EDBBB8BB09711F440086E981F2144DB355550C7A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?,?,0101799D), ref: 0101766F
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 0101768A
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 01017698
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?), ref: 010176A8
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 010176B4
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 839eb21d80e7c7c2e8108816e9ebdd5aac26e45f5ef53d926a20ae304b9c4ba5
              • Instruction ID: add02ab5f85eb72815dd00ab5230874340bc5fc4c57876d06de4861a8ff190d4
              • Opcode Fuzzy Hash: 839eb21d80e7c7c2e8108816e9ebdd5aac26e45f5ef53d926a20ae304b9c4ba5
              • Instruction Fuzzy Hash: 7401D4B6600215BBEB204F5CDD44BAA7FECEB48651F100458FE84D7209E73ADD4087A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01018608
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01018612
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01018621
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01018628
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101863E
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: c3dfc44b8b9bcfe44fabf1363e2099b3dd22bd651c1f0b8eb44abfd9f231c494
              • Instruction ID: 2d902fd6c6d9e3c6065a5b5f360881ee9dd2d26e16cdf2ed2b2dab050d9e25f0
              • Instruction Fuzzy Hash: 89F0C274200205AFEB211FACDDCDE6B3FECEF8A654B004416F985C2144CB7A9841DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01018669
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01018673
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01018682
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01018689
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101869F
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 83c8a4195c52cbc4219a1437379f22a30da04584553153869cbb5558aef0cc81
              • Instruction ID: 37cafa33ecd0e9b2cf7e5929c6106e780d43075ec18cba96de8a2df1e087739a
              • Instruction Fuzzy Hash: 3DF0AFB8200205AFEB211FA8ECC8E673FECEF8A654B100416F985D3144CA6A9900DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 0101C6BA
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0101C6D1
              • MessageBeep.USER32(00000000), ref: 0101C6E9
              • KillTimer.USER32(?,0000040A), ref: 0101C705
              • EndDialog.USER32(?,00000001), ref: 0101C71F
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: 2cd56716015c8835c56a4ac54069eb42b5872eb319d6c27efd2667ff021f458d
              • Instruction ID: a2a7017dde3e599d4010475c06071e0801866a0f917274196292a7f198dc57cf
              • Instruction Fuzzy Hash: CE0184744403059BFB315B28EE8EF967BB8BB04701F00055DB6C2A14D5DBE9A9548B40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EndPath.GDI32(?), ref: 00FC13BF
              • StrokeAndFillPath.GDI32(?,?,00FFBAD8,00000000,?), ref: 00FC13DB
              • SelectObject.GDI32(?,00000000), ref: 00FC13EE
              • DeleteObject.GDI32 ref: 00FC1401
              • StrokePath.GDI32(?), ref: 00FC141C
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 074c43ccbdacd7533ee2dd18179fbc750fad4789cd7adc404a931943a2365642
              • Instruction ID: 87fcf251aebb0c5b770dc831b0d7e01da6fda73d6f06ef1569dc3325bf897e8f
              • Instruction Fuzzy Hash: B6F06DB001824ADBDB354F1AEA4DB583BA4BB12326F148318F4E9440E9C33B44A1DF10
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 00FC7BB1: _memmove.LIBCMT ref: 00FC7C0B
              • __swprintf.LIBCMT ref: 00FD302D
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FD2EC6
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: 5656bec02a444db37a2e2f729c3434283ad017e7c7d796b0d7594a3581c4de54
              • Instruction ID: 742775c3b814423c10435a5aa599de400b6bc14e6fb83201a3450bdb8db0915b
              • Instruction Fuzzy Hash: 5F91AD311083029FD718EF24CD8AD6EB7E5EF85710F44091EF5829B2A1DA75EE44EB52
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
              • CoInitialize.OLE32(00000000), ref: 0102BC26
              • CoCreateInstance.OLE32(01052D6C,00000000,00000001,01052BDC,?), ref: 0102BC3F
              • CoUninitialize.OLE32 ref: 0102BC5C
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              Strings
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: adc63f5b52937f71221e8bda5c9e224d4b19c45c57bfd46ea213e0e4f8369d91
              • Instruction ID: 0580efa5a4c143113801fba1d5ed9c7c212355da90d1b7f56c0e5bf1cba1d676
              • Instruction Fuzzy Hash: FAA143752043129FCB00DF18C985E6ABBE5FF88714F14898CF8999B261CB35ED45CB92
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 00FE52DD
                • Part of subcall function 00FF0340: __87except.LIBCMT ref: 00FF037B
              Strings
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: 5b35b51a5797108f38b2e8186dfcf873787688cedeb0239a9027b829037d5f72
              • Instruction ID: 6fc721b7d2ecc9dbcc453789b9c9abc61962f2b30455635a6f7252886e7f4a25
              • Instruction Fuzzy Hash: ED51AE71E0974987CB21B625C94137E3B91AF00B64F608D59E2D5812FBEF798CC4BB42
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: #$+
              • API String ID: 0-2552117581
              • Opcode ID: 1fa53b6d83c90de95afe9ba299ebbab4de19ce78cc8822c76195034f00eb1dc5
              • Instruction ID: 326957e0d48567a1cefc2738dad0ceb5de05aa518c2f342b54327874a8e8c871
              • Instruction Fuzzy Hash: D35135355042468FDF21AF2DCC89AF97BE4EF9A310F540095E8D19F2A4DB789883DB20
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Similarity
              • API ID: _memset$_memmove
              • String ID: ERCP
              • API String ID: 2532777613-1384759551
              • Opcode ID: 1d255c593922b31f3e7168a1ea724972d16fa2f30d6e17e416e8adb6aed9d786
              • Instruction ID: 4c2cc0963172324395f2bb7926a1ebb1a69df40541eeaed5ce68c4106723080d
              • Instruction Fuzzy Hash: ED51A171D003099BDB28DF65C8857AABBF5EF04324F14856FE98ACB341E7759684CB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0104F910,00000000,?,?,?,?), ref: 01047C4E
              • GetWindowLongW.USER32 ref: 01047C6B
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01047C7B
              Strings
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: 29ac4ec83214688fc33a79149d7f8a57d9d5afbddcbe2a262217007649a632a3
              • Instruction ID: 0a047407d9908d435803ed3b2a7cb92f554ba4356b5321c7ec5784269623e1c5
              • Instruction Fuzzy Hash: 4031E37120020AAFDB619E38DC85BEA7BA9FF45324F204729F9B5931D1D735E8509B90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 010476D0
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 010476E4
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 01047708
              Strings
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: fbb3f1c1420c1d1203fb0f329ba79a2f958d658692e9447c2c007d7aaff0b3b5
              • Instruction ID: 6204c10f4b744c40664e4a39f011044d4da4074708cc3d60d42d802800cf51b6
              • Instruction Fuzzy Hash: 0D21B472500219ABDF22CE54CC86FEA3BA5FB4C754F110254FE956B1D1D7B5A8508B90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01046FAA
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01046FBA
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01046FDF
              Strings
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: b5305ac9391f502bc8c3e2bd6e813e83b44438bf4a114aa6d21ae8e433c54f8d
              • Instruction ID: 257dff18516ef531703a7922ae140b5d07be28320a0538b58dfb18be01008918
              • Instruction Fuzzy Hash: 9B21C572610118BFEF128F58CCC5FAB37AAFF8A750F418164F9859B191DA729C51C7A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 010479E1
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 010479F6
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01047A03
              Strings
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: e833233b23bc6e531705403babfbcc486eb81e4c9a51defaba68b415f3747271
              • Instruction ID: 0466ae7f34f71638ab6eec639d0599b8e46dbd776d1419b05bdc1d220e14d43b
              • Instruction Fuzzy Hash: ED11E772250249BBEF219E74CC45FEB77A9EFC9764F02052DF681A6091D272D811CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4C2E), ref: 00FC4CA3
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FC4CB5
              Strings
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: f0d661256bcae0dfa440629162172e32702a917cbf22bf093d790775248fd42a
              • Instruction ID: 6fb35f3f32efa3f76585b464e19413891f8b6107471eac1f5694cd58b257668e
              • Instruction Fuzzy Hash: 2FD012B4911723CFD7209F39DBA9A0676D5AF06691B11883D98C5D6520D674D880C750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4CE1,?), ref: 00FC4DA2
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4DB4
              Strings
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 8698d0fd7577dcac371597c01b0be65b7570fb992fd62ba789d8c92c6e9ea9ae
              • Instruction ID: feee7a2729a405c6e7d75dff812333459acbf2cd9d0865439c09094a755aa006
              • Opcode Fuzzy Hash: 8698d0fd7577dcac371597c01b0be65b7570fb992fd62ba789d8c92c6e9ea9ae
              • Instruction Fuzzy Hash: 8FD0C2B4900313CFC7305F35C659B4672D4AF06290B00883DD8C2C6510D774D880C750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4D2E,?,00FC4F4F,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4D6F
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC4D81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: c078213387769f5beb3b86b7a13b858620e5cb5b34c8772ecfe7bcf1ebc570fb
              • Instruction ID: 65b76d246f68a22d3ef8d8678c861e0cb359a0bd9c6fae5bb5b4b2fed352f2d4
              • Opcode Fuzzy Hash: c078213387769f5beb3b86b7a13b858620e5cb5b34c8772ecfe7bcf1ebc570fb
              • Instruction Fuzzy Hash: 69D012B4910713CFD7305F35DA59B1676D8BF162A1B11887D98C7D6210D675D880CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,010412C1), ref: 01041080
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01041092
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 32fed3d519d14a058d7725263e5af03ed2e2fb1c4efd2ec83b215aae1e0dc788
              • Instruction ID: 46f7fcf38d131e309cbfbcfb99c65da4bade0050e1048d88295eef37b68e84b7
              • Opcode Fuzzy Hash: 32fed3d519d14a058d7725263e5af03ed2e2fb1c4efd2ec83b215aae1e0dc788
              • Instruction Fuzzy Hash: 19D012F49117138FD7305F39D59895676E4AF05251F118C7DA4C5DA110DAB4D4C0C754
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,01039009,?,0104F910), ref: 01039403
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01039415
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: f596ecb23cbd8a9f6a1f7dd6660403c8665e487f8ae949925e8c4fcc38ad6ded
              • Instruction ID: 11bd44c6b307e17edae3b950c7110997fe3762dbd17d89ab0ed3139333788bf4
              • Opcode Fuzzy Hash: f596ecb23cbd8a9f6a1f7dd6660403c8665e487f8ae949925e8c4fcc38ad6ded
              • Instruction Fuzzy Hash: 39D0C2B4900313CFD7204F39C64890776D8AF02241B10C83D94C1C6510DAB4C4C0C750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: 34844ab1f7fc08c28c37b250e49a640718e191bad41cde71d2c0aceff98b4629
              • Instruction ID: e1ab5b19105051a4878c21270e96686bd06c71d2419302602a2a271f0a6e911b
              • Opcode Fuzzy Hash: 34844ab1f7fc08c28c37b250e49a640718e191bad41cde71d2c0aceff98b4629
              • Instruction Fuzzy Hash: 36D012B6C04519EBDB159A918D89DFD777CAB04301F440592F58692040F379DB849B25
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b4756d82395062060e7004c1325a9e840668f110db1ec1a84a6a24a208bae8b
              • Instruction ID: ab3d8b574025ae573560cc5137b8c1cb11098e5a83a213d6e2cf1445f8b1bf36
              • Opcode Fuzzy Hash: 2b4756d82395062060e7004c1325a9e840668f110db1ec1a84a6a24a208bae8b
              • Instruction Fuzzy Hash: EBC19075A00216EFDB14CF98C884EAEBBF5FF48310B148598E985EB255D734EE81CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CharLowerBuffW.USER32(?,?), ref: 0103E3D2
              • CharLowerBuffW.USER32(?,?), ref: 0103E415
                • Part of subcall function 0103DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0103DAD9
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0103E615
              • _memmove.LIBCMT ref: 0103E628
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: e5e9a011373b1e877a068c131626afea576016f2b804c94c45c585327de6dbd2
              • Instruction ID: 10b031150b8e685a1e9a44a37d27d3b048b7a38ab2c18dcebefefeb248c2c51d
              • Opcode Fuzzy Hash: e5e9a011373b1e877a068c131626afea576016f2b804c94c45c585327de6dbd2
              • Instruction Fuzzy Hash: C8C16B716083428FC754DF28C480A5ABBE4FF88714F048A6DF8999B351DB75E946CF82
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CoInitialize.OLE32(00000000), ref: 010383D8
              • CoUninitialize.OLE32 ref: 010383E3
                • Part of subcall function 0101DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0101DAC5
              • VariantInit.OLEAUT32(?), ref: 010383EE
              • VariantClear.OLEAUT32(?), ref: 010386BF
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: b92b67b94b87973ac1b1463ec89a371be2b5d70c3b3e23d01d59333f7f1e3986
              • Instruction ID: 93680846187b5d6f475b9540ee4173385e3fdbfc44cad2029073b6b1c59ddb1d
              • Opcode Fuzzy Hash: b92b67b94b87973ac1b1463ec89a371be2b5d70c3b3e23d01d59333f7f1e3986
              • Instruction Fuzzy Hash: BFA127752047029FDB10DF19C985F1ABBE8BF88714F05858DFA9A9B3A1CB74E904DB41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01052C7C,?), ref: 01017C32
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01052C7C,?), ref: 01017C4A
              • CLSIDFromProgID.OLE32(?,?,00000000,0104FB80,000000FF,?,00000000,00000800,00000000,?,01052C7C,?), ref: 01017C6F
              • _memcmp.LIBCMT ref: 01017C90
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID:
              • API String ID: 314563124-0
              • Opcode ID: d937211655293c0f10e895209af8f7648347150295db874cc6da12e035391871
              • Instruction ID: a1f3398de00e89bf79301656e86f0c0b5c3ab83fff64f9553d9ebfe654506a02
              • Opcode Fuzzy Hash: d937211655293c0f10e895209af8f7648347150295db874cc6da12e035391871
              • Instruction Fuzzy Hash: 1E813B76A00109EFCB04DFD8C984EEEB7B9FF89315F204198E545AB254DB35AE45CB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: de9f0b408223535ca4d55b9cb5c7aae0e9844b41f7d1526b44d0f3ec45c2e013
              • Instruction ID: 6889224c4cf0f9fd2176a465e536700bb5f7baa0800ede167c9235b020c5caa9
              • Opcode Fuzzy Hash: de9f0b408223535ca4d55b9cb5c7aae0e9844b41f7d1526b44d0f3ec45c2e013
              • Instruction Fuzzy Hash: 8C51B134604303DADB60AF69D895B6EB7E5AF48310F50881FF6D6CB295DFB9D8808B11
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(?,?), ref: 01049AD2
              • ScreenToClient.USER32(00000002,00000002), ref: 01049B05
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01049B72
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: 7da11f49b51042fe1384832e9deeb1fb553262301ae9277c6524d9eedd779cc8
              • Instruction ID: 82f8fa730de6b68f64ede41c6603f9c9230b1fffd1a5d614f6ccf0d70a1d8948
              • Opcode Fuzzy Hash: 7da11f49b51042fe1384832e9deeb1fb553262301ae9277c6524d9eedd779cc8
              • Instruction Fuzzy Hash: B95141B4900209EFDF21DF58D9C0AAE7BF5FB48324F1082B9F99597291D731A951CB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 01036CE4
              • WSAGetLastError.WSOCK32(00000000), ref: 01036CF4
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01036D58
              • WSAGetLastError.WSOCK32(00000000), ref: 01036D64
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • String ID:
              • API String ID: 2214342067-0
              • Opcode ID: 05e5714e24a240ab1e0b166f3b3205aa4122b7858d2c75b2a4e95ff3b2437f32
              • Instruction ID: a6f320c4353b3f2ccc1c3df6dabf32d8c08c7545c258500df031fd3d3b7e9b4f
              • Opcode Fuzzy Hash: 05e5714e24a240ab1e0b166f3b3205aa4122b7858d2c75b2a4e95ff3b2437f32
              • Instruction Fuzzy Hash: B041D774740201AFEB20AF28DD8BF7A77E99F44B10F44805CFA599F2C2DAB99D019751
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0104F910), ref: 010367BA
              • _strlen.LIBCMT ref: 010367EC
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: 17399d066d7b022d175d7bbcb2178c792d205799149f3da52185df078dc18b8b
              • Instruction ID: dc7f5cd165432c3ddc25d1df999d20baf6666e0f76eafa5fb64519618fc33618
              • Opcode Fuzzy Hash: 17399d066d7b022d175d7bbcb2178c792d205799149f3da52185df078dc18b8b
              • Instruction Fuzzy Hash: BE41F575A00106BFCB14EB69CDC5FAEB3ADAF88310F048259F9559B292DF75AE40C750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0102BB09
              • GetLastError.KERNEL32(?,00000000), ref: 0102BB2F
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0102BB54
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0102BB80
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: ce016cb6b8042d43590f06e2bb33911600066714f917efbbe22262e54051c879
              • Instruction ID: afd9652f320171d933728f28fd46b59fe72a64cd03834cf282d123965fe78b7f
              • Opcode Fuzzy Hash: ce016cb6b8042d43590f06e2bb33911600066714f917efbbe22262e54051c879
              • Instruction Fuzzy Hash: BB415139200512DFCB21DF19C689E5DBBE1EF49710B058488ED8A9B762CB78FD01DB91
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 01048B4D
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: 261b271e898dbf09b28aa8ccb98e8fcb67afd164636a68053f98342f80e506fc
              • Instruction ID: 608d71346bbbf1fe6cec0a6d0f9813e27151ca43d0826d4c6095228009aafbb3
              • Opcode Fuzzy Hash: 261b271e898dbf09b28aa8ccb98e8fcb67afd164636a68053f98342f80e506fc
              • Instruction Fuzzy Hash: E131ADF4644204BFEB619AACCCC5FAD3BA4EB09320F14CE67FBD1D6291C635A5508B81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ClientToScreen.USER32(?,?), ref: 0104AE1A
              • GetWindowRect.USER32(?,?), ref: 0104AE90
              • PtInRect.USER32(?,?,0104C304), ref: 0104AEA0
              • MessageBeep.USER32(00000000), ref: 0104AF11
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: 37850da33febc5705a94ef436f28bcf04d8703b137bd9dc29b9cc02beb331964
              • Instruction ID: 5826e397cb91ded9249cb000bb3de181fa81306bcb7e796822418bc5b6faa7da
              • Opcode Fuzzy Hash: 37850da33febc5705a94ef436f28bcf04d8703b137bd9dc29b9cc02beb331964
              • Instruction Fuzzy Hash: AB418FB4744106DFDB21CF59C4C4A9D7BF5FB49340F1581B9E9AA8B245D732A842CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01021037
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 01021053
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 010210B9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0102110B
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 5ba0c45b57ec68edc783a07b3784a9fa5d12b00dfa8ee093e75ac9168666320f
              • Instruction ID: 073ae2490bf451b3f6e038e2d8b4efc3aa535aa49a140c459befc02a0e3f04a4
              • Opcode Fuzzy Hash: 5ba0c45b57ec68edc783a07b3784a9fa5d12b00dfa8ee093e75ac9168666320f
              • Instruction Fuzzy Hash: 8F313970F446A8AEFB318A6D8C44BFEBBE9AF44310F04435AF6C0521D1C3BD45818791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 01021176
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 01021192
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 010211F1
              • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 01021243
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 22fab8fef5f0e295ad8afca6c4e5293056e9668456d87f9ed63eb8d51e7a137d
              • Instruction ID: 7b011da4478fe7d153566581b19c9936cbfbd359de9a8da92ad761e2da187a06
              • Opcode Fuzzy Hash: 22fab8fef5f0e295ad8afca6c4e5293056e9668456d87f9ed63eb8d51e7a137d
              • Instruction Fuzzy Hash: 68312670A407286EFF318A6D8804BFEBBFAAB49310F14439AF5C4925D5C37986558791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FF644B
              • __isleadbyte_l.LIBCMT ref: 00FF6479
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FF64A7
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FF64DD
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: e2d1a65f2962f47ce78d923b4c90d7bc1312d3052951433d5002214cb312a7ca
              • Instruction ID: c25730ce1d82335b599cbe260d34b45ee38a28258385dcfa58cd8d91da05767e
              • Opcode Fuzzy Hash: e2d1a65f2962f47ce78d923b4c90d7bc1312d3052951433d5002214cb312a7ca
              • Instruction Fuzzy Hash: 6331AD31A0024AAFDB21EF65CC85BBA7BB5FF41320F154029EA64D71B1EB35D850EB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetForegroundWindow.USER32 ref: 01045189
                • Part of subcall function 0102387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01023897
                • Part of subcall function 0102387D: GetCurrentThreadId.KERNEL32 ref: 0102389E
                • Part of subcall function 0102387D: AttachThreadInput.USER32(00000000,?,010252A7), ref: 010238A5
              • GetCaretPos.USER32(?), ref: 0104519A
              • ClientToScreen.USER32(00000000,?), ref: 010451D5
              • GetForegroundWindow.USER32 ref: 010451DB
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: ed7c5a08652e758b17cfbf6efc0105cc5c5cdf42e2d0d11401e8e04fca04d3b9
              • Instruction ID: 388eb24d1dda0960efb08a3536c6704ec2e2032c199ef26a8cb53f794e993a72
              • Opcode Fuzzy Hash: ed7c5a08652e758b17cfbf6efc0105cc5c5cdf42e2d0d11401e8e04fca04d3b9
              • Instruction Fuzzy Hash: 50312175900109AFDB10EFA5CD85EEFB7F9EF98300F10406AE455E7241EA799E05CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • GetCursorPos.USER32(?), ref: 0104C7C2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FFBBFB,?,?,?,?,?), ref: 0104C7D7
              • GetCursorPos.USER32(?), ref: 0104C824
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FFBBFB,?,?,?), ref: 0104C85E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: e6e38cce01862684d0e1ac798396437306e505b19b51f8bc48297efb4ec53190
              • Instruction ID: 52eb2e5787fd595b92950a9bb0db79877fcc0192100a7e32ffa773da0c161f82
              • Opcode Fuzzy Hash: e6e38cce01862684d0e1ac798396437306e505b19b51f8bc48297efb4ec53190
              • Instruction Fuzzy Hash: F131E175601018AFEB25CF4CC9D8EEA7BF6FB09320F0440A9FA858B251D7369950DFA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 01018652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01018669
                • Part of subcall function 01018652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01018673
                • Part of subcall function 01018652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01018682
                • Part of subcall function 01018652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01018689
                • Part of subcall function 01018652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101869F
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 01018BEB
              • _memcmp.LIBCMT ref: 01018C0E
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01018C44
              • HeapFree.KERNEL32(00000000), ref: 01018C4B
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              • Opcode ID: 9868f059cd2ac16d81ebd75eee3a00df33288d257773df7604f192be39ddf26f
              • Instruction ID: d9fe4dd7ac8745e640e42eb74634aab3547613f7a86533fc30c5f4f3914e4c69
              • Opcode Fuzzy Hash: 9868f059cd2ac16d81ebd75eee3a00df33288d257773df7604f192be39ddf26f
              • Instruction Fuzzy Hash: A7216D71E01209ABDB10DF98C944BEEB7F8FF44354F14809AE994A7244D739AA05CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • __setmode.LIBCMT ref: 00FE0BF2
                • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
                • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0
              • _fprintf.LIBCMT ref: 00FE0C29
              • OutputDebugStringW.KERNEL32(?), ref: 01016331
                • Part of subcall function 00FE4CDA: _flsall.LIBCMT ref: 00FE4CF3
              • __setmode.LIBCMT ref: 00FE0C5E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: e3e04d34ee98587396b7a7b67ba73fca88b1803d896e45cb133ff481e3697c81
              • Instruction ID: 60fcb7a68b789ed8b623ac34c8ad16572f399129426d0b107ed910473caea12a
              • Opcode Fuzzy Hash: e3e04d34ee98587396b7a7b67ba73fca88b1803d896e45cb133ff481e3697c81
              • Instruction Fuzzy Hash: B3113A32A042457BCB04B7BAAC47EBE7B699F41320F24415EF104971C2DE792D816791
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01031A97
                • Part of subcall function 01031B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01031B40
                • Part of subcall function 01031B21: InternetCloseHandle.WININET(00000000), ref: 01031BDD
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: 33de4ac9abaaa790e5e809277d00dc19ff3377cf2f4bed717f221cf1c20a98f3
              • Instruction ID: 70454c2e1f6e08ff9f71416db47bbafacabd9e5612869b75e91d46e00d3ab835
              • Opcode Fuzzy Hash: 33de4ac9abaaa790e5e809277d00dc19ff3377cf2f4bed717f221cf1c20a98f3
              • Instruction Fuzzy Hash: E521A475200601BFEB169F648C00FBBBBEDFF8C601F00401AFA91D6550E775D41197A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0101F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0101E1C4,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?), ref: 0101F5BC
                • Part of subcall function 0101F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0101F5E2
                • Part of subcall function 0101F5AD: lstrcmpiW.KERNEL32(00000000,?,0101E1C4,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?), ref: 0101F613
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101E1DD
              • lstrcpyW.KERNEL32(00000000,?), ref: 0101E203
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101E237
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: 6dade2dd40109d3be3ac2c753f0007a961a260e37f9a25123222b5aca25d436b
              • Instruction ID: a077e7d043f3473b0d79dadbc821d8a15dfe41fae2aadc9314d3547cb39894b9
              • Opcode Fuzzy Hash: 6dade2dd40109d3be3ac2c753f0007a961a260e37f9a25123222b5aca25d436b
              • Instruction Fuzzy Hash: 3511D33A200342EFCB26AF68D844DBE77E8FF45310B40802AED46CB258EB75D850D790
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _free.LIBCMT ref: 00FF5351
                • Part of subcall function 00FE594C: __FF_MSGBANNER.LIBCMT ref: 00FE5963
                • Part of subcall function 00FE594C: __NMSG_WRITE.LIBCMT ref: 00FE596A
                • Part of subcall function 00FE594C: RtlAllocateHeap.NTDLL(01820000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: 3c6de64db33d65459f540b9ad32c556e3783d39a2b7afb05ee0957178fcfc5f1
              • Instruction ID: 11288a9f0f2a6785d9141f3e5dedafc3be6d8d1ed4ab73f6fb76670d70f2d888
              • Opcode Fuzzy Hash: 3c6de64db33d65459f540b9ad32c556e3783d39a2b7afb05ee0957178fcfc5f1
              • Instruction Fuzzy Hash: 8A11E732904A1AAFCB313FB9EC4477D37995F10BF1F144429FB889A1A1DE7A8941B750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 00FC4560
                • Part of subcall function 00FC410D: _memset.LIBCMT ref: 00FC418D
                • Part of subcall function 00FC410D: _wcscpy.LIBCMT ref: 00FC41E1
                • Part of subcall function 00FC410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FC41F1
              • KillTimer.USER32(?,00000001,?,?), ref: 00FC45B5
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC45C4
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FFD6CE
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: f9cd1f62cf06ab2d109e3c7c9a1e90c37fd64b62d9e849f9012db05bed7714b2
              • Instruction ID: 49d2b9c5e4b41842d745df90dbed757199921130c054f50acae55f16ea55c0ce
              • Opcode Fuzzy Hash: f9cd1f62cf06ab2d109e3c7c9a1e90c37fd64b62d9e849f9012db05bed7714b2
              • Instruction Fuzzy Hash: 05212571904788AFEB328B248956FF6BBEC9F01318F04009DE3DE96245C7792A84AB41
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 010240D1
              • _memset.LIBCMT ref: 010240F2
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 01024144
              • CloseHandle.KERNEL32(00000000), ref: 0102414D
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              • API String ID: 1157408455-0
              • Opcode ID: a0caaa9b8d05030f6772e57598152ba597d63e8252a22674c810613c76ac8adf
              • Instruction ID: 164a0fec89ab1b781bf9813710f423aba1b5515f3a6b69abf6855a707c4d03f8
              • Opcode Fuzzy Hash: a0caaa9b8d05030f6772e57598152ba597d63e8252a22674c810613c76ac8adf
              • Instruction Fuzzy Hash: D111AB75D012387AD7305AA99C8DFABBBBCEF45760F1045D6F908D7180D6744E808BA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
                • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0
              • gethostbyname.WSOCK32(?), ref: 010366AC
              • WSAGetLastError.WSOCK32(00000000), ref: 010366B7
              • _memmove.LIBCMT ref: 010366E4
              • inet_ntoa.WSOCK32(?), ref: 010366EF
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: 443526cf5721a66ad90c8c569a1f4580e1a3e261ec68cc8dbb301385c741eb1f
              • Instruction ID: 1b770fec8a4cc0543ecc33aca47efaea4f534c30a683a22577b8195c12fa5221
              • Opcode Fuzzy Hash: 443526cf5721a66ad90c8c569a1f4580e1a3e261ec68cc8dbb301385c741eb1f
              • Instruction Fuzzy Hash: 2D11907650010AAFCB00EBA5DE86DEEB7B8AF44710B044069F502A7161DF79AF04DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 01019043
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01019055
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0101906B
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01019086
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 4a4bdc6a944f99576a471ddac9556cc2b6a7db6d8117d4f2d3feb1c2c76f9937
              • Instruction ID: 1149ce3657dc50bf536deb09d092cd5f8081c2f79720f2de91d6d8287237e655
              • Opcode Fuzzy Hash: 4a4bdc6a944f99576a471ddac9556cc2b6a7db6d8117d4f2d3feb1c2c76f9937
              • Instruction Fuzzy Hash: 36115A79901219FFEB11DFA9C984EADBBB8FB48350F204095FA44B7294D6726E10DB90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
              • DefDlgProcW.USER32(?,00000020,?), ref: 00FC12D8
              • GetClientRect.USER32(?,?), ref: 00FFB84B
              • GetCursorPos.USER32(?), ref: 00FFB855
              • ScreenToClient.USER32(?,?), ref: 00FFB860
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: a03937b596406e8711b760f167f3da64c8c13cbff6b2563b8aef45b3ec094925
              • Instruction ID: 41749e912415047e02fe89875a48f2afddcc1c74df54e00a469d040f32282bab
              • Opcode Fuzzy Hash: a03937b596406e8711b760f167f3da64c8c13cbff6b2563b8aef45b3ec094925
              • Instruction Fuzzy Hash: 72112B7990001AEBDB10EFA8DA86EEE77B8FB06301F000459E951E7141C735BA61ABA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 0102166F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 01021694
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 0102169E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 010216D1
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              • Opcode ID: 16f6e6f700a6475e6212cf7a7852d82660385fcc52f066216be97e8e57135f93
              • Instruction ID: 3e966406413472210e6c2029d07f8dcb3f461abdf2cf824afa296b508c014f1e
              • Opcode Fuzzy Hash: 16f6e6f700a6475e6212cf7a7852d82660385fcc52f066216be97e8e57135f93
              • Instruction Fuzzy Hash: 25113C71D0052DE7CF20AFA9E988AEEBF78FF0D751F054095E980B6244CB355560CB96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0101DD3E
              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0101DD55
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0101DD6A
              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0101DD88
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Type$Register$FileLoadModuleNameUser
              • String ID:
              • API String ID: 1352324309-0
              • Opcode ID: ad0444e6477ce3fb86a02e26cc134b7a42fd03d3467f64e976b93e2e914dd7b7
              • Instruction ID: 29c5126fe92f1b43289199f7a9937113170c5f2a2d1dba8693a311f0f0be3d6a
              • Opcode Fuzzy Hash: ad0444e6477ce3fb86a02e26cc134b7a42fd03d3467f64e976b93e2e914dd7b7
              • Instruction Fuzzy Hash: E211A1B5201305EBE720EF54DD4CB96BBBCEF01B08F40855AAA96C6144DBB9E504CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 6cd2e390a946091f402a1197efef3675b6d33d83954d3cdd7525b065202c31b5
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: AD014C3644824EBBCF126E84DC018EEBF62BF69351B588615FB1858031D237C9B1BF81
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowRect.USER32(?,?), ref: 0104B59E
              • ScreenToClient.USER32(?,?), ref: 0104B5B6
              • ScreenToClient.USER32(?,?), ref: 0104B5DA
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0104B5F5
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: 6931e7cb0faca919299a236abe004a37ab2673082c46ab7a544707c1253d0c9e
              • Instruction ID: ed483cf32da9dd4faa6edc280e54afb22fcf3f00aa183ea4f7a5ae4a88e7782c
              • Opcode Fuzzy Hash: 6931e7cb0faca919299a236abe004a37ab2673082c46ab7a544707c1253d0c9e
              • Instruction Fuzzy Hash: 861163B9D0020AEFDB51DFA9C584AEEFBF9FB08310F108166E954E3210D735AA518F90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 0104B8FE
              • _memset.LIBCMT ref: 0104B90D
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01087F20,01087F64), ref: 0104B93C
              • CloseHandle.KERNEL32 ref: 0104B94E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: 89d6c6a9f415ead19b6cb2d6b41cfcdfba7bf831202ad2e048cd23c138b63cfb
              • Instruction ID: fb0459335d5f1f24e8e031d1257a6954f7106f3176d041ae98ad0f87dd48eb07
              • Opcode Fuzzy Hash: 89d6c6a9f415ead19b6cb2d6b41cfcdfba7bf831202ad2e048cd23c138b63cfb
              • Instruction Fuzzy Hash: 49F082F2544310BBF2202666AC49FBF3A9CEB08758F104060BBC8D618FD77A4D0087A8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 01026E88
                • Part of subcall function 0102794E: _memset.LIBCMT ref: 01027983
              • _memmove.LIBCMT ref: 01026EAB
              • _memset.LIBCMT ref: 01026EB8
              • LeaveCriticalSection.KERNEL32(?), ref: 01026EC8
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: 7b6b3c89a90bc4ab35b990e09b0d22ad45ccaa0deda3cca9aae26ca04482692a
              • Instruction ID: b7c40778f4fd2e9de135908e063e7c029bf89759cb4d2638e8aab281056aa324
              • Opcode Fuzzy Hash: 7b6b3c89a90bc4ab35b990e09b0d22ad45ccaa0deda3cca9aae26ca04482692a
              • Instruction Fuzzy Hash: 28F05E7A200210ABCF116F55DD84A8ABB2AEF45320B08C055FE089F21AC736A911DBB4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
                • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC135C
                • Part of subcall function 00FC12F3: BeginPath.GDI32(?), ref: 00FC1373
                • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC139C
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104C030
              • LineTo.GDI32(00000000,?,?), ref: 0104C03D
              • EndPath.GDI32(00000000), ref: 0104C04D
              • StrokePath.GDI32(00000000), ref: 0104C05B
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: 1dc72ed73465ca6d8ae1e50339241e28fbe74030c6d551a26753d9913e35dafd
              • Instruction ID: 5eebb8efa46d697dd1032382ebb2bd9618206b430c3e33be1a3d0998ba81c9a7
              • Opcode Fuzzy Hash: 1dc72ed73465ca6d8ae1e50339241e28fbe74030c6d551a26753d9913e35dafd
              • Instruction Fuzzy Hash: 11F0BE7500525ABBEB326F58ED0EFCE3F98AF06310F044100FA91210D587BA0160CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101A399
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0101A3AC
              • GetCurrentThreadId.KERNEL32 ref: 0101A3B3
              • AttachThreadInput.USER32(00000000), ref: 0101A3BA
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: 387c45cc7dede41937c90e6d111b74ef644bc95ab8a4c18127ce200512de7584
              • Instruction ID: f78bf9f569e0fdfa3cb041f493c087578452f4627ac6d1eb440e2c2825b4a91d
              • Opcode Fuzzy Hash: 387c45cc7dede41937c90e6d111b74ef644bc95ab8a4c18127ce200512de7584
              • Instruction Fuzzy Hash: 7CE03071241268BBEB211A65DD4CFD77F5CEF167A1F008015F989D6054C6BA8540C7A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSysColor.USER32(00000008), ref: 00FC2231
              • SetTextColor.GDI32(?,000000FF), ref: 00FC223B
              • SetBkMode.GDI32(?,00000001), ref: 00FC2250
              • GetStockObject.GDI32(00000005), ref: 00FC2258
              • GetWindowDC.USER32(?,00000000), ref: 00FFC0D3
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FFC0E0
              • GetPixel.GDI32(00000000,?,00000000), ref: 00FFC0F9
              • GetPixel.GDI32(00000000,00000000,?), ref: 00FFC112
              • GetPixel.GDI32(00000000,?,?), ref: 00FFC132
              • ReleaseDC.USER32(?,00000000), ref: 00FFC13D
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID:
              • API String ID: 1946975507-0
              • Opcode ID: 57c3bef8b355d5287d89fa26ea333ca56b78e01e75d55ab35126aa2c1a6a263d
              • Instruction ID: 8aebf47b0d08c6cf6d876fc6331a285e4c115a99f2b109036f339f6ec24618c1
              • Opcode Fuzzy Hash: 57c3bef8b355d5287d89fa26ea333ca56b78e01e75d55ab35126aa2c1a6a263d
              • Instruction Fuzzy Hash: A0E06576500149ABEB315F68FA4D7D83B10EB06332F008356FBA9580F587764590DB51
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetCurrentThread.KERNEL32 ref: 01018C63
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C6A
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0101882E), ref: 01018C77
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C7E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: e89a513c7b51361a5fc1446841431d077ca715323376bb57773a7aeabb394687
              • Instruction ID: 093c894f67dcd02a0faa94ef46e66411d479e25370ad56531d0775d769795f2a
              • Opcode Fuzzy Hash: e89a513c7b51361a5fc1446841431d077ca715323376bb57773a7aeabb394687
              • Instruction Fuzzy Hash: 58E086BA642212EBD7705FBC6F4CB573BACEF41792F048858B6C5C9048D63D8041CB51
              Uniqueness

              Uniqueness Score: -1.00%
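The API listings in these function blocks print the stack slots visible at each call site, so values such as the 00000028 on the GetCurrentThread/OpenProcessToken routine above, the 00000020 passed to CreateProcessW, the 00000002/00001388 pair passed to SendMessageTimeoutW, or the 0000000C passed to GetDeviceCaps only become meaningful once decoded against the Win32 headers. The following Python is an added example, not part of the Joe Sandbox report and not AutoIt code: it parses lines in the bullet format used above (the sample input is copied from this page) and decodes those constants. It assumes the report prints raw stack slots, so that a zero-parameter function such as GetCurrentProcess shows the arguments already pushed for the call that follows it; that is how the 0x28 mask is attributed to OpenProcessToken. The constant tables are the standard Win32 values; the dataclass, function names and output format are this example's own.

```python
"""Parse Joe Sandbox 'APIs' bullets and decode selected Win32 constants (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches one bullet such as
#   • OpenProcessToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C7E
#   • CloseHandle.KERNEL32 ref: 0104B94E
#     • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Standard Win32 values (winnt.h, processthreadsapi.h, winuser.h, wingdi.h).
TOKEN_ACCESS = {0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
                0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
                0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
                0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
                0x0100: "TOKEN_ADJUST_SESSIONID"}
CREATE_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
                0x00000010: "CREATE_NEW_CONSOLE", 0x00000020: "NORMAL_PRIORITY_CLASS",
                0x00000200: "CREATE_NEW_PROCESS_GROUP", 0x00000400: "CREATE_UNICODE_ENVIRONMENT",
                0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"}
SMTO_FLAGS = {0x1: "SMTO_BLOCK", 0x2: "SMTO_ABORTIFHUNG", 0x8: "SMTO_NOTIMEOUTIFNOTHUNG"}
DEVCAPS = {8: "HORZRES", 10: "VERTRES", 12: "BITSPIXEL", 14: "PLANES",
           88: "LOGPIXELSX", 90: "LOGPIXELSY"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # stack slots as printed; None for '?'
    ref: int                   # address of the call instruction
    subcall_of: Optional[int]  # set for "Part of subcall function X" lines


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one bullet line, or None if the line is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    sub = m.group("sub")
    return ApiCall(m.group("name"), m.group("module").upper(), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into symbolic names; leftover bits are kept as hex."""
    names = [n for bit, n in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names


def analyse_block(lines: List[str]) -> Dict[str, str]:
    """Decode the constants worth reading in one function block's API list."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    out: Dict[str, str] = {}
    for i, c in enumerate(calls):
        key = f"{c.name}@{c.ref:08X}"
        if c.name == "CreateProcessW" and len(c.args) > 5 and c.args[5] is not None:
            out[key] = f"dwCreationFlags=0x{c.args[5]:x} " + "|".join(decode_flags(c.args[5], CREATE_FLAGS))
        elif c.name == "OpenProcessToken":
            access = c.args[1] if len(c.args) > 1 else None
            # Assumption about the report format: slots are raw stack contents, and
            # GetCurrentProcess() has no parameters, so when it directly precedes
            # OpenProcessToken its first printed slot is the DesiredAccess already
            # pushed for the OpenProcessToken call (x86 stdcall pushes right-to-left).
            prev = calls[i - 1] if i > 0 else None
            if access is None and prev and prev.name == "GetCurrentProcess" and prev.args and prev.args[0] is not None:
                access = prev.args[0]
            if access is not None:
                out[key] = f"DesiredAccess=0x{access:x} " + "|".join(decode_flags(access, TOKEN_ACCESS))
        elif c.name == "SendMessageTimeoutW" and len(c.args) > 5 and None not in c.args[4:6]:
            flags = "|".join(decode_flags(c.args[4], SMTO_FLAGS)) or "SMTO_NORMAL"
            out[key] = f"flags={flags} timeout={c.args[5]}ms"
        elif c.name == "GetDeviceCaps" and len(c.args) > 1 and c.args[1] is not None:
            out[key] = f"index={DEVCAPS.get(c.args[1], hex(c.args[1]))}"
    return out


# Sample input: bullet lines copied from the function blocks on this page.
SAMPLE_LINES = [
    "• GetCurrentThread.KERNEL32 ref: 01018C63",
    "• OpenThreadToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C6A",
    "• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0101882E), ref: 01018C77",
    "• OpenProcessToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C7E",
    "• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01087F20,01087F64), ref: 0104B93C",
    "• CloseHandle.KERNEL32 ref: 0104B94E",
    "  • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623",
    "• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101A399",
    "• GetDeviceCaps.GDI32(00000000,0000000C), ref: 010021B1",
]

if __name__ == "__main__":
    for key, meaning in analyse_block(SAMPLE_LINES).items():
        print(f"{key}: {meaning}")
```

Read against the blocks above, the decoded values say: the token routine asks for TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, the minimum needed to call AdjustTokenPrivileges; CreateProcessW is called with NORMAL_PRIORITY_CLASS only (no CREATE_SUSPENDED, so this particular call site is not a hollowing primitive); SendMessageTimeoutW sends WM_NULL with SMTO_ABORTIFHUNG and a 5000 ms timeout before AttachThreadInput, a responsiveness probe; GetDeviceCaps asks for BITSPIXEL. In a compiled AutoIt stub these are runtime library routines (the AutoIt3GUI string in a later block belongs to that runtime), so they are useful for recognising the interpreter and for triage, not as evidence of the script's intent on their own.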

              APIs
              • GetDesktopWindow.USER32 ref: 01002187
              • GetDC.USER32(00000000), ref: 01002191
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 010021B1
              • ReleaseDC.USER32(?), ref: 010021D2
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 870479243c7edc7ead0b63df9bbf9d35ab516f3aba21b51e9fdcc0bd1341b689
              • Instruction ID: e1cbb5758ecb8fe7dcb63e556d0967538e9fd365f42fb3d51486e4fc7bb8c4b4
              • Opcode Fuzzy Hash: 870479243c7edc7ead0b63df9bbf9d35ab516f3aba21b51e9fdcc0bd1341b689
              • Instruction Fuzzy Hash: 95E0E5B9800606EFDB11AFB5DA49B9E7BB1EB5C350F118409FD9A97250CB7D8141AF40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDesktopWindow.USER32 ref: 0100219B
              • GetDC.USER32(00000000), ref: 010021A5
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 010021B1
              • ReleaseDC.USER32(?), ref: 010021D2
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: da4991181ce18a1e0af6708020f2d2a8314b1833b7bb415e6c47579684798a89
              • Instruction ID: 05d1e39e82520574ed549af86d5e3e6ff4da8854e8bee4b383c9a6ecf19d76b1
              • Opcode Fuzzy Hash: da4991181ce18a1e0af6708020f2d2a8314b1833b7bb415e6c47579684798a89
              • Instruction Fuzzy Hash: A5E0E5B9800206AFCB21AFB5CA49A9E7BA1EB4C310F118009FD9A97210CB7D9141AF40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 0101B981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container
              • API String ID: 3565006973-3941886329
              • Opcode ID: 7c2c1a729384e9a4bf833184c70c5a7b3b7c7b3c6c15c1b460cca42c10d8ed4d
              • Instruction ID: 0efb4f893902c2360365288366f55c66b1dddbcb74642a4ee59cbdca43b258dc
              • Opcode Fuzzy Hash: 7c2c1a729384e9a4bf833184c70c5a7b3b7c7b3c6c15c1b460cca42c10d8ed4d
              • Instruction Fuzzy Hash: F8915B716002029FDB64DF68C884A6ABBF5FF48710F1485ADF98ACB295DB75E841CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
                • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
              • __wcsnicmp.LIBCMT ref: 0102B298
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0102B361
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: 5162b67a78c42f6a3082b5145dc9cce8fb4240db445484655daf3a9b8b831f29
              • Instruction ID: 4ab6d482dcca87941766afd58e1aca988fad6065a4ceaeeda45c771a2e5c75a7
              • Opcode Fuzzy Hash: 5162b67a78c42f6a3082b5145dc9cce8fb4240db445484655daf3a9b8b831f29
              • Instruction Fuzzy Hash: E7618375A04225EFCB14DF98C985EAEB7F4EF08710F05809AF986AB351DB74AE44CB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • Sleep.KERNEL32(00000000), ref: 00FD2AC8
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FD2AE1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: c8fa42e3e10dba1ce9780456913fadec896166a600ef4fdcb688168f22c36739
              • Instruction ID: aef8466030424f97bab3f4a23bc005cdd4d352d234bb11aa9d1e0d7876479262
              • Opcode Fuzzy Hash: c8fa42e3e10dba1ce9780456913fadec896166a600ef4fdcb688168f22c36739
              • Instruction Fuzzy Hash: 565168714187459BD320AF11DD8AFABBBE8FF84310F42884DF1D981095DB798428DB26
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC506B: __fread_nolock.LIBCMT ref: 00FC5089
              • _wcscmp.LIBCMT ref: 01029AAE
              • _wcscmp.LIBCMT ref: 01029AC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: a4e0b19dddf2a0f0fce71e5712d99bea1c2f89d8410a4ac3eb545d475a4b7c85
              • Instruction ID: d17354d32d4b9aea3edbbe57eb9de891f2888ae2cffc9a8ba7061fbaf12e11ce
              • Opcode Fuzzy Hash: a4e0b19dddf2a0f0fce71e5712d99bea1c2f89d8410a4ac3eb545d475a4b7c85
              • Instruction Fuzzy Hash: 8D410671A4062ABADF219BA4CC46FEFBBFDDF45B14F000079F940E7181DA75AA4487A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 01032892
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010328C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 91371256fef38153db6bf90e527e1eadf6df0b28c7f6daee8553bbe906c2c86f
              • Instruction ID: 9edc70752d8bdab3d3501bd9d49c3e154c9d34cd5fae6605b1ae920351c3b79b
              • Opcode Fuzzy Hash: 91371256fef38153db6bf90e527e1eadf6df0b28c7f6daee8553bbe906c2c86f
              • Instruction Fuzzy Hash: 4631507180121AAFCF01EFA5CC86EEEBFB9FF08350F10406AF914A6165DB355A56DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 01046D86
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01046DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: e20cc9b6d9df66c141c016b13c909e80efdf025b367cb2954b897dd17c844a8c
              • Instruction ID: ada0f5a9cc694d3b58f3b8ee9effe493a3969a21ebd7b8886d4111241d756754
              • Opcode Fuzzy Hash: e20cc9b6d9df66c141c016b13c909e80efdf025b367cb2954b897dd17c844a8c
              • Instruction Fuzzy Hash: DB318FB1500605AFEB11AF28CC80BFB77A8FF49724F108529F9E597191DA36A891DB60
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 01022E00
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01022E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 7ab3c99c102cf13596b284460d9d338024c51980f9117711d9942c76ae7e8916
              • Instruction ID: 3b84f1fe6832dc27c4ac97a2b9bc69427d11812dcff083570b64d6da2b083f71
              • Opcode Fuzzy Hash: 7ab3c99c102cf13596b284460d9d338024c51980f9117711d9942c76ae7e8916
              • Instruction Fuzzy Hash: CD31E371600325ABEF649E8DC884BAEBFF9FF05300F1400A9EAC5971A0D7709580EB50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 010469D0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010469DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: b73fd399eb641f5b48fe0a15c22031a095aa03600ad9a964ba39e230d95e241b
              • Instruction ID: 8d9e93543d0ff13aaafa4de6422c69d9c4a73a71afcaf418d5c318a728a20c55
              • Opcode Fuzzy Hash: b73fd399eb641f5b48fe0a15c22031a095aa03600ad9a964ba39e230d95e241b
              • Instruction Fuzzy Hash: DE11E9B56101096FEF129E18CCC0EFB37AEEB8A3A4F110135F99897291E6769C5087A0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
                • Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
                • Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91
              • GetWindowRect.USER32(00000000,?), ref: 01046EE0
              • GetSysColor.USER32(00000012), ref: 01046EFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: e05a7fe7108e9851aa2e841d106ab3edd28a72b60f7b845282191de9bfcc83d6
              • Instruction ID: 53474c312a18da687908e3e15cb99596b38c42a1e8b17d61f4e27fb57f7ff63f
              • Opcode Fuzzy Hash: e05a7fe7108e9851aa2e841d106ab3edd28a72b60f7b845282191de9bfcc83d6
              • Instruction Fuzzy Hash: 5D2117B261020AAFDB14DFA8C985AEA7BF8FB09314F014669F995D2240E635E8619B50
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 01046C11
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 01046C20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: fc617fbdb6b6c751f55a2feb22eb991981f2bd43ac36ea686e893baf3777efec
              • Instruction ID: e0a02b5ff545e2fb2656b44e720a71f9bfb13baca6e2c7e1bd9703f22558e89e
              • Opcode Fuzzy Hash: fc617fbdb6b6c751f55a2feb22eb991981f2bd43ac36ea686e893baf3777efec
              • Instruction Fuzzy Hash: 3611BFB1500209ABEB515E68DC81AFB37A9EB06374F104728F9A1971D0D676DC909BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • _memset.LIBCMT ref: 01022F11
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01022F30
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 9b2e9d3b1e80b5523b9d801414427bca43b900a18f8f1e0f8f7ac8d323bdeac0
              • Instruction ID: c73b9e136482d78a8793880d156fd39b2536241fe88e021cda674c27f450a745
              • Opcode Fuzzy Hash: 9b2e9d3b1e80b5523b9d801414427bca43b900a18f8f1e0f8f7ac8d323bdeac0
              • Instruction Fuzzy Hash: 6811E671905134ABEBA0EADCDC44FAE7BE9EB01310F0500F1EAC4A72A0DBB1A904C795
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01032520
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01032549
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 87f39f98dbdeddc2433ce7b592e8e8726fefc1f030d9dcf7d4c0a7b1f9163ae6
              • Instruction ID: 9b7fce2afd564ce8ef6d162985f964ebeb40074fbef4e9251a980877d5146c99
              • Opcode Fuzzy Hash: 87f39f98dbdeddc2433ce7b592e8e8726fefc1f030d9dcf7d4c0a7b1f9163ae6
              • Instruction Fuzzy Hash: 481106B0500225BADB259F558C99FBBFFACFF46651F00816AF58686081D7706650C7F0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 0103830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,010380C8,?,00000000,?,?), ref: 01038322
              • inet_addr.WSOCK32(00000000), ref: 010380CB
              • htons.WSOCK32(00000000), ref: 01038108
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ByteCharMultiWidehtonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 2496851823-2422070025
              • Opcode ID: 756a16bcb0deabc14e59fcd5982cf6aa872f61e112707971983acd219734cc87
              • Instruction ID: c6fd15d08da3e4c2a67fdb8eb97b024148909a6e19c3368fcb3a6d08dd868949
              • Opcode Fuzzy Hash: 756a16bcb0deabc14e59fcd5982cf6aa872f61e112707971983acd219734cc87
              • Instruction Fuzzy Hash: F811E574600206ABDB20DF68CC86FEEB368FF44310F10C69BFA5197281DA76A810C755
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01019355
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 4e776baad4f721ca18f0f2d9acaa162e771763abf8c9dc39524851c6baeb449c
              • Instruction ID: c8a3d157c7781cac4ceac45fb7016b5dc8c734b73def42c0d13cf97f343eaef6
              • Opcode Fuzzy Hash: 4e776baad4f721ca18f0f2d9acaa162e771763abf8c9dc39524851c6baeb449c
              • Instruction Fuzzy Hash: 8301F171A01216ABCB04FBA5CCA2DFE77A9BF06760B00065DF9B2572C5DF396908D750
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 0101924D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: b067752d1eca55d93c7eeee031149ec13ce34b8f6f89b1214d7d4825e1962ccc
              • Instruction ID: a2b44ff2af167cad63b3ef36c4ee732737c27836937290ad13c94ee0c9eeb758
              • Opcode Fuzzy Hash: b067752d1eca55d93c7eeee031149ec13ce34b8f6f89b1214d7d4825e1962ccc
              • Instruction Fuzzy Hash: FD014271E4120A6BCB04FBA0CEA2EFE77AC9F05740F10015DB98267281EE1D6F0C96B1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 010192D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 65f47d9d3c2d450b090c858b36acd19da6464f869e1023cd898d354c6fc97200
              • Instruction ID: 509372767e9a1d7ca992a9fc30ca0313f45ac33d086158b6dcf30736106392a8
              • Opcode Fuzzy Hash: 65f47d9d3c2d450b090c858b36acd19da6464f869e1023cd898d354c6fc97200
              • Instruction Fuzzy Hash: F0012671E4120A6BCB00FAA5CE92EFE77AC9F10750F14015DB98263285DA2D5F0C96B1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: fb14bacbf205e0a03e08bb012dd4fc811093037cad311212581d17d8e8627115
              • Instruction ID: 07644d08d8fd743db838f3bc4844b9361f2b9f0c1f8c90819145ddcc01c676eb
              • Opcode Fuzzy Hash: fb14bacbf205e0a03e08bb012dd4fc811093037cad311212581d17d8e8627115
              • Instruction Fuzzy Hash: 4CE02B72A0423957D32095999C49B97F7ACEB41721F00005AF950D3040D565950587E0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 010181CA
                • Part of subcall function 00FE3598: _doexit.LIBCMT ref: 00FE35A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: 7092347f715947309570d8d5d9f3dc211c3ea389df48d01166973225118fcade
              • Instruction ID: e0f2163a70135eb313dc36180f37ea71db9fa40599a673360a65bf46723f50b6
              • Opcode Fuzzy Hash: 7092347f715947309570d8d5d9f3dc211c3ea389df48d01166973225118fcade
              • Instruction Fuzzy Hash: 64D05B323C535932D26432BA6D0BFC67D884B05B55F04441ABB48995D38EEA558152DD
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00FFB564: _memset.LIBCMT ref: 00FFB571
                • Part of subcall function 00FE0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FFB540,?,?,?,00FC100A), ref: 00FE0B89
              • IsDebuggerPresent.KERNEL32(?,?,?,00FC100A), ref: 00FFB544
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FC100A), ref: 00FFB553
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FFB54E
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: 29048dfa1d57ced926229ff448fe3d3fb708e6ec01d70d2451d3755d1d371841
              • Instruction ID: 40664510df01fee249e211ab69aa17f3e328725f7333b51b427221ac02521f66
              • Opcode Fuzzy Hash: 29048dfa1d57ced926229ff448fe3d3fb708e6ec01d70d2451d3755d1d371841
              • Instruction Fuzzy Hash: 4CE06DB46007158BD330DF29DA047527BE4AF00758F08892DE5C6C6255DBBDD444DB61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01045BF5
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01045C08
                • Part of subcall function 010254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1224790304.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
              • Associated: 00000000.00000002.1224692847.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.000000000104F000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225416317.0000000001075000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225611549.000000000107F000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001088000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.000000000108A000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1225930818.0000000001098000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_fc0000_DPT_590327839_027838893200_____________________________.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: dbb2f83a5bf12dcf1b8bc18204d28a6505cc8dfe6c07242f7a031db678b537e5
              • Instruction ID: 9aa54ff305ee12a4fc1501182b7dc3894b5676d13adabe0d4eed12fab843cb4c
              • Opcode Fuzzy Hash: dbb2f83a5bf12dcf1b8bc18204d28a6505cc8dfe6c07242f7a031db678b537e5
              • Instruction Fuzzy Hash: BCD0A975388312B7E334AA30AC4BFD76A10AB00B40F000828B385AA0C0C8E86800C344
              Uniqueness

              Uniqueness Score: -1.00%
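The function summaries above are worth reading with the linked runtime in mind. The IsDebuggerPresent / OutputDebugStringW pair next to the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is the constructor of ATL's CAtlBaseModule, which every ATL-linked binary carries; it calls IsDebuggerPresent only to decide whether to emit its own initialisation-failure message, so this function alone does not show author-written anti-debugging. The MessageBoxW with caption "AutoIt" and text "Error allocating memory." is the AutoIt interpreter's out-of-memory handler, consistent with the "Binary is likely a compiled AutoIt script file" signature. The parser below is an added example, not part of the Joe Sandbox report: it reads blocks in this exact APIs / Strings / Similarity / Uniqueness layout, extracts the per-function identifiers (the API String ID is the value to pivot on across reports), and tags the two library stubs so triage time goes to the remaining functions. The SAMPLE_REPORT text is constructed from the three summaries above, trimmed to the lines the parser uses; the tag names ("atl-runtime-stub", "autoit-runtime", "review") are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three summaries copied from this report, trimmed to the
# lines the parser consumes (Associated dump and IDA plugin lines omitted).
SAMPLE_REPORT = """\
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 010181CA
  • Part of subcall function 00FE3598: _doexit.LIBCMT ref: 00FE35A2
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00FE0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FFB540,?,?,?,00FC100A), ref: 00FE0B89
• IsDebuggerPresent.KERNEL32(?,?,?,00FC100A), ref: 00FFB544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FC100A), ref: 00FFB553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FFB54E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
Uniqueness
Uniqueness Score: -1.00%
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01045BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01045C08
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"Part of subcall function ([0-9A-Fa-f]+):\s*(\w+)\.(\w+)")
STRING_RE = re.compile(r"^•\s*(.*),\s*xrefs:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)       # (name, module, args, ref)
    subcalls: list = field(default_factory=list)   # (callee address, name, module)
    strings: list = field(default_factory=list)    # (text, xref)
    similarity: dict = field(default_factory=dict)
    uniqueness: float = float("nan")


def parse_blocks(text):
    """Split report text into one FunctionBlock per 'APIs' section."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                   # each function summary opens with APIs
            block = FunctionBlock()
            blocks.append(block)
        if line in SECTIONS:
            section = line
            continue
        if block is None or not line:
            continue
        if line.startswith("Uniqueness Score:"):
            block.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif "Part of subcall function" in line and (m := SUBCALL_RE.search(line)):
            block.subcalls.append(m.groups())
        elif section == "APIs" and (m := API_RE.match(line)):
            block.apis.append(m.groups())
        elif section == "Strings" and (m := STRING_RE.match(line)):
            block.strings.append(m.groups())
        elif section == "Similarity" and (m := KV_RE.match(line)):
            block.similarity[m.group(1).strip()] = m.group(2).strip()
    return blocks


def classify(block):
    """Tag library stubs that trip generic signatures; everything else needs a look."""
    names = {api[0] for api in block.apis}
    strs = " ".join(text for text, _ in block.strings)
    if "IsDebuggerPresent" in names and "CAtlBaseModule" in strs:
        # ATL's CAtlBaseModule constructor: IsDebuggerPresent gates only its own
        # OutputDebugString on init failure, so this is library code, not evasion.
        return "atl-runtime-stub"
    for name, _, args, _ in block.apis:
        if name == "MessageBoxW" and "AutoIt" in args.split(","):
            return "autoit-runtime"          # the AutoIt interpreter's own error box
    return "review"


def index_by_api_string_id(blocks):
    """API String ID is stable across samples, so it is the key to pivot on."""
    return {b.similarity["API String ID"]: b for b in blocks if "API String ID" in b.similarity}


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_REPORT):
        print(b.similarity.get("API String ID"), classify(b), [api[0] for api in b.apis])
```

Running the module prints one line per function with its API String ID, tag and direct API calls; only the FindWindowW / PostMessageW function comes out as "review". The same regexes apply to the full report text once the Associated and IDA plugin lines are present, because the parser ignores lines that do not match a known section's pattern.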