Windows Analysis Report
QQpQgSYkjW.exe

Overview

General Information

Sample name: QQpQgSYkjW.exe (renamed because original name is a hash value)
Original sample name: abf9e8cf069089a9ed518b17e6572bd573591238bbcda422ef1fd0340d39c91c.exe
Analysis ID: 1588911
MD5: e33db30dd474db70813073e864a4d2e4
SHA1: 908756dc448c99893880c2a533a1e6891ed36e73
SHA256: abf9e8cf069089a9ed518b17e6572bd573591238bbcda422ef1fd0340d39c91c
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • QQpQgSYkjW.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\QQpQgSYkjW.exe" MD5: E33DB30DD474DB70813073E864A4D2E4)
    • svchost.exe (PID: 7780 cmdline: "C:\Users\user\Desktop\QQpQgSYkjW.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1662886401.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1663107017.0000000002D30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\QQpQgSYkjW.exe", CommandLine: "C:\Users\user\Desktop\QQpQgSYkjW.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QQpQgSYkjW.exe", ParentImage: C:\Users\user\Desktop\QQpQgSYkjW.exe, ParentProcessId: 7712, ParentProcessName: QQpQgSYkjW.exe, ProcessCommandLine: "C:\Users\user\Desktop\QQpQgSYkjW.exe", ProcessId: 7780, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\QQpQgSYkjW.exe", CommandLine: "C:\Users\user\Desktop\QQpQgSYkjW.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QQpQgSYkjW.exe", ParentImage: C:\Users\user\Desktop\QQpQgSYkjW.exe, ParentProcessId: 7712, ParentProcessName: QQpQgSYkjW.exe, ProcessCommandLine: "C:\Users\user\Desktop\QQpQgSYkjW.exe", ProcessId: 7780, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: QQpQgSYkjW.exe | Avira: detected
Source: QQpQgSYkjW.exe | Virustotal: Detection: 47%
Source: QQpQgSYkjW.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1662886401.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1663107017.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QQpQgSYkjW.exe | Joe Sandbox ML: detected
Source: QQpQgSYkjW.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: QQpQgSYkjW.exe, 00000000.00000003.1389753415.0000000004290000.00000004.00001000.00020000.00000000.sdmp, QQpQgSYkjW.exe, 00000000.00000003.1389992644.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1624451731.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1626528530.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.000000000359E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: QQpQgSYkjW.exe, 00000000.00000003.1389753415.0000000004290000.00000004.00001000.00020000.00000000.sdmp, QQpQgSYkjW.exe, 00000000.00000003.1389992644.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1624451731.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1626528530.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.000000000359E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0018DBBE
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0015C2A2 FindFirstFileExW | 0_2_0015C2A2
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001968EE FindFirstFileW,FindClose | 0_2_001968EE
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_0019698F
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0018D076
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0018D3A9
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00199642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00199642
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0019979D
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00199B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00199B2B
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00195C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00195C97
Source: global traffic | TCP traffic: 192.168.2.9:51585 -> 162.159.36.2:53
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019CE44 InternetReadFile,SetEvent,GetLastError,SetEvent | 0_2_0019CE44
Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_0019EAFF
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_0019ED6A
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_0019EAFF
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_0018AA57
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_001B9576

E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1662886401.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1663107017.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: QQpQgSYkjW.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: QQpQgSYkjW.exe, 00000000.00000000.1362492383.00000000001E2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_1635ccf8-a
Source: QQpQgSYkjW.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_0e60f3b0-d
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C9F3 NtClose | 2_2_0042C9F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AA5D NtAllocateVirtualMemory | 2_2_0040AA5D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B60 NtClose,LdrInitializeThunk | 2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk | 2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk | 2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474340 NtSetContextThread | 2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474650 NtSuspendThread | 2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BE0 NtQueryValueKey | 2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BF0 NtAllocateVirtualMemory | 2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B80 NtQueryInformationFile | 2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BA0 NtEnumerateValueKey | 2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AD0 NtReadFile | 2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AF0 NtWriteFile | 2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AB0 NtWaitForSingleObject | 2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F60 NtCreateProcessEx | 2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F30 NtCreateSection | 2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FE0 NtCreateFile | 2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F90 NtProtectVirtualMemory | 2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FA0 NtQuerySection | 2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FB0 NtResumeThread | 2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E30 NtWriteVirtualMemory | 2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EE0 NtQueueApcThread | 2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E80 NtReadVirtualMemory | 2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EA0 NtAdjustPrivilegesToken | 2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D00 NtSetInformationFile | 2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D10 NtMapViewOfSection | 2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D30 NtUnmapViewOfSection | 2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DD0 NtDelayExecution | 2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DB0 NtEnumerateKey | 2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C60 NtCreateKey | 2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C70 NtFreeVirtualMemory | 2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C00 NtQueryInformationProcess | 2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CC0 NtQueryVirtualMemory | 2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CF0 NtOpenProcess | 2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CA0 NtQueryInformationToken | 2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473010 NtOpenDirectoryObject | 2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473090 NtSetValueKey | 2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034739B0 NtGetContextThread | 2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D70 NtOpenThread | 2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D10 NtOpenProcessToken | 2_2_03473D10
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018D5EB: CreateFileW,DeviceIoControl,CloseHandle | 0_2_0018D5EB
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00181201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00181201
Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_0018E8F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B9C322_2_034B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFCF22_2_034FFCF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 101 times
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: String function: 0013F9F2 appears 40 times
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: String function: 00140A30 appears 46 times
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: String function: 00144963 appears 31 times
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: String function: 00129CB3 appears 31 times
          Source: QQpQgSYkjW.exe, 00000000.00000003.1390991902.000000000440D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QQpQgSYkjW.exe
          Source: QQpQgSYkjW.exe, 00000000.00000003.1389992644.0000000004213000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QQpQgSYkjW.exe
          Source: QQpQgSYkjW.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engine | Classification label: mal92.troj.evad.winEXE@3/2@1/0
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001937B5 GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001810BF AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001AA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | File created: C:\Users\user\AppData\Local\Temp\autFF42.tmp
          Source: QQpQgSYkjW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: QQpQgSYkjW.exe | Virustotal: Detection: 47%
          Source: QQpQgSYkjW.exe | ReversingLabs: Detection: 68%
          Source: unknown | Process created: C:\Users\user\Desktop\QQpQgSYkjW.exe "C:\Users\user\Desktop\QQpQgSYkjW.exe"
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QQpQgSYkjW.exe"
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: ntmarta.dll
          Source: QQpQgSYkjW.exe | Static file information: File size 1266688 > 1048576
          Source: QQpQgSYkjW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: QQpQgSYkjW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: QQpQgSYkjW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: QQpQgSYkjW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: QQpQgSYkjW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: QQpQgSYkjW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: QQpQgSYkjW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: QQpQgSYkjW.exe, 00000000.00000003.1389753415.0000000004290000.00000004.00001000.00020000.00000000.sdmp, QQpQgSYkjW.exe, 00000000.00000003.1389992644.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1624451731.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1626528530.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.000000000359E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: QQpQgSYkjW.exe, 00000000.00000003.1389753415.0000000004290000.00000004.00001000.00020000.00000000.sdmp, QQpQgSYkjW.exe, 00000000.00000003.1389992644.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1624451731.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1626528530.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1663211380.000000000359E000.00000040.00001000.00020000.00000000.sdmp
          Source: QQpQgSYkjW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: QQpQgSYkjW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: QQpQgSYkjW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: QQpQgSYkjW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: QQpQgSYkjW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00140A76 push ecx; ret 0_2_00140A89
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411948 push ss; retf 2_2_0041194E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040214C pushad ; retf 2_2_0040214D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004229B7 push es; ret 2_2_004229CA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416AAC push esp; retf 2_2_00416AAD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413B33 pushfd ; ret 2_2_00413B79
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004033E0 push eax; ret 2_2_004033E2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00423CA7 pushfd ; ret 2_2_00423CB2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415D23 push 00000009h; retn 3081h 2_2_00415DC4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041F61A push eax; iretd 2_2_0041F61B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041F63F push esp; retf 2_2_0041F648
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408695 push edx; retf 2_2_004086AE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004086AF push edx; retf 2_2_004086AE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340225F pushad ; ret 2_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034027FA pushad ; ret 2_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340283D push eax; iretd 2_2_03402858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340135E push eax; iretd 2_2_03401369
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0013F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | API/Special instruction interceptor: Address: 19240C4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | API coverage: 4.0 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7784 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0015C2A2 FindFirstFileExW
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001968EE FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00199642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00199B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00195C97 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417A83 LdrLoadDll
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0019EAA2 BlockInput
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00152622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00144CE8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_01924390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_01924330 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_01922D20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]2_2_0346C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]2_2_034666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]2_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]2_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]2_2_034C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]2_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]2_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]2_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]2_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]2_2_034365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]2_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]2_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]2_2_034325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]2_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]2_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]2_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]2_2_03464588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]2_2_0346E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]2_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]2_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]2_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]2_2_034EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]2_2_0342645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]2_2_0345245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]2_2_034BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]2_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]2_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]2_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]2_2_0342C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]2_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]2_2_0346A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]2_2_034304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]2_2_034EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]2_2_034364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]2_2_034644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]2_2_034BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]2_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]2_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]2_2_034FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]2_2_034D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]2_2_034DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]2_2_0342CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]2_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]2_2_0345EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]2_2_0345EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]2_2_034F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]2_2_034F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]2_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]2_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]2_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]2_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]2_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]2_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B4F40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00180B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00152622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0014083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001409D5 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00140C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 6EB008
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00181201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00162BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0018B226 SendInput,keybd_event
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QQpQgSYkjW.exe"
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00180B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00181663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: QQpQgSYkjW.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: QQpQgSYkjW.exe | Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00140698 cpuid
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_00198195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0017D27A GetUserNameW
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_0015B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1662886401.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1663107017.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: QQpQgSYkjW.exe | Binary or memory string: WIN_81
          Source: QQpQgSYkjW.exe | Binary or memory string: WIN_XP
          Source: QQpQgSYkjW.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: QQpQgSYkjW.exe | Binary or memory string: WIN_XPe
          Source: QQpQgSYkjW.exe | Binary or memory string: WIN_VISTA
          Source: QQpQgSYkjW.exe | Binary or memory string: WIN_7
          Source: QQpQgSYkjW.exe | Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1662886401.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1663107017.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\QQpQgSYkjW.exe | Code function: 0_2_001A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK matrix (techniques listed per tactic; a number preceding a technique is the report's count of signatures matching it):

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
          Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling
          Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 115 System Information Discovery; 24 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Source | Detection | Scanner | Label
          QQpQgSYkjW.exe | 47% | Virustotal |
          QQpQgSYkjW.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject
          QQpQgSYkjW.exe | 100% | Avira | HEUR/AGEN.1319493
          QQpQgSYkjW.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
          206.23.85.13.in-addr.arpa | unknown | unknown | false | | high
              No contacted IP infos
              Joe Sandbox version:42.0.0 Malachite
              Analysis ID:1588911
              Start date and time:2025-01-11 07:03:15 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 40s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
               Number of new started processes analysed:9
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:QQpQgSYkjW.exe
              renamed because original name is a hash value
              Original Sample Name:abf9e8cf069089a9ed518b17e6572bd573591238bbcda422ef1fd0340d39c91c.exe
              Detection:MAL
              Classification:mal92.troj.evad.winEXE@3/2@1/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 43
              • Number of non-executed functions: 307
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212, 13.85.23.206, 4.245.163.56
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
               • Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing disassembly code.
               Time | Type | Description
               01:04:36 | API Interceptor | 3x Sleep call for process: svchost.exe modified
              No context
               Match | Associated Sample Name / URL | Detection | Threat Name | Context
               s-part-0017.t-0009.t-msedge.net | ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.246.45
               | 1r3DRyrX0T.exe | malicious | DarkWatchman | 13.107.246.45
               | TBUjHBNHaD.exe | malicious | DarkWatchman | 13.107.246.45
               | S7s4XhcN1G.exe | malicious | DarkWatchman | 13.107.246.45
               | 6043249381237528594.js | malicious | Strela Downloader | 13.107.246.45
               | 247624346306918832.js | malicious | Strela Downloader | 13.107.246.45
               | https://mrohailkhan.com/energyaustralia/auth/auhs1/ | malicious | Unknown | 13.107.246.45
               | T1#U5b89#U88c5#U53051.0.1.msi | malicious | Unknown | 13.107.246.45
               | Xre0Nmqk09.exe | malicious | AgentTesla, PureLog Stealer | 13.107.246.45
               | 22736232701915520651.js | malicious | Strela Downloader | 13.107.246.45
              No context
              Process:C:\Users\user\Desktop\QQpQgSYkjW.exe
              File Type:data
              Category:dropped
              Size (bytes):288256
              Entropy (8bit):7.993696916428443
              Encrypted:true
              SSDEEP:6144:HIyA0CS8vP8WfJtfFURukANmuD4xrq2MFT0kgnWqGs1hb4KJl:HXzCSditfFyu5musqHgnis1hb4KJl
              MD5:607AD2DA5F1D6FFFE5E276E05310BF11
              SHA1:BC444D744FF7D225533261FD3BB3762D9F44E799
              SHA-256:895B5A07836B875B158776BA3C53260DE0A0D62FF1C4B6FB5BE2A2A222549BE0
              SHA-512:B9546F65D964B24C81A45255A0DC7BC7283C6A71AC19465B2BF592F3D647D6756BA9EE5137D3148E6CDFCF19CEADFDC2E579D3C1A36454D5F977C2BE6865C8F4
              Malicious:false
              Reputation:low
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.155665304834251
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:QQpQgSYkjW.exe
              File size:1'266'688 bytes
              MD5:e33db30dd474db70813073e864a4d2e4
              SHA1:908756dc448c99893880c2a533a1e6891ed36e73
              SHA256:abf9e8cf069089a9ed518b17e6572bd573591238bbcda422ef1fd0340d39c91c
              SHA512:dd67c1edabb4baa923c80717ab391c7b7b3f59bf74cd5b09618bba390f61cde47a409134bf60adcc3bba83886a25da9378f3d23211d8dc1d148f41522ece3a55
              SSDEEP:24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aVXZQifyGuR2ET9:2TvC/MTQYxsWR7aVui6GuR9
              TLSH:7345CF0273C1C022FFAB92334B5AF65156BD79260523E62F13981DB9BE701B1563E7A3
              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
              Icon Hash:aaf3e3e3938382a0
              Entrypoint:0x420577
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
              Time Stamp:0x67616B1F [Tue Dec 17 12:14:23 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:948cc502fe9226992dce9417f952fce3
              Instruction
              call 00007FE4F0BD5343h
              jmp 00007FE4F0BD4C4Fh
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007FE4F0BD4E2Dh
              mov dword ptr [esi], 0049FDF0h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 0049FDF8h
              mov dword ptr [ecx], 0049FDF0h
              ret
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007FE4F0BD4DFAh
              mov dword ptr [esi], 0049FE0Ch
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 0049FE14h
              mov dword ptr [ecx], 0049FE0Ch
              ret
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 0049FDD0h
              and dword ptr [eax], 00000000h
              and dword ptr [eax+04h], 00000000h
              push eax
              mov eax, dword ptr [ebp+08h]
              add eax, 04h
              push eax
              call 00007FE4F0BD79EDh
              pop ecx
              pop ecx
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              lea eax, dword ptr [ecx+04h]
              mov dword ptr [ecx], 0049FDD0h
              push eax
              call 00007FE4F0BD7A38h
              pop ecx
              ret
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 0049FDD0h
              push eax
              call 00007FE4F0BD7A21h
              test byte ptr [ebp+08h], 00000001h
              pop ecx
              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5e8b8 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x133000 | 0x7594 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0xd4000 | 0x5e8b8 | 0x5ea00 | cb0c963d9429226676a9505722d30732 | False | 0.9322727460369881 | data | 7.90628962447116 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x133000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0xd44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
              RT_ICON | 0xd45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
              RT_ICON | 0xd48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
              RT_ICON | 0xd49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
              RT_ICON | 0xd5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
              RT_ICON | 0xd6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
              RT_ICON | 0xd6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
              RT_ICON | 0xd8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
              RT_ICON | 0xd9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
              RT_STRING | 0xda148 | 0x594 | data | English | Great Britain | 0.3333333333333333
              RT_STRING | 0xda6dc | 0x68a | data | English | Great Britain | 0.2735961768219833
              RT_STRING | 0xdad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
              RT_STRING | 0xdb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
              RT_STRING | 0xdb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
              RT_STRING | 0xdbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
              RT_STRING | 0xdc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
              RT_RCDATA | 0xdc410 | 0x55f4d | data | | | 1.000329473382243
              RT_GROUP_ICON | 0x132360 | 0x76 | data | English | Great Britain | 0.6610169491525424
              RT_GROUP_ICON | 0x1323d8 | 0x14 | data | English | Great Britain | 1.15
              RT_VERSION | 0x1323ec | 0xdc | data | English | Great Britain | 0.6181818181818182
              RT_MANIFEST | 0x1324c8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
              DLL | Import
              WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
              VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
              WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
              COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
              MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
              WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
              PSAPI.DLL | GetProcessMemoryInfo
              IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
              USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
              UxTheme.dll | IsThemeActive
              KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
              USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
              GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
              COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
              ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
              SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
              ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
              OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
              Language of compilation system | Country where language is spoken | Map
              English | Great Britain |
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jan 11, 2025 07:04:39.559262991 CET | 51585 | 53 | 192.168.2.9 | 162.159.36.2
              Jan 11, 2025 07:04:39.564230919 CET | 53 | 51585 | 162.159.36.2 | 192.168.2.9
              Jan 11, 2025 07:04:39.564331055 CET | 51585 | 53 | 192.168.2.9 | 162.159.36.2
              Jan 11, 2025 07:04:39.569281101 CET | 53 | 51585 | 162.159.36.2 | 192.168.2.9
              Jan 11, 2025 07:04:40.016379118 CET | 51585 | 53 | 192.168.2.9 | 162.159.36.2
              Jan 11, 2025 07:04:40.021399975 CET | 53 | 51585 | 162.159.36.2 | 192.168.2.9
              Jan 11, 2025 07:04:40.021450043 CET | 51585 | 53 | 192.168.2.9 | 162.159.36.2
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jan 11, 2025 07:04:39.558597088 CET | 53 | 65393 | 162.159.36.2 | 192.168.2.9
              Jan 11, 2025 07:04:40.029628038 CET | 63650 | 53 | 192.168.2.9 | 1.1.1.1
              Jan 11, 2025 07:04:40.036748886 CET | 53 | 63650 | 1.1.1.1 | 192.168.2.9
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Jan 11, 2025 07:04:40.029628038 CET | 192.168.2.9 | 1.1.1.1 | 0x6543 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jan 11, 2025 07:04:04.247292042 CET | 1.1.1.1 | 192.168.2.9 | 0x70e7 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
              Jan 11, 2025 07:04:04.247292042 CET | 1.1.1.1 | 192.168.2.9 | 0x70e7 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
              Jan 11, 2025 07:04:40.036748886 CET | 1.1.1.1 | 192.168.2.9 | 0x6543 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

              Target ID:0
              Start time:01:04:09
              Start date:11/01/2025
              Path:C:\Users\user\Desktop\QQpQgSYkjW.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\QQpQgSYkjW.exe"
              Imagebase:0x120000
              File size:1'266'688 bytes
              MD5 hash:E33DB30DD474DB70813073E864A4D2E4
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:01:04:11
              Start date:11/01/2025
              Path:C:\Windows\SysWOW64\svchost.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\QQpQgSYkjW.exe"
              Imagebase:0xd20000
              File size:46'504 bytes
              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1662886401.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1663107017.0000000002D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high
              Has exited:true

                Execution Graph

                Execution Coverage:3%
                Dynamic/Decrypted Code Coverage:1.8%
                Signature Coverage:3.3%
                Total number of Nodes:1824
                Total number of Limit Nodes:47
98174 122f98 98175 122fdc 98174->98175 98249 123084 22 API calls 98174->98249 98175->98159 98176 122fe8 98175->98176 98176->98169 98251 1263eb 22 API calls 98176->98251 98179 122fbf 98181 12a8c7 22 API calls 98179->98181 98180 122ff8 98252 126a50 22 API calls 98180->98252 98182 122fcd 98181->98182 98250 123084 22 API calls 98182->98250 98185 123006 98253 1270b0 23 API calls 98185->98253 98189 123021 98190 123065 98189->98190 98254 126f88 22 API calls 98189->98254 98255 1270b0 23 API calls 98189->98255 98256 123084 22 API calls 98189->98256 98193 124af0 __wsopen_s 98192->98193 98194 126b57 22 API calls 98193->98194 98195 124b22 98193->98195 98194->98195 98205 124b58 98195->98205 98294 124c6d 98195->98294 98197 124c6d 22 API calls 98197->98205 98198 129cb3 22 API calls 98200 124c52 98198->98200 98199 129cb3 22 API calls 98199->98205 98201 12515f 22 API calls 98200->98201 98203 124c5e 98201->98203 98203->98117 98204 124c29 98204->98198 98204->98203 98205->98197 98205->98199 98205->98204 98297 12515f 98205->98297 98303 161f50 98206->98303 98209 129cb3 22 API calls 98210 123a8d 98209->98210 98305 123aa2 98210->98305 98212 123a97 98212->98119 98214 129cc2 _wcslen 98213->98214 98215 13fe0b 22 API calls 98214->98215 98216 129cea __fread_nolock 98215->98216 98217 13fddb 22 API calls 98216->98217 98218 122e8c 98217->98218 98219 124ecb 98218->98219 98325 124e90 LoadLibraryA 98219->98325 98224 124ef6 LoadLibraryExW 98333 124e59 LoadLibraryA 98224->98333 98225 163ccf 98226 124f39 68 API calls 98225->98226 98228 163cd6 98226->98228 98230 124e59 3 API calls 98228->98230 98232 163cde 98230->98232 98355 1250f5 98232->98355 98233 124f20 98233->98232 98234 124f2c 98233->98234 98235 124f39 68 API calls 98234->98235 98237 122ea5 98235->98237 98237->98124 98237->98125 98240 163d05 98241->98134 98242->98139 98243->98149 98244->98158 98245->98161 98246->98165 98247->98171 98248->98174 98249->98179 98250->98175 98251->98180 98252->98185 98253->98189 98254->98189 98255->98189 98256->98189 
98258 192d15 98257->98258 98259 12511f 64 API calls 98258->98259 98260 192d29 98259->98260 98498 192e66 98260->98498 98263 192d3f 98263->98127 98264 1250f5 40 API calls 98265 192d56 98264->98265 98266 1250f5 40 API calls 98265->98266 98267 192d66 98266->98267 98268 1250f5 40 API calls 98267->98268 98269 192d81 98268->98269 98270 1250f5 40 API calls 98269->98270 98271 192d9c 98270->98271 98272 12511f 64 API calls 98271->98272 98273 192db3 98272->98273 98274 14ea0c ___std_exception_copy 21 API calls 98273->98274 98275 192dba 98274->98275 98276 14ea0c ___std_exception_copy 21 API calls 98275->98276 98277 192dc4 98276->98277 98278 1250f5 40 API calls 98277->98278 98279 192dd8 98278->98279 98280 1928fe 27 API calls 98279->98280 98281 192dee 98280->98281 98281->98263 98504 1922ce 79 API calls 98281->98504 98284 124f43 98283->98284 98286 124f4a 98283->98286 98505 14e678 98284->98505 98287 124f6a FreeLibrary 98286->98287 98288 124f59 98286->98288 98287->98288 98288->98128 98289->98141 98290->98145 98291->98151 98292->98159 98293->98169 98295 12aec9 22 API calls 98294->98295 98296 124c78 98295->98296 98296->98195 98298 12516e 98297->98298 98302 12518f __fread_nolock 98297->98302 98300 13fe0b 22 API calls 98298->98300 98299 13fddb 22 API calls 98301 1251a2 98299->98301 98300->98302 98301->98205 98302->98299 98304 123a67 GetModuleFileNameW 98303->98304 98304->98209 98306 161f50 __wsopen_s 98305->98306 98307 123aaf GetFullPathNameW 98306->98307 98308 123ae9 98307->98308 98309 123ace 98307->98309 98319 12a6c3 98308->98319 98310 126b57 22 API calls 98309->98310 98312 123ada 98310->98312 98315 1237a0 98312->98315 98316 1237ae 98315->98316 98317 1293b2 22 API calls 98316->98317 98318 1237c2 98317->98318 98318->98212 98320 12a6d0 98319->98320 98321 12a6dd 98319->98321 98320->98312 98322 13fddb 22 API calls 98321->98322 98323 12a6e7 98322->98323 98324 13fe0b 22 API calls 98323->98324 98324->98320 98326 124ec6 98325->98326 98327 124ea8 GetProcAddress 98325->98327 98330 14e5eb 
98326->98330 98328 124eb8 98327->98328 98328->98326 98329 124ebf FreeLibrary 98328->98329 98329->98326 98363 14e52a 98330->98363 98332 124eea 98332->98224 98332->98225 98334 124e6e GetProcAddress 98333->98334 98335 124e8d 98333->98335 98336 124e7e 98334->98336 98338 124f80 98335->98338 98336->98335 98337 124e86 FreeLibrary 98336->98337 98337->98335 98339 13fe0b 22 API calls 98338->98339 98340 124f95 98339->98340 98424 125722 98340->98424 98342 124fa1 __fread_nolock 98343 124fdc 98342->98343 98344 1250a5 98342->98344 98345 163d1d 98342->98345 98348 163d22 98343->98348 98349 1250f5 40 API calls 98343->98349 98354 12506e messages 98343->98354 98433 12511f 98343->98433 98427 1242a2 CreateStreamOnHGlobal 98344->98427 98438 19304d 74 API calls 98345->98438 98350 12511f 64 API calls 98348->98350 98349->98343 98351 163d45 98350->98351 98352 1250f5 40 API calls 98351->98352 98352->98354 98354->98233 98356 125107 98355->98356 98357 163d70 98355->98357 98460 14e8c4 98356->98460 98360 1928fe 98481 19274e 98360->98481 98362 192919 98362->98240 98365 14e536 __FrameHandler3::FrameUnwindToState 98363->98365 98364 14e544 98388 14f2d9 20 API calls __dosmaperr 98364->98388 98365->98364 98367 14e574 98365->98367 98370 14e586 98367->98370 98371 14e579 98367->98371 98368 14e549 98389 1527ec 26 API calls ___std_exception_copy 98368->98389 98380 158061 98370->98380 98390 14f2d9 20 API calls __dosmaperr 98371->98390 98374 14e58f 98375 14e595 98374->98375 98376 14e5a2 98374->98376 98391 14f2d9 20 API calls __dosmaperr 98375->98391 98392 14e5d4 LeaveCriticalSection __fread_nolock 98376->98392 98377 14e554 __fread_nolock 98377->98332 98381 15806d __FrameHandler3::FrameUnwindToState 98380->98381 98393 152f5e EnterCriticalSection 98381->98393 98383 15807b 98394 1580fb 98383->98394 98387 1580ac __fread_nolock 98387->98374 98388->98368 98389->98377 98390->98377 98391->98377 98392->98377 98393->98383 98402 15811e 98394->98402 98395 158088 98408 1580b7 98395->98408 98396 158177 98413 154c7d 20 API 
calls 2 library calls 98396->98413 98398 158180 98414 1529c8 98398->98414 98401 158189 98401->98395 98420 153405 11 API calls 2 library calls 98401->98420 98402->98395 98402->98396 98402->98402 98411 14918d EnterCriticalSection 98402->98411 98412 1491a1 LeaveCriticalSection 98402->98412 98404 1581a8 98421 14918d EnterCriticalSection 98404->98421 98407 1581bb 98407->98395 98423 152fa6 LeaveCriticalSection 98408->98423 98410 1580be 98410->98387 98411->98402 98412->98402 98413->98398 98415 1529d3 RtlFreeHeap 98414->98415 98419 1529fc _free 98414->98419 98416 1529e8 98415->98416 98415->98419 98422 14f2d9 20 API calls __dosmaperr 98416->98422 98418 1529ee GetLastError 98418->98419 98419->98401 98420->98404 98421->98407 98422->98418 98423->98410 98425 13fddb 22 API calls 98424->98425 98426 125734 98425->98426 98426->98342 98428 1242bc FindResourceExW 98427->98428 98429 1242d9 98427->98429 98428->98429 98430 1635ba LoadResource 98428->98430 98429->98343 98430->98429 98431 1635cf SizeofResource 98430->98431 98431->98429 98432 1635e3 LockResource 98431->98432 98432->98429 98434 163d90 98433->98434 98435 12512e 98433->98435 98439 14ece3 98435->98439 98438->98348 98442 14eaaa 98439->98442 98441 12513c 98441->98343 98445 14eab6 __FrameHandler3::FrameUnwindToState 98442->98445 98443 14eac2 98455 14f2d9 20 API calls __dosmaperr 98443->98455 98445->98443 98446 14eae8 98445->98446 98457 14918d EnterCriticalSection 98446->98457 98447 14eac7 98456 1527ec 26 API calls ___std_exception_copy 98447->98456 98450 14eaf4 98458 14ec0a 62 API calls 2 library calls 98450->98458 98452 14eb08 98459 14eb27 LeaveCriticalSection __fread_nolock 98452->98459 98454 14ead2 __fread_nolock 98454->98441 98455->98447 98456->98454 98457->98450 98458->98452 98459->98454 98463 14e8e1 98460->98463 98462 125118 98462->98360 98464 14e8ed __FrameHandler3::FrameUnwindToState 98463->98464 98465 14e900 ___scrt_fastfail 98464->98465 98466 14e92d 98464->98466 98468 14e925 __fread_nolock 98464->98468 98476 14f2d9 20 
API calls __dosmaperr 98465->98476 98478 14918d EnterCriticalSection 98466->98478 98468->98462 98469 14e937 98479 14e6f8 38 API calls 4 library calls 98469->98479 98472 14e91a 98477 1527ec 26 API calls ___std_exception_copy 98472->98477 98473 14e94e 98480 14e96c LeaveCriticalSection __fread_nolock 98473->98480 98476->98472 98477->98468 98478->98469 98479->98473 98480->98468 98484 14e4e8 98481->98484 98483 19275d 98483->98362 98487 14e469 98484->98487 98486 14e505 98486->98483 98488 14e48c 98487->98488 98489 14e478 98487->98489 98494 14e488 __alldvrm 98488->98494 98497 15333f 11 API calls 2 library calls 98488->98497 98495 14f2d9 20 API calls __dosmaperr 98489->98495 98491 14e47d 98496 1527ec 26 API calls ___std_exception_copy 98491->98496 98494->98486 98495->98491 98496->98494 98497->98494 98502 192e7a 98498->98502 98499 1250f5 40 API calls 98499->98502 98500 192d3b 98500->98263 98500->98264 98501 1928fe 27 API calls 98501->98502 98502->98499 98502->98500 98502->98501 98503 12511f 64 API calls 98502->98503 98503->98502 98504->98263 98506 14e684 __FrameHandler3::FrameUnwindToState 98505->98506 98507 14e695 98506->98507 98508 14e6aa 98506->98508 98535 14f2d9 20 API calls __dosmaperr 98507->98535 98517 14e6a5 __fread_nolock 98508->98517 98518 14918d EnterCriticalSection 98508->98518 98510 14e69a 98536 1527ec 26 API calls ___std_exception_copy 98510->98536 98513 14e6c6 98519 14e602 98513->98519 98515 14e6d1 98537 14e6ee LeaveCriticalSection __fread_nolock 98515->98537 98517->98286 98518->98513 98520 14e624 98519->98520 98521 14e60f 98519->98521 98526 14e61f 98520->98526 98538 14dc0b 98520->98538 98570 14f2d9 20 API calls __dosmaperr 98521->98570 98523 14e614 98571 1527ec 26 API calls ___std_exception_copy 98523->98571 98526->98515 98531 14e646 98555 15862f 98531->98555 98534 1529c8 _free 20 API calls 98534->98526 98535->98510 98536->98517 98537->98517 98539 14dc23 98538->98539 98543 14dc1f 98538->98543 98540 14d955 __fread_nolock 26 API calls 98539->98540 98539->98543 
98541 14dc43 98540->98541 98572 1559be 98541->98572 98544 154d7a 98543->98544 98545 14e640 98544->98545 98546 154d90 98544->98546 98548 14d955 98545->98548 98546->98545 98547 1529c8 _free 20 API calls 98546->98547 98547->98545 98549 14d976 98548->98549 98550 14d961 98548->98550 98549->98531 98704 14f2d9 20 API calls __dosmaperr 98550->98704 98552 14d966 98705 1527ec 26 API calls ___std_exception_copy 98552->98705 98554 14d971 98554->98531 98556 158653 98555->98556 98557 15863e 98555->98557 98559 15868e 98556->98559 98564 15867a 98556->98564 98709 14f2c6 20 API calls __dosmaperr 98557->98709 98711 14f2c6 20 API calls __dosmaperr 98559->98711 98561 158643 98710 14f2d9 20 API calls __dosmaperr 98561->98710 98562 158693 98712 14f2d9 20 API calls __dosmaperr 98562->98712 98706 158607 98564->98706 98567 14e64c 98567->98526 98567->98534 98568 15869b 98713 1527ec 26 API calls ___std_exception_copy 98568->98713 98570->98523 98571->98526 98573 1559ca __FrameHandler3::FrameUnwindToState 98572->98573 98574 1559d2 98573->98574 98575 1559ea 98573->98575 98651 14f2c6 20 API calls __dosmaperr 98574->98651 98577 155a88 98575->98577 98581 155a1f 98575->98581 98656 14f2c6 20 API calls __dosmaperr 98577->98656 98578 1559d7 98652 14f2d9 20 API calls __dosmaperr 98578->98652 98597 155147 EnterCriticalSection 98581->98597 98582 155a8d 98657 14f2d9 20 API calls __dosmaperr 98582->98657 98585 155a25 98587 155a56 98585->98587 98588 155a41 98585->98588 98586 155a95 98658 1527ec 26 API calls ___std_exception_copy 98586->98658 98598 155aa9 98587->98598 98653 14f2d9 20 API calls __dosmaperr 98588->98653 98592 1559df __fread_nolock 98592->98543 98593 155a51 98655 155a80 LeaveCriticalSection __wsopen_s 98593->98655 98594 155a46 98654 14f2c6 20 API calls __dosmaperr 98594->98654 98597->98585 98599 155ad7 98598->98599 98600 155ad0 98598->98600 98601 155adb 98599->98601 98602 155afa 98599->98602 98683 140a8c 98600->98683 98666 14f2c6 20 API calls __dosmaperr 98601->98666 98606 155b4b 98602->98606 
98607 155b2e 98602->98607 98605 155ae0 98667 14f2d9 20 API calls __dosmaperr 98605->98667 98610 155b61 98606->98610 98672 159424 28 API calls __wsopen_s 98606->98672 98669 14f2c6 20 API calls __dosmaperr 98607->98669 98608 155cb1 98608->98593 98659 15564e 98610->98659 98612 155ae7 98668 1527ec 26 API calls ___std_exception_copy 98612->98668 98615 155b33 98670 14f2d9 20 API calls __dosmaperr 98615->98670 98619 155b3b 98671 1527ec 26 API calls ___std_exception_copy 98619->98671 98620 155b6f 98625 155b95 98620->98625 98626 155b73 98620->98626 98621 155ba8 98623 155c02 WriteFile 98621->98623 98624 155bbc 98621->98624 98627 155c25 GetLastError 98623->98627 98632 155b8b 98623->98632 98629 155bc4 98624->98629 98630 155bf2 98624->98630 98674 15542e 45 API calls 3 library calls 98625->98674 98631 155c69 98626->98631 98673 1555e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 98626->98673 98627->98632 98633 155be2 98629->98633 98634 155bc9 98629->98634 98677 1556c4 7 API calls 2 library calls 98630->98677 98631->98600 98681 14f2d9 20 API calls __dosmaperr 98631->98681 98632->98600 98632->98631 98642 155c45 98632->98642 98676 155891 8 API calls 2 library calls 98633->98676 98634->98631 98639 155bd2 98634->98639 98637 155be0 98637->98632 98675 1557a3 7 API calls 2 library calls 98639->98675 98641 155c8e 98682 14f2c6 20 API calls __dosmaperr 98641->98682 98645 155c60 98642->98645 98646 155c4c 98642->98646 98680 14f2a3 20 API calls 2 library calls 98645->98680 98678 14f2d9 20 API calls __dosmaperr 98646->98678 98649 155c51 98679 14f2c6 20 API calls __dosmaperr 98649->98679 98651->98578 98652->98592 98653->98594 98654->98593 98655->98592 98656->98582 98657->98586 98658->98592 98690 15f89b 98659->98690 98661 15565e 98662 155663 98661->98662 98699 152d74 38 API calls 3 library calls 98661->98699 98662->98620 98662->98621 98664 155686 98664->98662 98665 1556a4 GetConsoleMode 98664->98665 98665->98662 98666->98605 98667->98612 98668->98600 98669->98615 98670->98619 98671->98600 
98672->98610 98673->98632 98674->98632 98675->98637 98676->98637 98677->98637 98678->98649 98679->98600 98680->98600 98681->98641 98682->98600 98684 140a95 98683->98684 98685 140a97 IsProcessorFeaturePresent 98683->98685 98684->98608 98687 140c5d 98685->98687 98703 140c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 98687->98703 98689 140d40 98689->98608 98691 15f8b5 98690->98691 98692 15f8a8 98690->98692 98694 15f8c1 98691->98694 98701 14f2d9 20 API calls __dosmaperr 98691->98701 98700 14f2d9 20 API calls __dosmaperr 98692->98700 98694->98661 98696 15f8e2 98702 1527ec 26 API calls ___std_exception_copy 98696->98702 98697 15f8ad 98697->98661 98699->98664 98700->98697 98701->98696 98702->98697 98703->98689 98704->98552 98705->98554 98714 158585 98706->98714 98708 15862b 98708->98567 98709->98561 98710->98567 98711->98562 98712->98568 98713->98567 98715 158591 __FrameHandler3::FrameUnwindToState 98714->98715 98725 155147 EnterCriticalSection 98715->98725 98717 15859f 98718 1585c6 98717->98718 98719 1585d1 98717->98719 98726 1586ae 98718->98726 98741 14f2d9 20 API calls __dosmaperr 98719->98741 98722 1585cc 98742 1585fb LeaveCriticalSection __wsopen_s 98722->98742 98724 1585ee __fread_nolock 98724->98708 98725->98717 98743 1553c4 98726->98743 98728 1586be 98729 1586c4 98728->98729 98731 1586f6 98728->98731 98733 1553c4 __wsopen_s 26 API calls 98728->98733 98756 155333 21 API calls 3 library calls 98729->98756 98731->98729 98734 1553c4 __wsopen_s 26 API calls 98731->98734 98732 15871c 98735 15873e 98732->98735 98757 14f2a3 20 API calls 2 library calls 98732->98757 98736 1586ed 98733->98736 98737 158702 CloseHandle 98734->98737 98735->98722 98739 1553c4 __wsopen_s 26 API calls 98736->98739 98737->98729 98740 15870e GetLastError 98737->98740 98739->98731 98740->98729 98741->98722 98742->98724 98744 1553d1 98743->98744 98746 1553e6 98743->98746 98758 14f2c6 20 API calls __dosmaperr 98744->98758 98749 15540b 98746->98749 98760 
14f2c6 20 API calls __dosmaperr 98746->98760 98748 1553d6 98759 14f2d9 20 API calls __dosmaperr 98748->98759 98749->98728 98750 155416 98761 14f2d9 20 API calls __dosmaperr 98750->98761 98753 1553de 98753->98728 98754 15541e 98762 1527ec 26 API calls ___std_exception_copy 98754->98762 98756->98732 98757->98735 98758->98748 98759->98753 98760->98750 98761->98754 98762->98753 98763 12105b 98768 12344d 98763->98768 98765 12106a 98799 1400a3 29 API calls __onexit 98765->98799 98767 121074 98769 12345d __wsopen_s 98768->98769 98770 12a961 22 API calls 98769->98770 98771 123513 98770->98771 98772 123a5a 24 API calls 98771->98772 98773 12351c 98772->98773 98800 123357 98773->98800 98776 1233c6 22 API calls 98777 123535 98776->98777 98778 12515f 22 API calls 98777->98778 98779 123544 98778->98779 98780 12a961 22 API calls 98779->98780 98781 12354d 98780->98781 98782 12a6c3 22 API calls 98781->98782 98783 123556 RegOpenKeyExW 98782->98783 98784 163176 RegQueryValueExW 98783->98784 98788 123578 98783->98788 98785 163193 98784->98785 98786 16320c RegCloseKey 98784->98786 98787 13fe0b 22 API calls 98785->98787 98786->98788 98791 16321e _wcslen 98786->98791 98789 1631ac 98787->98789 98788->98765 98790 125722 22 API calls 98789->98790 98792 1631b7 RegQueryValueExW 98790->98792 98791->98788 98796 124c6d 22 API calls 98791->98796 98797 129cb3 22 API calls 98791->98797 98798 12515f 22 API calls 98791->98798 98793 1631d4 98792->98793 98795 1631ee messages 98792->98795 98794 126b57 22 API calls 98793->98794 98794->98795 98795->98786 98796->98791 98797->98791 98798->98791 98799->98767 98801 161f50 __wsopen_s 98800->98801 98802 123364 GetFullPathNameW 98801->98802 98803 123386 98802->98803 98804 126b57 22 API calls 98803->98804 98805 1233a4 98804->98805 98805->98776 98806 121098 98811 1242de 98806->98811 98810 1210a7 98812 12a961 22 API calls 98811->98812 98813 1242f5 GetVersionExW 98812->98813 98814 126b57 22 API calls 98813->98814 98815 124342 98814->98815 98816 1293b2 22 API calls 
98815->98816 98828 124378 98815->98828 98817 12436c 98816->98817 98819 1237a0 22 API calls 98817->98819 98818 12441b GetCurrentProcess IsWow64Process 98820 124437 98818->98820 98819->98828 98821 163824 GetSystemInfo 98820->98821 98822 12444f LoadLibraryA 98820->98822 98823 124460 GetProcAddress 98822->98823 98824 12449c GetSystemInfo 98822->98824 98823->98824 98825 124470 GetNativeSystemInfo 98823->98825 98826 124476 98824->98826 98825->98826 98829 12109d 98826->98829 98830 12447a FreeLibrary 98826->98830 98827 1637df 98828->98818 98828->98827 98831 1400a3 29 API calls __onexit 98829->98831 98830->98829 98831->98810 98832 12f7bf 98833 12f7d3 98832->98833 98834 12fcb6 98832->98834 98835 12fcc2 98833->98835 98837 13fddb 22 API calls 98833->98837 98926 12aceb 23 API calls messages 98834->98926 98927 12aceb 23 API calls messages 98835->98927 98839 12f7e5 98837->98839 98839->98835 98840 12f83e 98839->98840 98841 12fd3d 98839->98841 98845 12ed9d messages 98840->98845 98867 131310 98840->98867 98928 191155 22 API calls 98841->98928 98844 174beb 98932 19359c 82 API calls __wsopen_s 98844->98932 98846 12fef7 98846->98845 98851 12a8c7 22 API calls 98846->98851 98847 1306a0 41 API calls 98865 12ec76 messages 98847->98865 98848 13fddb 22 API calls 98848->98865 98850 174b0b 98930 19359c 82 API calls __wsopen_s 98850->98930 98851->98845 98852 174600 98852->98845 98855 12a8c7 22 API calls 98852->98855 98855->98845 98857 12a8c7 22 API calls 98857->98865 98858 140242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98858->98865 98859 12fbe3 98859->98845 98861 174bdc 98859->98861 98866 12f3ae messages 98859->98866 98860 12a961 22 API calls 98860->98865 98931 19359c 82 API calls __wsopen_s 98861->98931 98863 1401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98863->98865 98864 1400a3 29 API calls pre_c_initialization 98864->98865 98865->98844 98865->98845 98865->98846 98865->98847 
98865->98848 98865->98850 98865->98852 98865->98857 98865->98858 98865->98859 98865->98860 98865->98863 98865->98864 98865->98866 98925 1301e0 235 API calls 2 library calls 98865->98925 98866->98845 98929 19359c 82 API calls __wsopen_s 98866->98929 98868 1317b0 98867->98868 98869 131376 98867->98869 99046 140242 5 API calls __Init_thread_wait 98868->99046 98870 131390 98869->98870 98871 176331 98869->98871 98933 131940 98870->98933 99051 1a709c 235 API calls 98871->99051 98875 1317ba 98878 1317fb 98875->98878 98880 129cb3 22 API calls 98875->98880 98877 17633d 98877->98865 98882 176346 98878->98882 98884 13182c 98878->98884 98879 131940 9 API calls 98881 1313b6 98879->98881 98887 1317d4 98880->98887 98881->98878 98883 1313ec 98881->98883 99052 19359c 82 API calls __wsopen_s 98882->99052 98883->98882 98907 131408 __fread_nolock 98883->98907 99048 12aceb 23 API calls messages 98884->99048 99047 1401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98887->99047 98888 131839 99049 13d217 235 API calls 98888->99049 98891 17636e 99053 19359c 82 API calls __wsopen_s 98891->99053 98892 13152f 98894 1763d1 98892->98894 98895 13153c 98892->98895 99055 1a5745 54 API calls _wcslen 98894->99055 98897 131940 9 API calls 98895->98897 98898 131549 98897->98898 98902 1764fa 98898->98902 98904 131940 9 API calls 98898->98904 98899 13fddb 22 API calls 98899->98907 98900 131872 99050 13faeb 23 API calls 98900->99050 98901 13fe0b 22 API calls 98901->98907 98911 176369 98902->98911 99056 19359c 82 API calls __wsopen_s 98902->99056 98909 131563 98904->98909 98906 12ec40 235 API calls 98906->98907 98907->98888 98907->98891 98907->98892 98907->98899 98907->98901 98907->98906 98908 1763b2 98907->98908 98907->98911 99054 19359c 82 API calls __wsopen_s 98908->99054 98909->98902 98912 12a8c7 22 API calls 98909->98912 98914 1315c7 messages 98909->98914 98911->98865 98912->98914 98913 131940 9 API calls 98913->98914 98914->98900 98914->98902 98914->98911 98914->98913 98917 13167b 
messages 98914->98917 98923 124f39 68 API calls 98914->98923 98943 19f0ec 98914->98943 98952 1a958b 98914->98952 98955 18d4ce 98914->98955 98958 1a959f 98914->98958 98961 191e96 98914->98961 98965 196ef1 98914->98965 98915 13171d 98915->98865 98917->98915 99045 13ce17 22 API calls messages 98917->99045 98923->98914 98925->98865 98926->98835 98927->98841 98928->98845 98929->98845 98930->98845 98931->98844 98932->98845 98934 131981 98933->98934 98941 13195d 98933->98941 99057 140242 5 API calls __Init_thread_wait 98934->99057 98935 1313a0 98935->98879 98938 13198b 98938->98941 99058 1401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98938->99058 98939 138727 98939->98935 99060 1401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98939->99060 98941->98935 99059 140242 5 API calls __Init_thread_wait 98941->99059 99061 127510 98943->99061 98947 19f136 98948 19f15b 98947->98948 98949 12ec40 235 API calls 98947->98949 98951 19f15f 98948->98951 99112 129c6e 22 API calls 98948->99112 98949->98948 98951->98914 99132 1a7f59 98952->99132 98954 1a959b 98954->98914 99238 18dbbe lstrlenW 98955->99238 98959 1a7f59 120 API calls 98958->98959 98960 1a95af 98959->98960 98960->98914 98962 191e9f 98961->98962 98963 191ea4 98961->98963 99243 190f67 98962->99243 98963->98914 98966 12a961 22 API calls 98965->98966 98967 196f1d 98966->98967 98968 12a961 22 API calls 98967->98968 98969 196f26 98968->98969 98970 196f3a 98969->98970 99415 12b567 39 API calls 98969->99415 98972 127510 53 API calls 98970->98972 98979 196f57 _wcslen 98972->98979 98973 196fbc 98976 127510 53 API calls 98973->98976 98974 1970bf 98975 124ecb 94 API calls 98974->98975 98978 1970d0 98975->98978 98977 196fc8 98976->98977 98982 12a8c7 22 API calls 98977->98982 98987 196fdb 98977->98987 98980 1970e5 98978->98980 98983 124ecb 94 API calls 98978->98983 98979->98973 98979->98974 98986 1970e9 98979->98986 98981 12a961 22 API calls 98980->98981 98980->98986 98984 19711a 98981->98984 
98982->98987 98983->98980 98985 12a961 22 API calls 98984->98985 98990 197126 98985->98990 98986->98914 98988 197027 98987->98988 98991 197005 98987->98991 98994 12a8c7 22 API calls 98987->98994 98989 127510 53 API calls 98988->98989 98992 197034 98989->98992 98993 12a961 22 API calls 98990->98993 98995 1233c6 22 API calls 98991->98995 98996 19703d 98992->98996 98997 197047 98992->98997 98998 19712f 98993->98998 98994->98991 98999 19700f 98995->98999 99000 12a8c7 22 API calls 98996->99000 99416 18e199 GetFileAttributesW 98997->99416 99002 12a961 22 API calls 98998->99002 99003 127510 53 API calls 98999->99003 99000->98997 99005 197138 99002->99005 99006 19701b 99003->99006 99004 197050 99007 197063 99004->99007 99010 124c6d 22 API calls 99004->99010 99008 127510 53 API calls 99005->99008 99009 126350 22 API calls 99006->99009 99012 127510 53 API calls 99007->99012 99017 197069 99007->99017 99011 197145 99008->99011 99009->98988 99010->99007 99264 12525f 99011->99264 99013 1970a0 99012->99013 99417 18d076 57 API calls 99013->99417 99016 197166 99018 124c6d 22 API calls 99016->99018 99017->98986 99019 197175 99018->99019 99020 1971a9 99019->99020 99022 124c6d 22 API calls 99019->99022 99021 12a8c7 22 API calls 99020->99021 99024 1971ba 99021->99024 99023 197186 99022->99023 99023->99020 99026 126b57 22 API calls 99023->99026 99025 126350 22 API calls 99024->99025 99027 1971c8 99025->99027 99028 19719b 99026->99028 99029 126350 22 API calls 99027->99029 99030 126b57 22 API calls 99028->99030 99031 1971d6 99029->99031 99030->99020 99032 126350 22 API calls 99031->99032 99033 1971e4 99032->99033 99034 127510 53 API calls 99033->99034 99035 1971f0 99034->99035 99306 18d7bc 99035->99306 99037 197201 99038 18d4ce 4 API calls 99037->99038 99039 19720b 99038->99039 99040 127510 53 API calls 99039->99040 99044 197239 99039->99044 99041 197229 99040->99041 99360 192947 99041->99360 99043 124f39 68 API calls 99043->98986 99044->99043 99045->98917 99046->98875 99047->98878 
[Raw edge data for the preceding control-flow graph (node-to-node transitions such as 99048->98888, with per-node call counts) omitted; the rendered graph is not recoverable from text. API calls named inline in that data: GetCurrentProcess/TerminateProcess, VirtualProtect, GetFileAttributesW/FindFirstFileW/FindClose, GetTempPathW/GetTempFileNameW, CopyFileW/DeleteFileW, CreateFileW/SetFileTime/CloseHandle, IsProcessorFeaturePresent/IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetStartupInfoW/GetModuleHandleW, GetOpenFileNameW, GetLongPathNameW, GetForegroundWindow/ShellExecuteW, Shell_NotifyIconW, CreateWindowExW/ShowWindow, SetCurrentDirectoryW, GetStdHandle/OleInitialize, RegisterWindowMessageW, InitializeCriticalSectionAndSpinCount/InterlockedExchange/DuplicateHandle/CreateThread, PeekMessageW/GetInputState/TranslateAcceleratorW/TranslateMessage/DispatchMessageW/IsDialogMessageW/GetClassLongW, timeGetTime/QueryPerformanceCounter/QueryPerformanceFrequency/Sleep, GetExitCodeProcess/WaitForSingleObject, CharUpperBuffW/CharLowerBuffW, GetFileType/GetLastError, FreeLibrary, SystemParametersInfoW, and, in the functions at 01923260 and 01923480, GetPEB, Sleep, CreateFileW, VirtualAlloc, ReadFile, VirtualFree, CloseHandle and ExitProcess.]

                Control-flow Graph

                [Graph for the function at 001242DE omitted (rendered image; executed/not-executed colouring is not recoverable from text). Its basic blocks span 001242DE-0012434D through 001637CE-001637DA and call 0012A961, GetVersionExW, 00126B57, 001293B2, 001237A0, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary and GetSystemInfo.]
                APIs
                • GetVersionExW.KERNEL32(?), ref: 0012430D
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                • GetCurrentProcess.KERNEL32(?,001BCB64,00000000,?,?), ref: 00124422
                • IsWow64Process.KERNEL32(00000000,?,?), ref: 00124429
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00124454
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00124466
                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00124474
                • FreeLibrary.KERNEL32(00000000,?,?), ref: 0012447B
                • GetSystemInfo.KERNEL32(?,?,?), ref: 001244A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                • API String ID: 3290436268-3101561225
                • Opcode ID: 094d5065cd22ef47083324d3f19056398abc39ddffeb0dfe0a247fc48ad413b5
                • Instruction ID: c3abdf9cafdb8af11f0f7afc84eb00937c5d64955fef9d13245526c9bbe6eb49
                • Opcode Fuzzy Hash: 094d5065cd22ef47083324d3f19056398abc39ddffeb0dfe0a247fc48ad413b5
                • Instruction Fuzzy Hash: B1A1B37690A6D4FFC715D76EBC411B57FE47B36320B084899E08593E22D33046D8CB61

                Control-flow Graph

                [Graph for the function at 001242A2 omitted (rendered image; executed/not-executed colouring is not recoverable from text). Its basic blocks span 001242A2-001242BA through 001635F4-00163612 and call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource.]
                APIs
                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001250AA,?,?,00000000,00000000), ref: 001242B2
                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001250AA,?,?,00000000,00000000), ref: 001242C9
                • LoadResource.KERNEL32(?,00000000,?,?,001250AA,?,?,00000000,00000000,?,?,?,?,?,?,00124F20), ref: 001635BE
                • SizeofResource.KERNEL32(?,00000000,?,?,001250AA,?,?,00000000,00000000,?,?,?,?,?,?,00124F20), ref: 001635D3
                • LockResource.KERNEL32(001250AA,?,?,001250AA,?,?,00000000,00000000,?,?,?,?,?,?,00124F20,?), ref: 001635E6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                • String ID: SCRIPT
                • API String ID: 3051347437-3967369404
                • Opcode ID: 428f94272fb98f860a886bb5abb16683bc1f49af0b26e72421e9e5e72ac88bed
                • Instruction ID: 44bdfd9a02c21108202be6c8007d177767eb84ad469f7dbed625fd358e31d01f
                • Opcode Fuzzy Hash: 428f94272fb98f860a886bb5abb16683bc1f49af0b26e72421e9e5e72ac88bed
                • Instruction Fuzzy Hash: FF118E70200700FFDB218B66EC88F677BB9EBC5B51F104269F442D6650DB71DC508A70

                Control-flow Graph

                APIs
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00122B6B
                  • Part of subcall function 00123A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001F1418,?,00122E7F,?,?,?,00000000), ref: 00123A78
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • GetForegroundWindow.USER32(runas,?,?,?,?,?,001E2224), ref: 00162C10
                • ShellExecuteW.SHELL32(00000000,?,?,001E2224), ref: 00162C17
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                • String ID: runas
                • API String ID: 448630720-4000483414
                • Opcode ID: fddec19394b79706bef20ea81c75d29b40ef7e038bf9ff3ec1539b9833cabc74
                • Instruction ID: 13cc40922d181e24f18e94405c1b5990521fe766122b97fa18f898588cbca6c3
                • Opcode Fuzzy Hash: fddec19394b79706bef20ea81c75d29b40ef7e038bf9ff3ec1539b9833cabc74
                • Instruction Fuzzy Hash: E711D031208369BAC714FF64F8529BEB7A4ABF5304F48082DF196570A2CF358A69C752
                APIs
                • lstrlenW.KERNEL32(?,00165222), ref: 0018DBCE
                • GetFileAttributesW.KERNELBASE(?), ref: 0018DBDD
                • FindFirstFileW.KERNELBASE(?,?), ref: 0018DBEE
                • FindClose.KERNEL32(00000000), ref: 0018DBFA
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FileFind$AttributesCloseFirstlstrlen
                • String ID:
                • API String ID: 2695905019-0
                • Opcode ID: 349ee09e52d48fc40039ea9e3a32fe9931e0a378abf712e8b2c89ab58f408f8a
                • Instruction ID: 5e48f3aa2cb15e881530ff6bc6688ba545e74059be4e7eee4e7dbbbc4e2ee290
                • Opcode Fuzzy Hash: 349ee09e52d48fc40039ea9e3a32fe9931e0a378abf712e8b2c89ab58f408f8a
                • Instruction Fuzzy Hash: 46F0E530810A10578220BB7CFC0D8AA376D9F06334B10474AF836C24F0EBB05E94CBD5
                APIs
                • GetInputState.USER32 ref: 0012D807
                • timeGetTime.WINMM ref: 0012DA07
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012DB28
                • TranslateMessage.USER32(?), ref: 0012DB7B
                • DispatchMessageW.USER32(?), ref: 0012DB89
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012DB9F
                • Sleep.KERNEL32(0000000A), ref: 0012DBB1
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                • String ID:
                • API String ID: 2189390790-0
                • Opcode ID: 7850efceb4d5512bf6cff7474f7da858a80589cabfbcd7e45978abf1dc127a57
                • Instruction ID: 5fbac00f0ab5aa4b80b54d1ab99c312fbbd7cdbe14c26c3f1dcd48437d549485
                • Opcode Fuzzy Hash: 7850efceb4d5512bf6cff7474f7da858a80589cabfbcd7e45978abf1dc127a57
                • Instruction Fuzzy Hash: CA421230608351EFDB29CF24E894BAAB7F0BF56304F54861DF49987691D770E8A5CB82

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00122D07
                • RegisterClassExW.USER32(00000030), ref: 00122D31
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00122D42
                • InitCommonControlsEx.COMCTL32(?), ref: 00122D5F
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00122D6F
                • LoadIconW.USER32(000000A9), ref: 00122D85
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00122D94
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: 815abbf8c29f38405c78b3f812b25213b98634304f556c88481c48e2cd4faff1
                • Instruction ID: 480ce2e535d55373855baa6a6b56fa9c8e3af5b7d9707089fa7b93dd1da49f4c
                • Opcode Fuzzy Hash: 815abbf8c29f38405c78b3f812b25213b98634304f556c88481c48e2cd4faff1
                • Instruction Fuzzy Hash: F821C2B5911318EFDB00DFA4ED89BEDBBB8FB48704F10821AF551A66A0D7B14584CF91

                Control-flow Graph

                APIs
                  • Part of subcall function 0016039A: CreateFileW.KERNELBASE(00000000,00000000,?,00160704,?,?,00000000,?,00160704,00000000,0000000C), ref: 001603B7
                • GetLastError.KERNEL32 ref: 0016076F
                • __dosmaperr.LIBCMT ref: 00160776
                • GetFileType.KERNELBASE(00000000), ref: 00160782
                • GetLastError.KERNEL32 ref: 0016078C
                • __dosmaperr.LIBCMT ref: 00160795
                • CloseHandle.KERNEL32(00000000), ref: 001607B5
                • CloseHandle.KERNEL32(?), ref: 001608FF
                • GetLastError.KERNEL32 ref: 00160931
                • __dosmaperr.LIBCMT ref: 00160938
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: 335d69e18a42338af309658d0e42e819a123c4dea79ca9814d676ad39775d564
                • Instruction ID: e2867b5e823ceb5364be7310ed73f231896a4592033f1823b48f3e161ed94cb8
                • Opcode Fuzzy Hash: 335d69e18a42338af309658d0e42e819a123c4dea79ca9814d676ad39775d564
                • Instruction Fuzzy Hash: B9A11432A141048FDF1AEF68DC51BAE7BA1AB5A320F14015DF8159B3E2DB319D62CB91

                Control-flow Graph

                APIs
                  • Part of subcall function 00123A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001F1418,?,00122E7F,?,?,?,00000000), ref: 00123A78
                  • Part of subcall function 00123357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00123379
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0012356A
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0016318D
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001631CE
                • RegCloseKey.ADVAPI32(?), ref: 00163210
                • _wcslen.LIBCMT ref: 00163277
                • _wcslen.LIBCMT ref: 00163286
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                • API String ID: 98802146-2727554177
                • Opcode ID: 0a8178bc5b115a0a3a4f8097213ad51875f6dd405d7e6dcf8cc33b65ceb3373c
                • Instruction ID: 84fee739e0e0532ad9546320e908a0b8789c5f48a9eaf749980263bed34c074d
                • Opcode Fuzzy Hash: 0a8178bc5b115a0a3a4f8097213ad51875f6dd405d7e6dcf8cc33b65ceb3373c
                • Instruction Fuzzy Hash: 3771D2B15043059FC314EF29EC819ABBBE8FFA8340F40042EF555D71A0EB349A99CB62

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00122B8E
                • LoadCursorW.USER32(00000000,00007F00), ref: 00122B9D
                • LoadIconW.USER32(00000063), ref: 00122BB3
                • LoadIconW.USER32(000000A4), ref: 00122BC5
                • LoadIconW.USER32(000000A2), ref: 00122BD7
                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00122BEF
                • RegisterClassExW.USER32(?), ref: 00122C40
                  • Part of subcall function 00122CD4: GetSysColorBrush.USER32(0000000F), ref: 00122D07
                  • Part of subcall function 00122CD4: RegisterClassExW.USER32(00000030), ref: 00122D31
                  • Part of subcall function 00122CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00122D42
                  • Part of subcall function 00122CD4: InitCommonControlsEx.COMCTL32(?), ref: 00122D5F
                  • Part of subcall function 00122CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00122D6F
                  • Part of subcall function 00122CD4: LoadIconW.USER32(000000A9), ref: 00122D85
                  • Part of subcall function 00122CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00122D94
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: ba04e8aa6ee6eac30aa7a3d7cca2afc11f116d722b8e9a7c0c7afb80d731c398
                • Instruction ID: 85aa39fef47288882a148a41836c28f3d7f06b0d1506231f1fdecd2b003aa786
                • Opcode Fuzzy Hash: ba04e8aa6ee6eac30aa7a3d7cca2afc11f116d722b8e9a7c0c7afb80d731c398
                • Instruction Fuzzy Hash: 80212C70E00315FBDB109FA6EC95AAD7FB4FB88B60F04011AF500A6AA0D7B10594CF90

                Control-flow Graph

                APIs
                • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0012316A,?,?), ref: 001231D8
                • KillTimer.USER32(?,00000001,?,?,?,?,?,0012316A,?,?), ref: 00123204
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00123227
                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0012316A,?,?), ref: 00123232
                • CreatePopupMenu.USER32 ref: 00123246
                • PostQuitMessage.USER32(00000000), ref: 00123267
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                • String ID: TaskbarCreated
                • API String ID: 129472671-2362178303
                • Opcode ID: fcb3420833ff88710ce03aea9c4c3fa08775c634106009a2ca24bada46d93d87
                • Instruction ID: 291bce9eff0b27c3defed53c1ff5859bbd2e7c4aa8a35430d3d987ecf08964ed
                • Opcode Fuzzy Hash: fcb3420833ff88710ce03aea9c4c3fa08775c634106009a2ca24bada46d93d87
                • Instruction Fuzzy Hash: 3E413B35200228FBDB186B78BD4DB79362AF745354F040125F962965E2CB7ACAB0D7E1

                Control-flow Graph

                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01923551
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01923777
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                • Instruction ID: c99e95b0b8223dee794faaa1add4bbc9945c97f8a9db3ccbd8c668cbe6895123
                • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                • Instruction Fuzzy Hash: EBA13874E00219EBDB14CFA4C895BAEBBB9BF48305F208559E609AB284C7799A40CF54

                Control-flow Graph

                APIs
                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00122C91
                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00122CB2
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00121CAD,?), ref: 00122CC6
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00121CAD,?), ref: 00122CCF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                • Opcode ID: ace82385f5488bcfa71296f5abba497f9e4d00dc6c1893268961c59306a7d952
                • Instruction ID: 5eab2cee4c423bb354819f6269661f77e76eb08a54ed3a1bac902bbf8a10c4f1
                • Opcode Fuzzy Hash: ace82385f5488bcfa71296f5abba497f9e4d00dc6c1893268961c59306a7d952
                • Instruction Fuzzy Hash: 91F0DA76540290BAEB315717AC08EB73EBDE7C7F70B00005AF900A69A0C7611890DAB0

                Control-flow Graph

                APIs
                  • Part of subcall function 01923150: Sleep.KERNELBASE(000001F4), ref: 01923161
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01923378
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateFileSleep
                • String ID: 8QD14YYAE3OFM3BM
                • API String ID: 2694422964-388373482
                • Opcode ID: b5d051d272be325655668725cfa138b92c90e9d60a8908c5ecae68e46dfd2a0c
                • Instruction ID: a0a9df6305e186dec8f63556181e4210738a6232d0dd3bb54ba2ea82991d205f
                • Opcode Fuzzy Hash: b5d051d272be325655668725cfa138b92c90e9d60a8908c5ecae68e46dfd2a0c
                • Instruction Fuzzy Hash: 9C518134D04259EBEF11DBA4C854BEEBB79BF58700F004199E608BB2C1D7B91B49CBA5

                Control-flow Graph

                APIs
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00192C05
                • DeleteFileW.KERNEL32(?), ref: 00192C87
                • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00192C9D
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00192CAE
                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00192CC0
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: File$Delete$Copy
                • String ID:
                • API String ID: 3226157194-0
                • Opcode ID: 12b9dcb50487ffdf7bb3e260b828ccb354955c19f6e3cdab2617993637ce37b3
                • Instruction ID: d8b29561e1ecd41e3f52b3fa672c0e86defac5d2111bc45b5a77fb8540989197
                • Opcode Fuzzy Hash: 12b9dcb50487ffdf7bb3e260b828ccb354955c19f6e3cdab2617993637ce37b3
                • Instruction Fuzzy Hash: 20B13B72D00129ABDF25DBA4DC85EDEBBBDEF58350F1040A6F609E7151EB309A448FA1

                Control-flow Graph

                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00123B0F,SwapMouseButtons,00000004,?), ref: 00123B40
                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00123B0F,SwapMouseButtons,00000004,?), ref: 00123B61
                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00123B0F,SwapMouseButtons,00000004,?), ref: 00123B83
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 3677997916-824357125
                • Opcode ID: e583932c248aa248c76e4ec7d314b301e5e7abe0d5d245e2b1ed4498982fe0b0
                • Instruction ID: 45fc9ff7657e97da407cd8c8547456f9f5ca79b6e30e46ce7e1b32c8e6cdede6
                • Opcode Fuzzy Hash: e583932c248aa248c76e4ec7d314b301e5e7abe0d5d245e2b1ed4498982fe0b0
                • Instruction Fuzzy Hash: 351127B5611228FFDB218FA5EC84AAEBBB8EF44744B10856AB815D7110E3359E509BA0

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 855 1922150-19221f0 call 19245c0 * 3 862 19221f2-19221fc 855->862 863 1922207 855->863 862->863 865 19221fe-1922205 862->865 864 192220e-1922217 863->864 866 192221e-19228d0 864->866 865->864 867 19228d2-19228d6 866->867 868 19228e3-1922910 CreateProcessW 866->868 869 19228d8-19228dc 867->869 870 192291c-1922949 867->870 875 1922912-1922915 868->875 876 192291a 868->876 871 1922955-1922982 869->871 872 19228de 869->872 891 1922953 870->891 892 192294b-192294e 870->892 874 192298c-19229a6 Wow64GetThreadContext 871->874 896 1922984-1922987 871->896 872->874 879 19229a8 874->879 880 19229ad-19229c8 ReadProcessMemory 874->880 881 1922d11-1922d13 875->881 876->874 882 1922cba-1922cbe 879->882 883 19229ca 880->883 884 19229cf-19229d8 880->884 889 1922cc0-1922cc4 882->889 890 1922d0f 882->890 883->882 887 1922a01-1922a20 call 1923c40 884->887 888 19229da-19229e9 884->888 903 1922a22 887->903 904 1922a27-1922a4a call 1923d80 887->904 888->887 897 19229eb-19229fa call 1923b90 888->897 893 1922cc6-1922cd2 889->893 894 1922cd9-1922cdd 889->894 890->881 891->874 892->881 893->894 899 1922ce9-1922ced 894->899 900 1922cdf-1922ce2 894->900 896->881 897->887 908 19229fc 897->908 905 1922cf9-1922cfd 899->905 906 1922cef-1922cf2 899->906 900->899 903->882 914 1922a94-1922ab5 call 1923d80 904->914 915 1922a4c-1922a53 904->915 910 1922d0a-1922d0d 905->910 911 1922cff-1922d05 call 1923b90 905->911 906->905 908->882 910->881 911->910 921 1922ab7 914->921 922 1922abc-1922ada call 19245e0 914->922 917 1922a55-1922a86 call 1923d80 915->917 918 1922a8f 915->918 925 1922a88 917->925 926 1922a8d 917->926 918->882 921->882 928 1922ae5-1922aef 922->928 925->882 926->914 929 1922af1-1922b23 call 19245e0 928->929 930 1922b25-1922b29 928->930 929->928 932 1922c14-1922c31 call 1923790 930->932 933 1922b2f-1922b3f 930->933 940 1922c33 932->940 941 1922c38-1922c57 Wow64SetThreadContext 932->941 933->932 936 1922b45-1922b55 933->936 936->932 939 1922b5b-1922b7f 936->939 942 1922b82-1922b86 939->942 940->882 944 1922c5b-1922c66 call 1923ac0 941->944 945 1922c59 941->945 942->932 943 1922b8c-1922ba1 942->943 946 1922bb5-1922bb9 943->946 951 1922c6a-1922c6e 944->951 952 1922c68 944->952 945->882 948 1922bf7-1922c0f 946->948 949 1922bbb-1922bc7 946->949 948->942 953 1922bf5 949->953 954 1922bc9-1922bf3 949->954 955 1922c70-1922c73 951->955 956 1922c7a-1922c7e 951->956 952->882 953->946 954->953 955->956 958 1922c80-1922c83 956->958 959 1922c8a-1922c8e 956->959 958->959 960 1922c90-1922c93 959->960 961 1922c9a-1922c9e 959->961 960->961 962 1922ca0-1922ca6 call 1923b90 961->962 963 1922cab-1922cb4 961->963 962->963 963->866 963->882
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 0192290B
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019229A1
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019229C3
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                • Instruction ID: 5a7f877032924a265096c8c56ea66a247cf2d231737bceaa1eec47b61eada9d0
                • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                • Instruction Fuzzy Hash: D7620C30A14258DBEB24CFA4C850BDEB776EF58300F1095A9D10DEB394E77A9E81CB59
                Strings
                • Variable must be of type 'Object'., xrefs: 001732B7
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID: Variable must be of type 'Object'.
                • API String ID: 0-109567571
                • Opcode ID: 9c4d300920f6f48052b76bc92d441db96e9f320ca924ed60b24b2aa675212201
                • Instruction ID: 91be284f43a6cc90404edfc8d11892a8c24896b78dc959c8e5649198bedb7b42
                • Opcode Fuzzy Hash: 9c4d300920f6f48052b76bc92d441db96e9f320ca924ed60b24b2aa675212201
                • Instruction Fuzzy Hash: AFC28C75A00224CFCB24CF98E884AADB7F1FF18310F258169E955AB391D371EDA1CB91
                APIs
                • __Init_thread_footer.LIBCMT ref: 0012FE66
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Init_thread_footer
                • String ID:
                • API String ID: 1385522511-0
                • Opcode ID: 99fa9ed31dba63256185867a79cfded1eaf43ff9f5b5c9f7cce478edb5ef5825
                • Instruction ID: ed32484bc06cedc764396cf89018ccafe00854e239fe8ee00f54ae9e6da8f1c5
                • Opcode Fuzzy Hash: 99fa9ed31dba63256185867a79cfded1eaf43ff9f5b5c9f7cce478edb5ef5825
                • Instruction Fuzzy Hash: F3B27C74608360CFDB28CF18E490A2AB7F1BB99300F25496DE9899B351D771EC96CB52
                APIs
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00140668
                  • Part of subcall function 001432A4: RaiseException.KERNEL32(?,?,?,0014068A,?,001F1444,?,?,?,?,?,?,0014068A,00121129,001E8738,00121129), ref: 00143304
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00140685
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Exception@8Throw$ExceptionRaise
                • String ID: Unknown exception
                • API String ID: 3476068407-410509341
                • Opcode ID: f3f774ec641e709c60d026655dea13a93357ae55535e66bd31b17ed5de10fbf4
                • Instruction ID: 599e0fe3561a2b211ed1f7002c2a6b59dc52f949c46ba9c67c9c95642166a1b5
                • Opcode Fuzzy Hash: f3f774ec641e709c60d026655dea13a93357ae55535e66bd31b17ed5de10fbf4
                • Instruction Fuzzy Hash: 81F0C23490060D77CB05BAA6EC4AC9E7B6C9F64310B604535BA28A65F1EF71DA26C980
                APIs
                • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0019302F
                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00193044
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Temp$FileNamePath
                • String ID: aut
                • API String ID: 3285503233-3010740371
                • Opcode ID: bd928c0d6546c397ebec909374e41e62f501611de3780469d6c221d1ea341562
                • Instruction ID: 990c107c187f88f62fd939b90a483238f1f9a3924f6ca386ef78a9c302e605ee
                • Opcode Fuzzy Hash: bd928c0d6546c397ebec909374e41e62f501611de3780469d6c221d1ea341562
                • Instruction Fuzzy Hash: 75D05E7290032867DA20A7A5AC0EFCBBA7CDB04750F4002A1B755E2091DBB09984CBE0
                APIs
                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001A82F5
                • TerminateProcess.KERNEL32(00000000), ref: 001A82FC
                • FreeLibrary.KERNEL32(?,?,?,?), ref: 001A84DD
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$CurrentFreeLibraryTerminate
                • String ID:
                • API String ID: 146820519-0
                • Opcode ID: 5fae4cd279a713de6d2cedd8db56d38123300602d051fda697cb2c25a0e2651a
                • Instruction ID: 8506edeeb9aa4486adf3b580475948cdb2152e1dfbb6b42f4ba80cd9cebcbb6e
                • Opcode Fuzzy Hash: 5fae4cd279a713de6d2cedd8db56d38123300602d051fda697cb2c25a0e2651a
                • Instruction Fuzzy Hash: 82126A75A083019FC714DF28C484B6ABBE5BF99318F04895DF8998B292DB31ED45CF92
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dd238382df86311fc6866d5b424968d974793ab02460c8fd923811cbe1bb76a3
                • Instruction ID: b8cc779fb84ea3ee1eb3f9f30f771fb33ada1b5d5776c96dda079acf867e9300
                • Opcode Fuzzy Hash: dd238382df86311fc6866d5b424968d974793ab02460c8fd923811cbe1bb76a3
                • Instruction Fuzzy Hash: 3351F271D00609DFCF159FA8C859FAE7BBAAF15312F140059FC21AF2A1D7719A0ACB61
                APIs
                  • Part of subcall function 00121BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00121BF4
                  • Part of subcall function 00121BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00121BFC
                  • Part of subcall function 00121BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00121C07
                  • Part of subcall function 00121BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00121C12
                  • Part of subcall function 00121BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00121C1A
                  • Part of subcall function 00121BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00121C22
                  • Part of subcall function 00121B4A: RegisterWindowMessageW.USER32(00000004,?,001212C4), ref: 00121BA2
                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0012136A
                • OleInitialize.OLE32 ref: 00121388
                • CloseHandle.KERNEL32(00000000,00000000), ref: 001624AB
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                • String ID:
                • API String ID: 1986988660-0
                • Opcode ID: c526ab1d7a254f13cbecc656d5e29b394748121ddd9861a7641886e41172f1d2
                • Instruction ID: c6c213cbe265e587cb3b38358948cab2dded59e764341593adee436046cf8148
                • Opcode Fuzzy Hash: c526ab1d7a254f13cbecc656d5e29b394748121ddd9861a7641886e41172f1d2
                • Instruction Fuzzy Hash: 3F71CDB4901304FFC784EF7ABE456B53AE1FBAA394754822AD10AD7A71EB314485CF40
                APIs
                  • Part of subcall function 00123923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00123A04
                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0018C259
                • KillTimer.USER32(?,00000001,?,?), ref: 0018C261
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0018C270
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: IconNotifyShell_Timer$Kill
                • String ID:
                • API String ID: 3500052701-0
                • Opcode ID: 3e7bfc536e5501ed444cba73e4b70c9f6e9d2e50676c646edd65d50f7a2c647f
                • Instruction ID: 637470f2a1ef96429b3f2b2abbfe3672f224a5e3d6d79f8a1e2390802466a534
                • Opcode Fuzzy Hash: 3e7bfc536e5501ed444cba73e4b70c9f6e9d2e50676c646edd65d50f7a2c647f
                • Instruction Fuzzy Hash: 98319570904354AFEB62DF648895BE7BBEDAB16304F00049AE5DA97281C7745B84CFA1
                APIs
                • CloseHandle.KERNELBASE(00000000,00000000,?,?,001585CC,?,001E8CC8,0000000C), ref: 00158704
                • GetLastError.KERNEL32(?,001585CC,?,001E8CC8,0000000C), ref: 0015870E
                • __dosmaperr.LIBCMT ref: 00158739
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CloseErrorHandleLast__dosmaperr
                • String ID:
                • API String ID: 2583163307-0
                • Opcode ID: 472b40cc5e5ff53d2ce3ca168864619f37d0090b9a3b241746a5fd55a1079524
                • Instruction ID: a777ba682a8f85707ddcf601a859e74aee1c448100535a8e458aa63f471c39d5
                • Opcode Fuzzy Hash: 472b40cc5e5ff53d2ce3ca168864619f37d0090b9a3b241746a5fd55a1079524
                • Instruction Fuzzy Hash: 64010832A056209BD7A56234E845B7E674A5B95776F290219FC38AF1E2DFA08C898190
                APIs
                • TranslateMessage.USER32(?), ref: 0012DB7B
                • DispatchMessageW.USER32(?), ref: 0012DB89
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0012DB9F
                • Sleep.KERNEL32(0000000A), ref: 0012DBB1
                • TranslateAcceleratorW.USER32(?,?,?), ref: 00171CC9
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                • String ID:
                • API String ID: 3288985973-0
                • Opcode ID: 6d32d3b1b9ab41a45b36ebd4963f4881d100d2b4483f6f0bba9a034364e630bb
                • Instruction ID: 201530ba9dcf6d1e4bcba1addb58a971e374a0d988762d84a8d3ab650a65e041
                • Opcode Fuzzy Hash: 6d32d3b1b9ab41a45b36ebd4963f4881d100d2b4483f6f0bba9a034364e630bb
                • Instruction Fuzzy Hash: 48F05E30604344ABE730CBA0EC59FEA73B8EB45350F104618E64AC34C0DB309488CB65
                APIs
                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00192CD4,?,?,?,00000004,00000001), ref: 00192FF2
                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00192CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00193006
                • CloseHandle.KERNEL32(00000000,?,00192CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0019300D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: File$CloseCreateHandleTime
                • String ID:
                • API String ID: 3397143404-0
                • Opcode ID: c23c9d80996bc281fc8faac00f1e43ec4835afa43b28aa6df0141f56a496e15f
                • Instruction ID: 2162baac2432c796b90491525e348195787862f877fbd780a89a48444c0dfada
                • Opcode Fuzzy Hash: c23c9d80996bc281fc8faac00f1e43ec4835afa43b28aa6df0141f56a496e15f
                • Instruction Fuzzy Hash: 8CE0863228021077D6302759BC0DF8B3A5CE786B71F104320F769760D047A0154142E8
                APIs
                • __Init_thread_footer.LIBCMT ref: 001317F6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Init_thread_footer
                • String ID: CALL
                • API String ID: 1385522511-4196123274
                • Opcode ID: 92a23432aa0ade656bc14b1f46174df6df79292a208157f725614e9b9d01d646
                • Instruction ID: 420476aaf5820d973e75bf53e4716d08efd4944f5d9170e80c04029d95810dc6
                • Opcode Fuzzy Hash: 92a23432aa0ade656bc14b1f46174df6df79292a208157f725614e9b9d01d646
                • Instruction Fuzzy Hash: 1A228CB0608201EFC718CF14C484B2ABBF1BF99314F19896DF49A8B361D771E955CB92
                APIs
                • _wcslen.LIBCMT ref: 00196F6B
                  • Part of subcall function 00124ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EFD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LibraryLoad_wcslen
                • String ID: >>>AUTOIT SCRIPT<<<
                • API String ID: 3312870042-2806939583
                • Opcode ID: 686230beed3528ad2c141ccd2ea08fc5962329b6a1878761181d234c386c5345
                • Instruction ID: 7dcd037e6cf6a530f46ac345216d74ac854492f3456955f67b1dbf7a54d7cecf
                • Opcode Fuzzy Hash: 686230beed3528ad2c141ccd2ea08fc5962329b6a1878761181d234c386c5345
                • Instruction Fuzzy Hash: 40B1A1311183118FCB14EF24E89196EB7E5BFA4304F44896DF496972A2EB30ED59CB92
                APIs
                • GetOpenFileNameW.COMDLG32(?), ref: 00162C8C
                  • Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2
                  • Part of subcall function 00122DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00122DC4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Name$Path$FileFullLongOpen
                • String ID: X
                • API String ID: 779396738-3081909835
                • Opcode ID: d15cd7f1b4ef741007bdd37fb96595869904a03e4276378b65469c6bdc330f12
                • Instruction ID: 71d727bc740a68a31abf388d72cee53de92a0847cfe906a690affafeade1fa25
                • Opcode Fuzzy Hash: d15cd7f1b4ef741007bdd37fb96595869904a03e4276378b65469c6bdc330f12
                • Instruction Fuzzy Hash: FC21A871A00298AFCB01EF94DC45BEE7BF8AF59314F004059E405F7241DBB85A998FA1
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 0192290B
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019229A1
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019229C3
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                • Instruction ID: 1ce5a391050a94dc28e5d55167eedbd3d72dc950c38169fcb602715446a41bfa
                • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                • Instruction Fuzzy Hash: B512BC24E24658C6EB24DF64D8507DEB232EF68300F1094E9D10DEB7A5E77A4F81CB5A
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction ID: eb75e4dc192ef99ac155202ee6393cc1b5625cd7346ddff0a9fb3486e1a78cab
                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction Fuzzy Hash: A731F374A00109DBD718CF99D484969FBB1FF49310F2596A9E80ACB656D731EDC2DBC0
                APIs
                  • Part of subcall function 00124E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E9C
                  • Part of subcall function 00124E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00124EAE
                  • Part of subcall function 00124E90: FreeLibrary.KERNEL32(00000000,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EC0
                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EFD
                  • Part of subcall function 00124E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E62
                  • Part of subcall function 00124E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00124E74
                  • Part of subcall function 00124E59: FreeLibrary.KERNEL32(00000000,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E87
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Library$Load$AddressFreeProc
                • String ID:
                • API String ID: 2632591731-0
                • Opcode ID: 768c2736e5b67dcd8c8db9d8fc2ff1e9f81a675a50cd9458fb048a0ad4b72622
                • Instruction ID: 229dfb0afe6efd1a3b48557f1a1d4097bea06424725af2dc457b70efbca43f2f
                • Opcode Fuzzy Hash: 768c2736e5b67dcd8c8db9d8fc2ff1e9f81a675a50cd9458fb048a0ad4b72622
                • Instruction Fuzzy Hash: 43113A31600225ABDF14FF64FD02FAD77A5AFA0710F10842EF542A61C1EF749E249B90
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: __wsopen_s
                • String ID:
                • API String ID: 3347428461-0
                • Opcode ID: 39988f64e5a42dab1c174354fed8eb7c1ae9b9df8030a5c3e8bad895953b2a7a
                • Instruction ID: 846d8cff31f59462a3e46bdbcdaed55a35b2dd59e54f2dc5b0b41ec79b4499ba
                • Opcode Fuzzy Hash: 39988f64e5a42dab1c174354fed8eb7c1ae9b9df8030a5c3e8bad895953b2a7a
                • Instruction Fuzzy Hash: 6411487590410AEFCB05DF58E940A9A7BF9EF48304F114059FC19AB312DB30DA25CBA4
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                • Instruction ID: e7db4f11700876db091733c6f091e6e3ffd063803d151ec1bc14ab07b5a77e71
                • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                • Instruction Fuzzy Hash: 62F0A432511A14DADB313A79DC05B9A33DCAF72336F120719F835A72E2DB74D8068AA5
                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: be4b43572b56cbb446ce85afe93eeabaed6474fca97ded6bb3622394c432cafa
                • Instruction ID: 7ffd40e25b62a93aa8806c93db49da96873ab40262bff36c0ff8669d151168fe
                • Opcode Fuzzy Hash: be4b43572b56cbb446ce85afe93eeabaed6474fca97ded6bb3622394c432cafa
                • Instruction Fuzzy Hash: B1E0E531100224E7D63926669C00B9A3648AB527F2F050325BC34AB9E0CB51DD0581E0
                APIs
                • FreeLibrary.KERNEL32(?,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124F6D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID:
                • API String ID: 3664257935-0
                • Opcode ID: b8ccedcaefe1a0a53ab7e53c25ac0c81fb3fed8c59c7be9d81e21137ae912806
                • Instruction ID: 3504facc0b8937b3beed818e0ccfb99e5bd37bde00a6f598d5b9efabe306f384
                • Opcode Fuzzy Hash: b8ccedcaefe1a0a53ab7e53c25ac0c81fb3fed8c59c7be9d81e21137ae912806
                • Instruction Fuzzy Hash: 23F03071105761CFDB389F68F590812B7E4FF54319311897EE1EA82521C7319894DF50
                APIs
                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00122DC4
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LongNamePath_wcslen
                • String ID:
                • API String ID: 541455249-0
                • Opcode ID: 03a98dbfce5ad959f6563421ad9b96753ad9d6d6771ac376705c79789d7992d5
                • Instruction ID: 19aee621cdcc0bed90cf21bc1d7eba188f6cdbefc6ce180ca12d8a63b6995ffc
                • Opcode Fuzzy Hash: 03a98dbfce5ad959f6563421ad9b96753ad9d6d6771ac376705c79789d7992d5
                • Instruction Fuzzy Hash: DFE0CD726001245BC72092589C05FDA77DDDFC8790F0401B1FD09D7248DB60AD848590
                APIs
                  • Part of subcall function 00123837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00123908
                  • Part of subcall function 0012D730: GetInputState.USER32 ref: 0012D807
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00122B6B
                  • Part of subcall function 001230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0012314E
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: IconNotifyShell_$CurrentDirectoryInputState
                • String ID:
                • API String ID: 3667716007-0
                • Opcode ID: 0092b8afd277f0f927945d8943be53a993568d6e64e273d29faec840f6d924ef
                • Instruction ID: 826114c51081a31d19feb1f72958eb6c58beb452020a4b5181e1e39abdf900f8
                • Opcode Fuzzy Hash: 0092b8afd277f0f927945d8943be53a993568d6e64e273d29faec840f6d924ef
                • Instruction Fuzzy Hash: D8E07D2130022C17C704BB74B81247DB349DBF1311F40053EF19247173CF2845B583A1
                APIs
                • CreateFileW.KERNELBASE(00000000,00000000,?,00160704,?,?,00000000,?,00160704,00000000,0000000C), ref: 001603B7
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 9f7b47823d0fc6b92c9223170a26d0050d38dcf0a524ecdae04cffafcd24f79a
                • Instruction ID: 561157d79569ac7586af0f1972e164d2ca51e728bb43fb9ad0dc70c2ad9f927a
                • Opcode Fuzzy Hash: 9f7b47823d0fc6b92c9223170a26d0050d38dcf0a524ecdae04cffafcd24f79a
                • Instruction Fuzzy Hash: 96D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014100BE1866020C732E861AB90
                APIs
                • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00121CBC
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: InfoParametersSystem
                • String ID:
                • API String ID: 3098949447-0
                • Opcode ID: e7396c59d0328b17ba927be60194ba8c58b9cd4de0ed84ebc77582ceec31209b
                • Instruction ID: 46888ee09dd54a2224ea22da113ef4584fd596137d869022d8959a534afae1c3
                • Opcode Fuzzy Hash: e7396c59d0328b17ba927be60194ba8c58b9cd4de0ed84ebc77582ceec31209b
                • Instruction Fuzzy Hash: 4DC09B36380305EFF2145780BC4AF607754B348B10F044001F60955DF3C3B11490D650
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 01923161
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction ID: e71a3a4f9f8953fe385add5626269eca15d2c5bb15fa9cfb7fa8f76f00a2d04e
                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction Fuzzy Hash: 21E09A7494010EAFDB01EFA4D54969E7BB4FF04301F1005A1FD0596681DB309A548A62
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 01923161
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction ID: fdf73dd42491fc01691b366933101527d8f29f4c2b184c3b522a22d7788c8e15
                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction Fuzzy Hash: 7EE0E67494010EDFDB00EFB4D54969E7FB4FF04301F100161FD05D2281D7309E508A62
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001B961A
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001B965B
                • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001B969F
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B96C9
                • SendMessageW.USER32 ref: 001B96F2
                • GetKeyState.USER32(00000011), ref: 001B978B
                • GetKeyState.USER32(00000009), ref: 001B9798
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001B97AE
                • GetKeyState.USER32(00000010), ref: 001B97B8
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001B97E9
                • SendMessageW.USER32 ref: 001B9810
                • SendMessageW.USER32(?,00001030,?,001B7E95), ref: 001B9918
                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001B992E
                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001B9941
                • SetCapture.USER32(?), ref: 001B994A
                • ClientToScreen.USER32(?,?), ref: 001B99AF
                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001B99BC
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001B99D6
                • ReleaseCapture.USER32 ref: 001B99E1
                • GetCursorPos.USER32(?), ref: 001B9A19
                • ScreenToClient.USER32(?,?), ref: 001B9A26
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 001B9A80
                • SendMessageW.USER32 ref: 001B9AAE
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 001B9AEB
                • SendMessageW.USER32 ref: 001B9B1A
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001B9B3B
                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 001B9B4A
                • GetCursorPos.USER32(?), ref: 001B9B68
                • ScreenToClient.USER32(?,?), ref: 001B9B75
                • GetParent.USER32(?), ref: 001B9B93
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 001B9BFA
                • SendMessageW.USER32 ref: 001B9C2B
                • ClientToScreen.USER32(?,?), ref: 001B9C84
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001B9CB4
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 001B9CDE
                • SendMessageW.USER32 ref: 001B9D01
                • ClientToScreen.USER32(?,?), ref: 001B9D4E
                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001B9D82
                  • Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952
                • GetWindowLongW.USER32(?,000000F0), ref: 001B9E05
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                • String ID: @GUI_DRAGID$@U=u$F
                • API String ID: 3429851547-1007936534
                • Opcode ID: 67bf848efc203bbbb52ee531317dc7af05e55aa304fd58fa8b5215be6a759f6a
                • Instruction ID: 345b1ed5f268085b66dd21059cd271147b266bd6f683c82729cc9143955e0917
                • Opcode Fuzzy Hash: 67bf848efc203bbbb52ee531317dc7af05e55aa304fd58fa8b5215be6a759f6a
                • Instruction Fuzzy Hash: 2F42AB74204241AFDB24CF28CC84EEABBE5FF49314F144619F699876A1D771E8A2CF91
                APIs
                • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001B48F3
                • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001B4908
                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001B4927
                • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001B494B
                • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001B495C
                • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001B497B
                • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001B49AE
                • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001B49D4
                • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001B4A0F
                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001B4A56
                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001B4A7E
                • IsMenu.USER32(?), ref: 001B4A97
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001B4AF2
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001B4B20
                • GetWindowLongW.USER32(?,000000F0), ref: 001B4B94
                • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001B4BE3
                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001B4C82
                • wsprintfW.USER32 ref: 001B4CAE
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001B4CC9
                • GetWindowTextW.USER32(?,00000000,00000001), ref: 001B4CF1
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001B4D13
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001B4D33
                • GetWindowTextW.USER32(?,00000000,00000001), ref: 001B4D5A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                • String ID: %d/%02d/%02d$@U=u
                • API String ID: 4054740463-2764005415
                • Opcode ID: 4e41ecf737c507d01f4cb848cec983eb697a2ae37f3b4eab01631e0aba8657bd
                • Instruction ID: e9f1b528d84d2350e8ebd830b49dcb8a9b630e2c01e736af79160ae34442b2b7
                • Opcode Fuzzy Hash: 4e41ecf737c507d01f4cb848cec983eb697a2ae37f3b4eab01631e0aba8657bd
                • Instruction Fuzzy Hash: 8612B171600214ABEB259F68CC49FEE7BF8EF49714F108229F516DB2E2DB749941CB90
                APIs
                • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0013F998
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0017F474
                • IsIconic.USER32(00000000), ref: 0017F47D
                • ShowWindow.USER32(00000000,00000009), ref: 0017F48A
                • SetForegroundWindow.USER32(00000000), ref: 0017F494
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0017F4AA
                • GetCurrentThreadId.KERNEL32 ref: 0017F4B1
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0017F4BD
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0017F4CE
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0017F4D6
                • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0017F4DE
                • SetForegroundWindow.USER32(00000000), ref: 0017F4E1
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F4F6
                • keybd_event.USER32(00000012,00000000), ref: 0017F501
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F50B
                • keybd_event.USER32(00000012,00000000), ref: 0017F510
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F519
                • keybd_event.USER32(00000012,00000000), ref: 0017F51E
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017F528
                • keybd_event.USER32(00000012,00000000), ref: 0017F52D
                • SetForegroundWindow.USER32(00000000), ref: 0017F530
                • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0017F557
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 4125248594-2988720461
                • Opcode ID: 7dac0dda046d377a8253058c8e9d8f5d61193d4b525ded7227cfe5d314438c5a
                • Instruction ID: 2b49455629e0fcc210cd09828da0cd977c3aa1ad74594f549e2532a0c161828c
                • Opcode Fuzzy Hash: 7dac0dda046d377a8253058c8e9d8f5d61193d4b525ded7227cfe5d314438c5a
                • Instruction Fuzzy Hash: 5E319271B40218BBEB206BB59C4AFBF7E7CEB44B50F10412AFA05E61D1C7B05D41AEA0
                APIs
                  • Part of subcall function 001816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0018170D
                  • Part of subcall function 001816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0018173A
                  • Part of subcall function 001816C3: GetLastError.KERNEL32 ref: 0018174A
                • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00181286
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001812A8
                • CloseHandle.KERNEL32(?), ref: 001812B9
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001812D1
                • GetProcessWindowStation.USER32 ref: 001812EA
                • SetProcessWindowStation.USER32(00000000), ref: 001812F4
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00181310
                  • Part of subcall function 001810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001811FC), ref: 001810D4
                  • Part of subcall function 001810BF: CloseHandle.KERNEL32(?,?,001811FC), ref: 001810E9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                • String ID: $default$winsta0
                • API String ID: 22674027-1027155976
                • Opcode ID: 3a41abfab9972e95244fd9284a7ec4fdb05067e503e93bb0d2806e10ca92456a
                • Instruction ID: e5b04adb30161900613aa485a6a7ad287be716d64b3d438535ba80019b8ca1ee
                • Opcode Fuzzy Hash: 3a41abfab9972e95244fd9284a7ec4fdb05067e503e93bb0d2806e10ca92456a
                • Instruction Fuzzy Hash: 71816D72900249BBDF11AFA4DC89FEE7BBDEF04704F144129F911A62A0D7718A86CF60
                APIs
                  • Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00181114
                  • Part of subcall function 001810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181120
                  • Part of subcall function 001810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 0018112F
                  • Part of subcall function 001810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181136
                  • Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0018114D
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00180BCC
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00180C00
                • GetLengthSid.ADVAPI32(?), ref: 00180C17
                • GetAce.ADVAPI32(?,00000000,?), ref: 00180C51
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00180C6D
                • GetLengthSid.ADVAPI32(?), ref: 00180C84
                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00180C8C
                • HeapAlloc.KERNEL32(00000000), ref: 00180C93
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00180CB4
                • CopySid.ADVAPI32(00000000), ref: 00180CBB
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00180CEA
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00180D0C
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00180D1E
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180D45
                • HeapFree.KERNEL32(00000000), ref: 00180D4C
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180D55
                • HeapFree.KERNEL32(00000000), ref: 00180D5C
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180D65
                • HeapFree.KERNEL32(00000000), ref: 00180D6C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00180D78
                • HeapFree.KERNEL32(00000000), ref: 00180D7F
                  • Part of subcall function 00181193: GetProcessHeap.KERNEL32(00000008,00180BB1,?,00000000,?,00180BB1,?), ref: 001811A1
                  • Part of subcall function 00181193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00180BB1,?), ref: 001811A8
                  • Part of subcall function 00181193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00180BB1,?), ref: 001811B7
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 4175595110-0
                • Opcode ID: b470018c7735560f8bb1c347d27127c08e86603703dcc75ef2a7fea5ee22c06a
                • Instruction ID: f4d40449ebb55edcd8f594d7e63593e0c2b865e5ffa8a8fec302258407443271
                • Opcode Fuzzy Hash: b470018c7735560f8bb1c347d27127c08e86603703dcc75ef2a7fea5ee22c06a
                • Instruction Fuzzy Hash: EC716A7690020AAFDF51EFE4DC44BAEBBB8BF08310F044615F914A7191D771AA49CFA0
                APIs
                • OpenClipboard.USER32(001BCC08), ref: 0019EB29
                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0019EB37
                • GetClipboardData.USER32(0000000D), ref: 0019EB43
                • CloseClipboard.USER32 ref: 0019EB4F
                • GlobalLock.KERNEL32(00000000), ref: 0019EB87
                • CloseClipboard.USER32 ref: 0019EB91
                • GlobalUnlock.KERNEL32(00000000), ref: 0019EBBC
                • IsClipboardFormatAvailable.USER32(00000001), ref: 0019EBC9
                • GetClipboardData.USER32(00000001), ref: 0019EBD1
                • GlobalLock.KERNEL32(00000000), ref: 0019EBE2
                • GlobalUnlock.KERNEL32(00000000), ref: 0019EC22
                • IsClipboardFormatAvailable.USER32(0000000F), ref: 0019EC38
                • GetClipboardData.USER32(0000000F), ref: 0019EC44
                • GlobalLock.KERNEL32(00000000), ref: 0019EC55
                • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0019EC77
                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0019EC94
                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0019ECD2
                • GlobalUnlock.KERNEL32(00000000), ref: 0019ECF3
                • CountClipboardFormats.USER32 ref: 0019ED14
                • CloseClipboard.USER32 ref: 0019ED59
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                • String ID:
                • API String ID: 420908878-0
                • Opcode ID: a3ec4f2d0ccbee62d66b4b343ba51579830cd8919e7b947b04d6a24d9164b6da
                • Instruction ID: f5092074ee3e2579ea1fd90e52d5f84dd155d3d6c2394673f79a5b8bea9131a9
                • Opcode Fuzzy Hash: a3ec4f2d0ccbee62d66b4b343ba51579830cd8919e7b947b04d6a24d9164b6da
                • Instruction Fuzzy Hash: 6961DF34204202AFDB00EF64D885F6AB7E4FF94714F18465DF4569B2A2DB31DD85CBA2
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 001969BE
                • FindClose.KERNEL32(00000000), ref: 00196A12
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00196A4E
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00196A75
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00196AB2
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00196ADF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                • API String ID: 3830820486-3289030164
                • Opcode ID: 99dc1f38d3ce2ae9a44988ac3f91ccff2b944a2c5c7852127ac024eb78c00f92
                • Instruction ID: 910281344aa3c180a5f4f4bc2216aad2cd40c752626eb3d48bc96cc3a52b279c
                • Opcode Fuzzy Hash: 99dc1f38d3ce2ae9a44988ac3f91ccff2b944a2c5c7852127ac024eb78c00f92
                • Instruction Fuzzy Hash: 09D16DB2508310AEC710EBA4D991EAFB7ECBF98704F44491DF585C7191EB34DA58CBA2
                APIs
                • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00199663
                • GetFileAttributesW.KERNEL32(?), ref: 001996A1
                • SetFileAttributesW.KERNEL32(?,?), ref: 001996BB
                • FindNextFileW.KERNEL32(00000000,?), ref: 001996D3
                • FindClose.KERNEL32(00000000), ref: 001996DE
                • FindFirstFileW.KERNEL32(*.*,?), ref: 001996FA
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0019974A
                • SetCurrentDirectoryW.KERNEL32(001E6B7C), ref: 00199768
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00199772
                • FindClose.KERNEL32(00000000), ref: 0019977F
                • FindClose.KERNEL32(00000000), ref: 0019978F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1409584000-438819550
                • Opcode ID: 652361b646c25fba18219bacd32aa0c4599309c3a4b610f640c9808a64127c4b
                • Instruction ID: b77beea77105e57f4d6e7d78c38ce85bda1fd6a33dc79266d50f0a97f4424448
                • Opcode Fuzzy Hash: 652361b646c25fba18219bacd32aa0c4599309c3a4b610f640c9808a64127c4b
                • Instruction Fuzzy Hash: 5131D5325006196BDF14EFF9DC48EDE77ACAF49320F14429AF805E21A1DB74DD808EA0
                APIs
                • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 001997BE
                • FindNextFileW.KERNEL32(00000000,?), ref: 00199819
                • FindClose.KERNEL32(00000000), ref: 00199824
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00199840
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00199890
                • SetCurrentDirectoryW.KERNEL32(001E6B7C), ref: 001998AE
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 001998B8
                • FindClose.KERNEL32(00000000), ref: 001998C5
                • FindClose.KERNEL32(00000000), ref: 001998D5
                  • Part of subcall function 0018DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0018DB00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 2640511053-438819550
                • Opcode ID: 93d0364eb8a7c6fe0d0df9110cf532042a911ad5274eb85d5b4b0e8a57f16916
                • Instruction ID: f6472da988dfea844d476b05e0e2077671481e715e613e3c1d71f441b3551ae8
                • Opcode Fuzzy Hash: 93d0364eb8a7c6fe0d0df9110cf532042a911ad5274eb85d5b4b0e8a57f16916
                • Instruction Fuzzy Hash: 0D31E63150065D6FDF14EFB9EC48ADE77ACAF0A320F14429EE850A21A1DB70DE84CB60
                APIs
                • GetLocalTime.KERNEL32(?), ref: 00198257
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00198267
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00198273
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00198310
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00198324
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00198356
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0019838C
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00198395
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CurrentDirectoryTime$File$Local$System
                • String ID: *.*
                • API String ID: 1464919966-438819550
                • Opcode ID: 0389702ac7c2be012d1d42ca74066716da87801004872c0834800475e2390b9c
                • Instruction ID: 99d6b002b5cd13eb233543af30c09566f026d3770dbc18e043aff0bf642723f9
                • Opcode Fuzzy Hash: 0389702ac7c2be012d1d42ca74066716da87801004872c0834800475e2390b9c
                • Instruction Fuzzy Hash: 016148725083059FCB10EF64D8819AEB3E8FF99314F04892EF999D7251DB31EA45CB92
                APIs
                  • Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2
                  • Part of subcall function 0018E199: GetFileAttributesW.KERNEL32(?,0018CF95), ref: 0018E19A
                • FindFirstFileW.KERNEL32(?,?), ref: 0018D122
                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0018D1DD
                • MoveFileW.KERNEL32(?,?), ref: 0018D1F0
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 0018D20D
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0018D237
                  • Part of subcall function 0018D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0018D21C,?,?), ref: 0018D2B2
                • FindClose.KERNEL32(00000000,?,?,?), ref: 0018D253
                • FindClose.KERNEL32(00000000), ref: 0018D264
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                • String ID: \*.*
                • API String ID: 1946585618-1173974218
                • Opcode ID: 0c8f917c5e67e9e069423705d7318f2c13a4f78a67ce28fb98b756d3a48cea06
                • Instruction ID: 6b4ec1aa91152fbf1edbb8d2dd16d390a8221f7592c5b609acd82248215f2b37
                • Opcode Fuzzy Hash: 0c8f917c5e67e9e069423705d7318f2c13a4f78a67ce28fb98b756d3a48cea06
                • Instruction Fuzzy Hash: 6D61493180121DAFCF05FBA4EA929EDB7B6AF65300F644165E402B7191EB30AF59CF60
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                • String ID:
                • API String ID: 1737998785-0
                • Opcode ID: 0a10cf2470250a767306b99e42ea477aea5fc232ac19351a80e27dc71f02d603
                • Instruction ID: d946cfb1706b4e158f48adf80b00137119e1a89e44846fab5b9b0f318396c487
                • Opcode Fuzzy Hash: 0a10cf2470250a767306b99e42ea477aea5fc232ac19351a80e27dc71f02d603
                • Instruction Fuzzy Hash: CC415B35604611AFEB20DF55E888F1ABBE5FF44328F158599E4158BB62C735EC81CBD0
                APIs
                  • Part of subcall function 001816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0018170D
                  • Part of subcall function 001816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0018173A
                  • Part of subcall function 001816C3: GetLastError.KERNEL32 ref: 0018174A
                • ExitWindowsEx.USER32(?,00000000), ref: 0018E932
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                • String ID: $ $@$SeShutdownPrivilege
                • API String ID: 2234035333-3163812486
                • Opcode ID: 9cfcfae88890e16b5c0988c4aa3182920207038e838504b68f5d6f34fa29e0f0
                • Instruction ID: f99c724e26c53a38b51f526eec161d91121b8b5768a175927c59ac430f169c67
                • Opcode Fuzzy Hash: 9cfcfae88890e16b5c0988c4aa3182920207038e838504b68f5d6f34fa29e0f0
                • Instruction Fuzzy Hash: 8E01D673E10211ABEB6436B49C86FBF729CA714758F154521F812E21E2D7E09E808FE0
                APIs
                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001A1276
                • WSAGetLastError.WSOCK32 ref: 001A1283
                • bind.WSOCK32(00000000,?,00000010), ref: 001A12BA
                • WSAGetLastError.WSOCK32 ref: 001A12C5
                • closesocket.WSOCK32(00000000), ref: 001A12F4
                • listen.WSOCK32(00000000,00000005), ref: 001A1303
                • WSAGetLastError.WSOCK32 ref: 001A130D
                • closesocket.WSOCK32(00000000), ref: 001A133C
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorLast$closesocket$bindlistensocket
                • String ID:
                • API String ID: 540024437-0
                • Opcode ID: ab1cfcc2c343dc4e14a9a4601df8a35609227dee8f0e09134949ec193d3de320
                • Instruction ID: 6659c66db9e4f4d066d2f8c2d8a2adf450ce006f5f28a488c14acbdc681911fd
                • Opcode Fuzzy Hash: ab1cfcc2c343dc4e14a9a4601df8a35609227dee8f0e09134949ec193d3de320
                • Instruction Fuzzy Hash: 4B419535600110AFD710DF64D584B69BBE6BF86328F288199E8569F3D2C771ED81CBE1
                APIs
                • _free.LIBCMT ref: 0015B9D4
                • _free.LIBCMT ref: 0015B9F8
                • _free.LIBCMT ref: 0015BB7F
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001C3700), ref: 0015BB91
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0015BC09
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001F1270,000000FF,?,0000003F,00000000,?), ref: 0015BC36
                • _free.LIBCMT ref: 0015BD4B
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                • String ID:
                • API String ID: 314583886-0
                • Opcode ID: d710069195218d603979a76bccc59d4cc08408ae2fe38941c7c1de29d4e9f82d
                • Instruction ID: f62e7b90b13982b1667175c3ea1dd7bd623b03df05ad8118d52d111d8d6ae543
                • Opcode Fuzzy Hash: d710069195218d603979a76bccc59d4cc08408ae2fe38941c7c1de29d4e9f82d
                • Instruction Fuzzy Hash: AAC11871908245EFCB249F69CC81ABA7BB9EF51311F24419AECB4EF251E7708E49C750
                APIs
                  • Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2
                  • Part of subcall function 0018E199: GetFileAttributesW.KERNEL32(?,0018CF95), ref: 0018E19A
                • FindFirstFileW.KERNEL32(?,?), ref: 0018D420
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 0018D470
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0018D481
                • FindClose.KERNEL32(00000000), ref: 0018D498
                • FindClose.KERNEL32(00000000), ref: 0018D4A1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                • String ID: \*.*
                • API String ID: 2649000838-1173974218
                • Opcode ID: bffb0805c9ce0bf42d7c8b0b23c5942a8776ad6694d0a1d114c64f9b8664d960
                • Instruction ID: 746af29eacf8953fb7ff7323f0d41ebe82f9ffa3f649dd8e6ef57548df21c912
                • Opcode Fuzzy Hash: bffb0805c9ce0bf42d7c8b0b23c5942a8776ad6694d0a1d114c64f9b8664d960
                • Instruction Fuzzy Hash: 38314B710083559FC704FF64E8918AFB7A8BFA5314F844A2DF4D592191EB30AA19CBA3
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: 4fb429846015856b474e1e23e4e97abae43d93bc7a465b73248894d0bdace243
                • Instruction ID: 746f160832940876d9737a91c4402f7aec83508a3dc949c787fa725234e74470
                • Opcode Fuzzy Hash: 4fb429846015856b474e1e23e4e97abae43d93bc7a465b73248894d0bdace243
                • Instruction Fuzzy Hash: CEC23D71E04628CFDB29CE28DD407EAB7B5EB48306F1541EAD85DEB241E774AE858F40
                APIs
                • _wcslen.LIBCMT ref: 001964DC
                • CoInitialize.OLE32(00000000), ref: 00196639
                • CoCreateInstance.OLE32(001BFCF8,00000000,00000001,001BFB68,?), ref: 00196650
                • CoUninitialize.OLE32 ref: 001968D4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 886957087-24824748
                • Opcode ID: 963c4b349d66df73711e311aaa6e7b8ac70bb74a2c1f5572718b0856c34fcc26
                • Instruction ID: 881b31be3d3c64fb674df975eb8752586d48392fe3691d27b1c75d9ca6fd8371
                • Opcode Fuzzy Hash: 963c4b349d66df73711e311aaa6e7b8ac70bb74a2c1f5572718b0856c34fcc26
                • Instruction Fuzzy Hash: ACD14871508211AFD704EF24D89196BB7E8FFA8744F00496DF5958B2A1EB70ED09CBA2
                APIs
                • GetForegroundWindow.USER32(?,?,00000000), ref: 001A22E8
                  • Part of subcall function 0019E4EC: GetWindowRect.USER32(?,?), ref: 0019E504
                • GetDesktopWindow.USER32 ref: 001A2312
                • GetWindowRect.USER32(00000000), ref: 001A2319
                • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001A2355
                • GetCursorPos.USER32(?), ref: 001A2381
                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001A23DF
                Similarity
                • API ID: Window$Rectmouse_event$CursorDesktopForeground
                • String ID:
                • API String ID: 2387181109-0
                • Opcode ID: c4cac67e86a036cee5027d8aa5136ba40ac4f90d80ecca8d88b00acc0e29bff3
                • Instruction ID: a25e4efa840e9ba5fd923f864f2e01485308aa15243dd998f9b4cb756a988b15
                • Opcode Fuzzy Hash: c4cac67e86a036cee5027d8aa5136ba40ac4f90d80ecca8d88b00acc0e29bff3
                • Instruction Fuzzy Hash: 4831AD72504315AFDB20DF58C849A9BBBE9FF8A314F000A19F98597191DB74EA48CBD2
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00199B78
                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00199C8B
                  • Part of subcall function 00193874: GetInputState.USER32 ref: 001938CB
                  • Part of subcall function 00193874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00193966
                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00199BA8
                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00199C75
                Similarity
                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                • String ID: *.*
                • API String ID: 1972594611-438819550
                • Opcode ID: 1c5d2dbe7c05a3d9838683e568fa5551f9b72e6dc69c9587ac844d46a34bd565
                • Instruction ID: 728025c3157837b87dd225bdadf8ada34333f289b725e956cf9f3deca95575c9
                • Opcode Fuzzy Hash: 1c5d2dbe7c05a3d9838683e568fa5551f9b72e6dc69c9587ac844d46a34bd565
                • Instruction Fuzzy Hash: 0841817190060A9FCF14DF68DC85AEEBBB8FF15310F24415AE815A6191EB30AE94CFA1
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00139A4E
                • GetSysColor.USER32(0000000F), ref: 00139B23
                • SetBkColor.GDI32(?,00000000), ref: 00139B36
                Similarity
                • API ID: Color$LongProcWindow
                • String ID:
                • API String ID: 3131106179-0
                • Opcode ID: 2644b2a663bd2743040f74a7ce548ddb791c734ceefcd788239cd2040ab74c50
                • Instruction ID: 1bd047291e147f060d8233a30ceba1fca7d89e9d9040f44c65d6c5b3f2432429
                • Opcode Fuzzy Hash: 2644b2a663bd2743040f74a7ce548ddb791c734ceefcd788239cd2040ab74c50
                • Instruction Fuzzy Hash: D3A10771208444FFE72DAA3D8C99EBB3AADEB42344F168309F502D7AD5CBA59D41C271
                APIs
                  • Part of subcall function 001A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001A307A
                  • Part of subcall function 001A304E: _wcslen.LIBCMT ref: 001A309B
                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001A185D
                • WSAGetLastError.WSOCK32 ref: 001A1884
                • bind.WSOCK32(00000000,?,00000010), ref: 001A18DB
                • WSAGetLastError.WSOCK32 ref: 001A18E6
                • closesocket.WSOCK32(00000000), ref: 001A1915
                Similarity
                • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                • String ID:
                • API String ID: 1601658205-0
                • Opcode ID: 05b416ceb6da20f0ea9b2724b7a7004dc8787fea53bf3609569ed735ae111005
                • Instruction ID: 5866653ccfc8bff3e6cf72c92951e84a5017ae09ec3b061f1a1982f7d2c20cba
                • Opcode Fuzzy Hash: 05b416ceb6da20f0ea9b2724b7a7004dc8787fea53bf3609569ed735ae111005
                • Instruction Fuzzy Hash: 5B51B275A00210AFDB10AF24D886F2A77E5AB59718F04805CF909AF3C3C775AD41CBE1
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                • Opcode ID: c97739ca6ffa4890e50055a39821edafbe454314dabf5f5a0efdfc64fecb62a2
                • Instruction ID: 322be36db647affece77e24d76df70d671c42453dfa536be63272603bee169f8
                • Opcode Fuzzy Hash: c97739ca6ffa4890e50055a39821edafbe454314dabf5f5a0efdfc64fecb62a2
                • Instruction Fuzzy Hash: 3221D6317402116FD7208F2AC864BAA7FA5EF95314F5A8058E845CB351C771DC42CBD0
                Similarity
                • API ID:
                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                • API String ID: 0-1546025612
                • Opcode ID: 098769f4e3a1e170cbeb0cf2f5a8510ff78c68187383213d8adaed59c7bf34c1
                • Instruction ID: 3133302ca2aa8fc4b87679c9c95ee65656de482e6c5f969902513cb5acc8344a
                • Opcode Fuzzy Hash: 098769f4e3a1e170cbeb0cf2f5a8510ff78c68187383213d8adaed59c7bf34c1
                • Instruction Fuzzy Hash: F2A29170E0162ACBDF24CF58D8507ADB7B2BF54310F2581AAE815A7385EB749DA1CF90
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 001AA6AC
                • Process32FirstW.KERNEL32(00000000,?), ref: 001AA6BA
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • Process32NextW.KERNEL32(00000000,?), ref: 001AA79C
                • CloseHandle.KERNEL32(00000000), ref: 001AA7AB
                  • Part of subcall function 0013CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00163303,?), ref: 0013CE8A
                Similarity
                • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                • String ID:
                • API String ID: 1991900642-0
                • Opcode ID: 9b43c3c8e646dde6fac3820171f52f7dcfc4c3f509e9bc91c84b02e65725a7e1
                • Instruction ID: 64ece234c2e4b908d85e104337d8fbb199fd360a35b6b750ddba9731d8b14448
                • Opcode Fuzzy Hash: 9b43c3c8e646dde6fac3820171f52f7dcfc4c3f509e9bc91c84b02e65725a7e1
                • Instruction Fuzzy Hash: 8C516D71508310AFD710EF24D886E6BBBE8FF99754F40492DF58997292EB30D914CB92
                APIs
                • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0018AAAC
                • SetKeyboardState.USER32(00000080), ref: 0018AAC8
                • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0018AB36
                • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0018AB88
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: 985bc00b0650f22d69de82ca60fd47743c4c6669bedda878b6e879fdc3d09456
                • Instruction ID: 81d7c3c0e403a78bdb3671c8fdeb1c7bce703139dddf4bd962ea7d695adef840
                • Opcode Fuzzy Hash: 985bc00b0650f22d69de82ca60fd47743c4c6669bedda878b6e879fdc3d09456
                • Instruction Fuzzy Hash: 0831F630A40648AFFB35AA648C05BFA7BA6AF54310F84421BF581565D1D3759B81CFA2
                APIs
                • InternetReadFile.WININET(?,?,00000400,?), ref: 0019CE89
                • GetLastError.KERNEL32(?,00000000), ref: 0019CEEA
                • SetEvent.KERNEL32(?,?,00000000), ref: 0019CEFE
                Similarity
                • API ID: ErrorEventFileInternetLastRead
                • String ID:
                • API String ID: 234945975-0
                • Opcode ID: 5c1f613a83d18bc3a61fd14a5be40d6108fa2638306860d86037c223ec1a09f9
                • Instruction ID: e779623dca7de3d97eebdab8b009b3c9d5d182454de9e8144f6f2a4625b4b67f
                • Opcode Fuzzy Hash: 5c1f613a83d18bc3a61fd14a5be40d6108fa2638306860d86037c223ec1a09f9
                • Instruction Fuzzy Hash: 2321AF715007059BDF30DF65D948BA77BFCEB50354F10442EE586D2551E770EE448BA0
                APIs
                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 001882AA
                Similarity
                • API ID: lstrlen
                • String ID: ($|
                • API String ID: 1659193697-1631851259
                • Opcode ID: 64a1f908f4833f7655e590b51d82b9c36e10cf1f6b3a5b6ecf17aad9d5dc2155
                • Instruction ID: 44a529a391c755a513cc1d31dd708a5a99fb85923bfda1c19085c0ab6601009a
                • Opcode Fuzzy Hash: 64a1f908f4833f7655e590b51d82b9c36e10cf1f6b3a5b6ecf17aad9d5dc2155
                • Instruction Fuzzy Hash: 73323574A006059FCB28DF59C481A6AB7F0FF48710B55C56EE99ADB3A1EB70EA41CF40
                APIs
                • IsDebuggerPresent.KERNEL32 ref: 0015271A
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00152724
                • UnhandledExceptionFilter.KERNEL32(?), ref: 00152731
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 392857bd5ca7e7dd0a91c2dbbdb20f4839c45b460ede267a00a58f2cd147def1
                • Instruction ID: f397925927d94b7ab617e18341f97f55f857218b74c087237832fa348e42f402
                • Opcode Fuzzy Hash: 392857bd5ca7e7dd0a91c2dbbdb20f4839c45b460ede267a00a58f2cd147def1
                • Instruction Fuzzy Hash: 7731B5759112289BCB21DF65DC89B9DB7B8BF18310F5042EAE81CA7261E7309F858F85
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 001951DA
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00195238
                • SetErrorMode.KERNEL32(00000000), ref: 001952A1
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID:
                • API String ID: 1682464887-0
                • Opcode ID: dbc4cbe5bb4a06644fa2b53f8ae70fab88f18df061d8e2d2cdb45ff7bfe236c2
                • Instruction ID: 815132e643078304f1075c2562d507da3b25f7925b57d82c89f941116037c83b
                • Opcode Fuzzy Hash: dbc4cbe5bb4a06644fa2b53f8ae70fab88f18df061d8e2d2cdb45ff7bfe236c2
                • Instruction Fuzzy Hash: CE314F75A00518DFDB00DF58D884EADBBF5FF49314F088099E905AB3A2DB31E855CBA0
                APIs
                  • Part of subcall function 0013FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00140668
                  • Part of subcall function 0013FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00140685
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0018170D
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0018173A
                • GetLastError.KERNEL32 ref: 0018174A
                Similarity
                • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                • String ID:
                • API String ID: 577356006-0
                • Opcode ID: 8a53685aea80e686445627908c5cdfcbfb5e7d1f10125aec50f3286f554c2659
                • Instruction ID: 4a7a3253c4f1d31ce5000f3d2b71d800113a2d00a819125171f4ff2fc8ee7a30
                • Opcode Fuzzy Hash: 8a53685aea80e686445627908c5cdfcbfb5e7d1f10125aec50f3286f554c2659
                • Instruction Fuzzy Hash: DD118FB2804204BFD718AF54DCC6D6BB7BDEB44714B20852EF05656641EB70BD428B60
                APIs
                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0018D608
                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0018D645
                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0018D650
                Similarity
                • API ID: CloseControlCreateDeviceFileHandle
                • String ID:
                • API String ID: 33631002-0
                • Opcode ID: 7e81cb8f164363459a962e05798c6dc1ede7116b83ca128798bdd6c788f954dd
                • Instruction ID: e5fc82969249dba9dd82f77090a8ea5a1c48332e757b71054a05e50dbc936541
                • Opcode Fuzzy Hash: 7e81cb8f164363459a962e05798c6dc1ede7116b83ca128798bdd6c788f954dd
                • Instruction Fuzzy Hash: D7113C75E05228BBDB109F99AC45FAFBBBCEB45B50F108165F904E7290D7704A058BA1
                APIs
                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0018168C
                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001816A1
                • FreeSid.ADVAPI32(?), ref: 001816B1
                Similarity
                • API ID: AllocateCheckFreeInitializeMembershipToken
                • String ID:
                • API String ID: 3429775523-0
                • Opcode ID: 92ce790589831309ea4204981b9e28560b790c70c1aa7bd6bc36d959d1912db1
                • Instruction ID: bf2bc4cc9cb81b1205d73383998e93cc6872196c53a2a7017b915853cfd065da
                • Opcode Fuzzy Hash: 92ce790589831309ea4204981b9e28560b790c70c1aa7bd6bc36d959d1912db1
                • Instruction Fuzzy Hash: DEF0F475950309FBDB00EFE49C89AAEBBBCFB08604F504565F501E2181E774AA448BA0
                APIs
                • GetCurrentProcess.KERNEL32(001528E9,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002,00000000,?,001528E9), ref: 00144D09
                • TerminateProcess.KERNEL32(00000000,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002,00000000,?,001528E9), ref: 00144D10
                • ExitProcess.KERNEL32 ref: 00144D22
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: 0f873a0014678214bd9e15702efd001de2e42ba7ce93d948ae4ac31adfcac7c9
                • Instruction ID: 43b5ed85a33bd6ec6ae69aed4394d564b53066c380a18414e738aae84f8ad8ad
                • Opcode Fuzzy Hash: 0f873a0014678214bd9e15702efd001de2e42ba7ce93d948ae4ac31adfcac7c9
                • Instruction Fuzzy Hash: 6BE0B631400148ABCF11AF94DD09A583BA9FB61781B504118FC199B532CB35DE82CA80
                Similarity
                • API ID:
                • String ID: /
                • API String ID: 0-2043925204
                • Opcode ID: abbdd0c2a5aac0d3bf3d1fcaf51f6ee3d424d371750456bef02b3a30869a2313
                • Instruction ID: 8b09d7a1e52098f5616f3eddce37dc49bb5ef856826bc7fc1d8a477a270ef16d
                • Opcode Fuzzy Hash: abbdd0c2a5aac0d3bf3d1fcaf51f6ee3d424d371750456bef02b3a30869a2313
                • Instruction Fuzzy Hash: 12412576900319AFCB209FB9CC89EAB77B8EB84315F504269FD25CB180E7709D85CB90
                APIs
                • GetUserNameW.ADVAPI32(?,?), ref: 0017D28C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: NameUser
                • String ID: X64
                • API String ID: 2645101109-893830106
                • Opcode ID: 8083bb1872d50a071596c1e30f534ffc844add43892cfe2b308859fdeafdb166
                • Instruction ID: 58307c09aa05782779e1b1cda2c68a03a2ac4a041f45fb5ecdf200f93136d291
                • Opcode Fuzzy Hash: 8083bb1872d50a071596c1e30f534ffc844add43892cfe2b308859fdeafdb166
                • Instruction Fuzzy Hash: 45D0CAB880112DEBCB98DBA0EC88DDEB3BCBB04305F104292F50AA2000DB3096898F20
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                • Instruction ID: 3846bd230a83d64b55642a663d285274888a038264f546b717da61cc04ebd6d5
                • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                • Instruction Fuzzy Hash: E9023C71E012199FDF54CFA9C8806AEFBF1EF98314F25816AD819E7390D731AA418BC0
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00196918
                • FindClose.KERNEL32(00000000), ref: 00196961
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: ad60862d6533aa4714358047567f18915e5fdfef97ed4ca59de9f31ca909db72
                • Instruction ID: 525b821c35d1e7f83aa7e890bbe1516b8d34a51029f1e79b6f497aa0e96e80e4
                • Opcode Fuzzy Hash: ad60862d6533aa4714358047567f18915e5fdfef97ed4ca59de9f31ca909db72
                • Instruction Fuzzy Hash: AA1190316042109FCB10DF29D484A1ABBE5FF89328F14C699E4698F6A2C730EC45CBE1
                APIs
                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001A4891,?,?,00000035,?), ref: 001937E4
                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001A4891,?,?,00000035,?), ref: 001937F4
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                • Opcode ID: 9f2619278e7b2e2580d38135ca3446935fcad0206124e039c53330f7d3de7230
                • Instruction ID: cd230ec8e77a8dc2450f37d476c7930057f794b9d83113f89f0c960730cbc5df
                • Opcode Fuzzy Hash: 9f2619278e7b2e2580d38135ca3446935fcad0206124e039c53330f7d3de7230
                • Instruction Fuzzy Hash: ECF0E5B06042282AEB2017A69C4DFEB3AAEEFC4761F000265F509D2291DB609944C6F0
                APIs
                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0018B25D
                • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 0018B270
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: InputSendkeybd_event
                • String ID:
                • API String ID: 3536248340-0
                • Opcode ID: 163e130068960287cadb5ac97a0a7111e2f33c0fa831bf7107b78e17b0fd7bfd
                • Instruction ID: cad6b3454081e8d8c44b810cc3f891b73ea0b8aeee5bbe3df326446f66a6abc0
                • Opcode Fuzzy Hash: 163e130068960287cadb5ac97a0a7111e2f33c0fa831bf7107b78e17b0fd7bfd
                • Instruction Fuzzy Hash: 16F01D7190428EABDB159FA4C805BEE7BB4FF04305F008019F955A5191C77996519F94
                APIs
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001811FC), ref: 001810D4
                • CloseHandle.KERNEL32(?,?,001811FC), ref: 001810E9
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AdjustCloseHandlePrivilegesToken
                • String ID:
                • API String ID: 81990902-0
                • Opcode ID: ee1bf5bddbea3f79817b2c459c3b812351694b67474e2a979eb015ba275a5028
                • Instruction ID: 61b2b7762770d4ea3e4452b9f15eeba87594be96debea47abf7fb8cf834fae7a
                • Opcode Fuzzy Hash: ee1bf5bddbea3f79817b2c459c3b812351694b67474e2a979eb015ba275a5028
                • Instruction Fuzzy Hash: 93E0BF72418610AFE7252B51FC09E7777E9EB04310F14892DF5A5804B5DB626CD1DB50
                Strings
                • Variable is not of type 'Object'., xrefs: 00170C40
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID: Variable is not of type 'Object'.
                • API String ID: 0-1840281001
                • Opcode ID: ca6e1e836fdb0199519638f616895fa37dd31d28bb7fdb1302b0019b29fcb468
                • Instruction ID: 6cefd2a10dab6e803625ce2ea303896b610e2c12ad784e8c8071a88d22a040d7
                • Opcode Fuzzy Hash: ca6e1e836fdb0199519638f616895fa37dd31d28bb7fdb1302b0019b29fcb468
                • Instruction Fuzzy Hash: 4C32B170900328DFCF19DF94E981AEDB7B5FF19304F108059E90AAB292DB75AE55CB90
                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00156766,?,?,00000008,?,?,0015FEFE,00000000), ref: 00156998
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: 8aa73c97dd24231093cf8f0760e4c2e2f67f5fe124fa704050b27b0f0d6ac94e
                • Instruction ID: 6bd881c4721d3dc923cce31f9bb39be517af0e2ac97cc57638b1ec1cae1a9e14
                • Opcode Fuzzy Hash: 8aa73c97dd24231093cf8f0760e4c2e2f67f5fe124fa704050b27b0f0d6ac94e
                • Instruction Fuzzy Hash: 93B16D31610608DFD719CF28C486B657BE0FF45366F658658ECA9CF2A2C335D999CB80
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: 8f4ce0bd991bd10298d117874f8e0fabf10ff6abfeaded1d01b1e82c1cb0712a
                • Instruction ID: fb462d34d0efbf62e0b9da2e664b2ec2e0aeb1e776116bf3b3fd4ede14a550a8
                • Opcode Fuzzy Hash: 8f4ce0bd991bd10298d117874f8e0fabf10ff6abfeaded1d01b1e82c1cb0712a
                • Instruction Fuzzy Hash: 63125E71E042299BCB14CF58C881BEEB7F5FF48710F15819AE949EB255EB349E81CB90
                APIs
                • BlockInput.USER32(00000001), ref: 0019EABD
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                • Opcode ID: 64cb8b9975b0676b3f5411ad1bab0a491e1463939831f16b78caa72fdbd166a6
                • Instruction ID: 5f2f7d4659029419db18c955daca9d8e3b8e7c7b20e7b64dcf76816c0cead671
                • Opcode Fuzzy Hash: 64cb8b9975b0676b3f5411ad1bab0a491e1463939831f16b78caa72fdbd166a6
                • Instruction Fuzzy Hash: 72E04F312002149FDB10EF59E844E9AF7E9AFA8760F048426FD49CB361DB70E8418BE0
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001403EE), ref: 001409DA
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: a6ff5ba3592d3e7f5ce860258c9a36ebcebac4fd9076e4ac1dafbfa639b19007
                • Instruction ID: 83cce5d77c1433a6702f48b1d031cb63cb822b203a2c4ab72f1c96b9eb4041be
                • Opcode Fuzzy Hash: a6ff5ba3592d3e7f5ce860258c9a36ebcebac4fd9076e4ac1dafbfa639b19007
                • Instruction Fuzzy Hash:
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                • Instruction ID: d0aa600431a40360402e13087e443fc2722c40f1d2892211d9da8c8db4bbcb6e
                • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                • Instruction Fuzzy Hash: DB51897160C70B9BDF3C8578C85E7BE63899B22358F180919D886D72F2C715DE06D352
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1cce2854834173eb4d678fe795111fbea7082152880a6910a873b6c91c2ccf56
                • Instruction ID: ab9656c980cb12d4d99b19aa1c0c8e5e43d693c2290af8cf09d701ea95d33f4f
                • Opcode Fuzzy Hash: 1cce2854834173eb4d678fe795111fbea7082152880a6910a873b6c91c2ccf56
                • Instruction Fuzzy Hash: 4732D222D29F418ED7239634D822335A649AFB73D6F15D737E82AB9DA5EB29C4C34100
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 69b9a0cae9e09a2de7062e7e764208407016b5591757cb25a4b4b0a0dbdbfa30
                • Instruction ID: 4dbf0172358f63f8dd138a5a7771bbaf1f055c43cd98d23800fedef7c4e88aba
                • Opcode Fuzzy Hash: 69b9a0cae9e09a2de7062e7e764208407016b5591757cb25a4b4b0a0dbdbfa30
                • Instruction Fuzzy Hash: 0432F032A041558BCF28CE69C4D46BD7BB1EB45310F29C56EE85EAB291E730DD82DBC1
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 40d0894a800148d5e8e92324eea4504004e40a98e1508f4b4545587d14b3879f
                • Instruction ID: 32d775d99d1f3a8bb32498fce3b4b15a478e8a315ab00a2e671cb7dbef2903da
                • Opcode Fuzzy Hash: 40d0894a800148d5e8e92324eea4504004e40a98e1508f4b4545587d14b3879f
                • Instruction Fuzzy Hash: 9A22D370A0061ADFDF14CFA5D881AAEB3F2FF54300F144529E816A7291EB369D61CB50
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dfb278c9c212f0e5dae349ece22a11e60b6267a1a03d34e9ae85aaa943e54768
                • Instruction ID: 02a60f9fdb2658b4ffc6efbb9ba1437258db268c26fded7b96f7fa0bf09a16ed
                • Opcode Fuzzy Hash: dfb278c9c212f0e5dae349ece22a11e60b6267a1a03d34e9ae85aaa943e54768
                • Instruction Fuzzy Hash: 5D02A4B5E00219EFDF04DF64D881AAEB7F1FF54304F118169E8169B291EB31AA61CB91
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                • Instruction ID: 46bbf12745adb90e07f851f838487eb3025361aa820a312ef5d1967160b1f8c8
                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                • Instruction Fuzzy Hash: 489132722090E35ADB6D467A857403EFFF19B923A631A079ED4F2CB1E1FF248594D620
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a1eb590d0f234c92f5196340be234bb407b127b054ac73eb4b4713c6c05604cf
                • Instruction ID: 56283ea5f5ceeb7d19ec90b40f298e5967875f88a3a32f5582d13097bcc2c4ea
                • Opcode Fuzzy Hash: a1eb590d0f234c92f5196340be234bb407b127b054ac73eb4b4713c6c05604cf
                • Instruction Fuzzy Hash: AA617A7160874A9ADE38AA288D95BBE2394DF51704F280D1EF983DB2F1DB11DE42C356
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                • Instruction ID: 8ff9064fce29b3725439a2bdd95fed567a98ee66780120b9c5a824b04da9fcf2
                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                • Instruction Fuzzy Hash: 198173336080E359DB6D427AC53443EFFE15B923A631A079DD4F2CA1E1EF248594E620
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                • Instruction ID: ba30dfdcc307d39b1b2175c3f756dbec1d597fd12d1bb01bae46d14f2417f17c
                • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                • Instruction Fuzzy Hash: EB41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6af327a9fe5a7945e9df43d1e51e623e3dcc37223dfa121cf9125844fc5c15d8
                • Instruction ID: a55996455f96ecab6f89a8ca4478cbcdf5a61b1e2e21111683939cedcccffb80
                • Opcode Fuzzy Hash: 6af327a9fe5a7945e9df43d1e51e623e3dcc37223dfa121cf9125844fc5c15d8
                • Instruction Fuzzy Hash: 1321BB326205158BDB28CF79C81367E73E5A754320F19862EE4A7C37D1DE35AD44C780
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                • Instruction ID: 16aacab7a484ce3354e8020d792cd8b8c565b5a88a85582308cae03ae27cca8e
                • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                • Instruction Fuzzy Hash: 5D019278A01209EFCB44DF98D6909AEF7F5FF48310F208599E919A7305D730AE51DB80
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                • Instruction ID: 1587b091e4f71b08d801bdea6b96dab571c9f40dc06eb7c4ede271da1faa0d25
                • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                • Instruction Fuzzy Hash: 13019278A00209EFCB48DF98C6909AEF7B5FB48310F208599D919A7305E730AE41DB80
                Memory Dump Source
                • Source File: 00000000.00000002.1393030386.0000000001920000.00000040.00000020.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1920000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                APIs
                • DeleteObject.GDI32(00000000), ref: 001A2B30
                • DeleteObject.GDI32(00000000), ref: 001A2B43
                • DestroyWindow.USER32 ref: 001A2B52
                • GetDesktopWindow.USER32 ref: 001A2B6D
                • GetWindowRect.USER32(00000000), ref: 001A2B74
                • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001A2CA3
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001A2CB1
                • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2CF8
                • GetClientRect.USER32(00000000,?), ref: 001A2D04
                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001A2D40
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D62
                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D75
                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D80
                • GlobalLock.KERNEL32(00000000), ref: 001A2D89
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2D98
                • GlobalUnlock.KERNEL32(00000000), ref: 001A2DA1
                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2DA8
                • GlobalFree.KERNEL32(00000000), ref: 001A2DB3
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2DC5
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,001BFC38,00000000), ref: 001A2DDB
                • GlobalFree.KERNEL32(00000000), ref: 001A2DEB
                • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001A2E11
                • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001A2E30
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A2E52
                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001A303F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                • String ID: $@U=u$AutoIt v3$DISPLAY$static
                • API String ID: 2211948467-3613752883
                • Opcode ID: cd4114e9e80147eec0a610ec1f60b09a503ff65d24e0173696afaf8c092c1cb8
                • Instruction ID: 05afcb2bc5cc7bf6e99c6f5b5279174b68c5000f525a0c3d0debc6b7dd5a30d4
                • Opcode Fuzzy Hash: cd4114e9e80147eec0a610ec1f60b09a503ff65d24e0173696afaf8c092c1cb8
                • Instruction Fuzzy Hash: B7025D75900215EFDB14DF68DC89EAE7BB9FB49720F008158F915AB2A1C770ED41CBA0
                APIs
                • SetTextColor.GDI32(?,00000000), ref: 001B712F
                • GetSysColorBrush.USER32(0000000F), ref: 001B7160
                • GetSysColor.USER32(0000000F), ref: 001B716C
                • SetBkColor.GDI32(?,000000FF), ref: 001B7186
                • SelectObject.GDI32(?,?), ref: 001B7195
                • InflateRect.USER32(?,000000FF,000000FF), ref: 001B71C0
                • GetSysColor.USER32(00000010), ref: 001B71C8
                • CreateSolidBrush.GDI32(00000000), ref: 001B71CF
                • FrameRect.USER32(?,?,00000000), ref: 001B71DE
                • DeleteObject.GDI32(00000000), ref: 001B71E5
                • InflateRect.USER32(?,000000FE,000000FE), ref: 001B7230
                • FillRect.USER32(?,?,?), ref: 001B7262
                • GetWindowLongW.USER32(?,000000F0), ref: 001B7284
                  • Part of subcall function 001B73E8: GetSysColor.USER32(00000012), ref: 001B7421
                  • Part of subcall function 001B73E8: SetTextColor.GDI32(?,?), ref: 001B7425
                  • Part of subcall function 001B73E8: GetSysColorBrush.USER32(0000000F), ref: 001B743B
                  • Part of subcall function 001B73E8: GetSysColor.USER32(0000000F), ref: 001B7446
                  • Part of subcall function 001B73E8: GetSysColor.USER32(00000011), ref: 001B7463
                  • Part of subcall function 001B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001B7471
                  • Part of subcall function 001B73E8: SelectObject.GDI32(?,00000000), ref: 001B7482
                  • Part of subcall function 001B73E8: SetBkColor.GDI32(?,00000000), ref: 001B748B
                  • Part of subcall function 001B73E8: SelectObject.GDI32(?,?), ref: 001B7498
                  • Part of subcall function 001B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001B74B7
                  • Part of subcall function 001B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001B74CE
                  • Part of subcall function 001B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001B74DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                • String ID: @U=u
                • API String ID: 4124339563-2594219639
                • Opcode ID: b545bed3657be096c73e18c73882873d1f323a7104d66d7a3f802f9e88f6dff7
                • Instruction ID: 5a4235c85e35af18e26a2a71318a5c2967c56ecd9a0d4767248d2157c4ba3158
                • Opcode Fuzzy Hash: b545bed3657be096c73e18c73882873d1f323a7104d66d7a3f802f9e88f6dff7
                • Instruction Fuzzy Hash: 73A17172108301FFD7119F64DC48E9B7BA9FB89321F100B19F9A2A65E1D771E984CBA1
                APIs
                • DestroyWindow.USER32(?,?), ref: 00138E14
                • SendMessageW.USER32(?,00001308,?,00000000), ref: 00176AC5
                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00176AFE
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00176F43
                  • Part of subcall function 00138F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00138BE8,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 00138FC5
                • SendMessageW.USER32(?,00001053), ref: 00176F7F
                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00176F96
                • ImageList_Destroy.COMCTL32(00000000,?), ref: 00176FAC
                • ImageList_Destroy.COMCTL32(00000000,?), ref: 00176FB7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                • String ID: 0$@U=u
                • API String ID: 2760611726-975001249
                • Opcode ID: ff3b7037648ef10357ded40dd8fce9edaa1946a1087395bf3b8029f5a9347f93
                • Instruction ID: 58a0cba8b3783673c4424de00a552fb212ecfed3d8382729a13cfa5c94080ebf
                • Opcode Fuzzy Hash: ff3b7037648ef10357ded40dd8fce9edaa1946a1087395bf3b8029f5a9347f93
                • Instruction Fuzzy Hash: 8B128930200A01EFDB25DF24C894BBABBB5FB59314F148569F489DB661CB71EC92CB91
                APIs
                • DestroyWindow.USER32(00000000), ref: 001A273E
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001A286A
                • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001A28A9
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001A28B9
                • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001A2900
                • GetClientRect.USER32(00000000,?), ref: 001A290C
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001A2955
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001A2964
                • GetStockObject.GDI32(00000011), ref: 001A2974
                • SelectObject.GDI32(00000000,00000000), ref: 001A2978
                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001A2988
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A2991
                • DeleteDC.GDI32(00000000), ref: 001A299A
                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001A29C6
                • SendMessageW.USER32(00000030,00000000,00000001), ref: 001A29DD
                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001A2A1D
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001A2A31
                • SendMessageW.USER32(00000404,00000001,00000000), ref: 001A2A42
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001A2A77
                • GetStockObject.GDI32(00000011), ref: 001A2A82
                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001A2A8D
                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001A2A97
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-2771358697
                • Opcode ID: 7ab551c60beff9cbf1b8cb88d98493027a932679e33a635ecf87ced6643cb8dd
                • Instruction ID: 5edbee69bcf63aea96ed376f09cc3a6da2a6e67ec2ad56d537ea89647ffc4485
                • Opcode Fuzzy Hash: 7ab551c60beff9cbf1b8cb88d98493027a932679e33a635ecf87ced6643cb8dd
                • Instruction Fuzzy Hash: 60B14A75A00215BFEB14DFA8DC89EAEBBA9FB59710F004214F915EB690D774AD40CBA0
                APIs
                • GetSysColor.USER32(00000012), ref: 001B7421
                • SetTextColor.GDI32(?,?), ref: 001B7425
                • GetSysColorBrush.USER32(0000000F), ref: 001B743B
                • GetSysColor.USER32(0000000F), ref: 001B7446
                • CreateSolidBrush.GDI32(?), ref: 001B744B
                • GetSysColor.USER32(00000011), ref: 001B7463
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 001B7471
                • SelectObject.GDI32(?,00000000), ref: 001B7482
                • SetBkColor.GDI32(?,00000000), ref: 001B748B
                • SelectObject.GDI32(?,?), ref: 001B7498
                • InflateRect.USER32(?,000000FF,000000FF), ref: 001B74B7
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001B74CE
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001B74DB
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001B752A
                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001B7554
                • InflateRect.USER32(?,000000FD,000000FD), ref: 001B7572
                • DrawFocusRect.USER32(?,?), ref: 001B757D
                • GetSysColor.USER32(00000011), ref: 001B758E
                • SetTextColor.GDI32(?,00000000), ref: 001B7596
                • DrawTextW.USER32(?,001B70F5,000000FF,?,00000000), ref: 001B75A8
                • SelectObject.GDI32(?,?), ref: 001B75BF
                • DeleteObject.GDI32(?), ref: 001B75CA
                • SelectObject.GDI32(?,?), ref: 001B75D0
                • DeleteObject.GDI32(?), ref: 001B75D5
                • SetTextColor.GDI32(?,?), ref: 001B75DB
                • SetBkColor.GDI32(?,?), ref: 001B75E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID: @U=u
                • API String ID: 1996641542-2594219639
                • Opcode ID: 562b41e05383ba08a4a519ba39db30a35b4398158a39347a10c8c7df2483bad8
                • Instruction ID: 2710bece66ac9bfab409d7c4091621725842047d6d849ac57e49c3521d4aa3d8
                • Opcode Fuzzy Hash: 562b41e05383ba08a4a519ba39db30a35b4398158a39347a10c8c7df2483bad8
                • Instruction Fuzzy Hash: 9A614E72904218AFDF119FA8DC49EEE7FB9EB48320F114215F915BB2E1D7749980CBA0
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00194AED
                • GetDriveTypeW.KERNEL32(?,001BCB68,?,\\.\,001BCC08), ref: 00194BCA
                • SetErrorMode.KERNEL32(00000000,001BCB68,?,\\.\,001BCC08), ref: 00194D36
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorMode$DriveType
                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                • API String ID: 2907320926-4222207086
                • Opcode ID: 0acfb6b8ad48e8c7238b65a70927f685f456bc9deea72d83586d09963ecfb858
                • Instruction ID: 42aaae9a6191e4b0e4d55ce0f82e833a998dd18872464e12f6d9cf00e143bcc4
                • Opcode Fuzzy Hash: 0acfb6b8ad48e8c7238b65a70927f685f456bc9deea72d83586d09963ecfb858
                • Instruction Fuzzy Hash: 5D61E030605649DFCF08DF69DA82D6DB7B0BF28380BA48055F806AB691DB35ED42DB81
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 001B02E5
                • _wcslen.LIBCMT ref: 001B031F
                • _wcslen.LIBCMT ref: 001B0389
                • _wcslen.LIBCMT ref: 001B03F1
                • _wcslen.LIBCMT ref: 001B0475
                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001B04C5
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001B0504
                  • Part of subcall function 0013F9F2: _wcslen.LIBCMT ref: 0013F9FD
                  • Part of subcall function 0018223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00182258
                  • Part of subcall function 0018223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0018228A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$MessageSend$BuffCharUpper
                • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                • API String ID: 1103490817-1753161424
                • Opcode ID: 8c3c6c338ed3cec13037e807c94cfa3ffcac7ff95805479e1ef93f40b9eb4480
                • Instruction ID: 989f0ec50f0ed213f68e93e929d485d4b632865859044ae37c81f17e010c1709
                • Opcode Fuzzy Hash: 8c3c6c338ed3cec13037e807c94cfa3ffcac7ff95805479e1ef93f40b9eb4480
                • Instruction Fuzzy Hash: 28E19D312086518FC725DF24D5909AFB3E6BF9C314B144A6CF896AB6A1DB30ED46CB81
                APIs
                • GetCursorPos.USER32(?), ref: 001B1128
                • GetDesktopWindow.USER32 ref: 001B113D
                • GetWindowRect.USER32(00000000), ref: 001B1144
                • GetWindowLongW.USER32(?,000000F0), ref: 001B1199
                • DestroyWindow.USER32(?), ref: 001B11B9
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001B11ED
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001B120B
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001B121D
                • SendMessageW.USER32(00000000,00000421,?,?), ref: 001B1232
                • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001B1245
                • IsWindowVisible.USER32(00000000), ref: 001B12A1
                • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001B12BC
                • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001B12D0
                • GetWindowRect.USER32(00000000,?), ref: 001B12E8
                • MonitorFromPoint.USER32(?,?,00000002), ref: 001B130E
                • GetMonitorInfoW.USER32(00000000,?), ref: 001B1328
                • CopyRect.USER32(?,?), ref: 001B133F
                • SendMessageW.USER32(00000000,00000412,00000000), ref: 001B13AA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                • String ID: ($0$tooltips_class32
                • API String ID: 698492251-4156429822
                • Opcode ID: f950bdfd0e60f815b4f717c26da191338639fd1a12f29a337143e271a75d84e0
                • Instruction ID: 04a2d68bdf00be5fa519ca9c783fd7ed85745ef0548c8dcd2c642dc00a224aed
                • Opcode Fuzzy Hash: f950bdfd0e60f815b4f717c26da191338639fd1a12f29a337143e271a75d84e0
                • Instruction Fuzzy Hash: ECB19C71608351AFD714DF68D894FAABBE4FF88350F408918F9999B2A1D731E844CB91
                APIs
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00138968
                • GetSystemMetrics.USER32(00000007), ref: 00138970
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0013899B
                • GetSystemMetrics.USER32(00000008), ref: 001389A3
                • GetSystemMetrics.USER32(00000004), ref: 001389C8
                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001389E5
                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001389F5
                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00138A28
                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00138A3C
                • GetClientRect.USER32(00000000,000000FF), ref: 00138A5A
                • GetStockObject.GDI32(00000011), ref: 00138A76
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00138A81
                  • Part of subcall function 0013912D: GetCursorPos.USER32(?), ref: 00139141
                  • Part of subcall function 0013912D: ScreenToClient.USER32(00000000,?), ref: 0013915E
                  • Part of subcall function 0013912D: GetAsyncKeyState.USER32(00000001), ref: 00139183
                  • Part of subcall function 0013912D: GetAsyncKeyState.USER32(00000002), ref: 0013919D
                • SetTimer.USER32(00000000,00000000,00000028,001390FC), ref: 00138AA8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                • String ID: @U=u$AutoIt v3 GUI
                • API String ID: 1458621304-2077007950
                • Opcode ID: a595adec645d1bac293f0ed5d8ae5c4f7e5badd5f93d544b93c59bdf8f35a62e
                • Instruction ID: 62dc72db3e4ae46ae2b23861837cd1dc4c17be2e045fbe2c03c85993082d3994
                • Opcode Fuzzy Hash: a595adec645d1bac293f0ed5d8ae5c4f7e5badd5f93d544b93c59bdf8f35a62e
                • Instruction Fuzzy Hash: A7B16D71A00209EFDB18DFA8CD45BAE7BB5FB48354F114229FA15A7290DB74E880CB91
                APIs
                • LoadIconW.USER32(00000063), ref: 00185A2E
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00185A40
                • SetWindowTextW.USER32(?,?), ref: 00185A57
                • GetDlgItem.USER32(?,000003EA), ref: 00185A6C
                • SetWindowTextW.USER32(00000000,?), ref: 00185A72
                • GetDlgItem.USER32(?,000003E9), ref: 00185A82
                • SetWindowTextW.USER32(00000000,?), ref: 00185A88
                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00185AA9
                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00185AC3
                • GetWindowRect.USER32(?,?), ref: 00185ACC
                • _wcslen.LIBCMT ref: 00185B33
                • SetWindowTextW.USER32(?,?), ref: 00185B6F
                • GetDesktopWindow.USER32 ref: 00185B75
                • GetWindowRect.USER32(00000000), ref: 00185B7C
                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00185BD3
                • GetClientRect.USER32(?,?), ref: 00185BE0
                • PostMessageW.USER32(?,00000005,00000000,?), ref: 00185C05
                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00185C2F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                • String ID: @U=u
                • API String ID: 895679908-2594219639
                • Opcode ID: 5b4234344d08f6323e003444e38f94217d1e808fbbb3a3c7a3592e055eae2029
                • Instruction ID: bf9d211d377f09ac7396f5d8948ddc92b78461eb176a84f5ef5694d720a50a5c
                • Opcode Fuzzy Hash: 5b4234344d08f6323e003444e38f94217d1e808fbbb3a3c7a3592e055eae2029
                • Instruction Fuzzy Hash: BD715D31900B05AFDB20EFA8CE85AAEBBF6FF58705F104618E542A75A0D775AA44CF50
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 001B09C6
                • _wcslen.LIBCMT ref: 001B0A01
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001B0A54
                • _wcslen.LIBCMT ref: 001B0A8A
                • _wcslen.LIBCMT ref: 001B0B06
                • _wcslen.LIBCMT ref: 001B0B81
                  • Part of subcall function 0013F9F2: _wcslen.LIBCMT ref: 0013F9FD
                  • Part of subcall function 00182BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00182BFA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$MessageSend$BuffCharUpper
                • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                • API String ID: 1103490817-383632319
                • Opcode ID: 811aa53c30dd6738fd5562bed8b03e46a448624c06639b823146b6527b4ce9aa
                • Instruction ID: 8709f2a4753befc3fd2a3e2f5a160eba39ab17771e1fcd66d7f7d3e902de2e59
                • Opcode Fuzzy Hash: 811aa53c30dd6738fd5562bed8b03e46a448624c06639b823146b6527b4ce9aa
                • Instruction Fuzzy Hash: 06E1AA352087018FC715EF24C55096BB7E1BFA8308F15895CF89AAB3A2DB30ED46CB81
                APIs
                  • Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00181114
                  • Part of subcall function 001810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181120
                  • Part of subcall function 001810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 0018112F
                  • Part of subcall function 001810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181136
                  • Part of subcall function 001810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0018114D
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00180DF5
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00180E29
                • GetLengthSid.ADVAPI32(?), ref: 00180E40
                • GetAce.ADVAPI32(?,00000000,?), ref: 00180E7A
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00180E96
                • GetLengthSid.ADVAPI32(?), ref: 00180EAD
                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00180EB5
                • HeapAlloc.KERNEL32(00000000), ref: 00180EBC
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00180EDD
                • CopySid.ADVAPI32(00000000), ref: 00180EE4
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00180F13
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00180F35
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00180F47
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180F6E
                • HeapFree.KERNEL32(00000000), ref: 00180F75
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180F7E
                • HeapFree.KERNEL32(00000000), ref: 00180F85
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00180F8E
                • HeapFree.KERNEL32(00000000), ref: 00180F95
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00180FA1
                • HeapFree.KERNEL32(00000000), ref: 00180FA8
                  • Part of subcall function 00181193: GetProcessHeap.KERNEL32(00000008,00180BB1,?,00000000,?,00180BB1,?), ref: 001811A1
                  • Part of subcall function 00181193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00180BB1,?), ref: 001811A8
                  • Part of subcall function 00181193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00180BB1,?), ref: 001811B7
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 4175595110-0
                • Opcode ID: 417ccc608fa50fd07bca864b13a7ad1b088ea3ea47ade55a4aca586c3e767b2e
                • Instruction ID: 6590e28977be29a37a47dafd313b114c40bf9150146b6cc456ed67aa14b2cad5
                • Opcode Fuzzy Hash: 417ccc608fa50fd07bca864b13a7ad1b088ea3ea47ade55a4aca586c3e767b2e
                • Instruction Fuzzy Hash: 3E71507290020AEBDF61AFA4DC44FAEBBB8BF08350F148215FA55E6151D7719A49CFA0
                APIs
                • _wcslen.LIBCMT ref: 001B835A
                • _wcslen.LIBCMT ref: 001B836E
                • _wcslen.LIBCMT ref: 001B8391
                • _wcslen.LIBCMT ref: 001B83B4
                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001B83F2
                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,001B361A,?), ref: 001B844E
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001B8487
                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001B84CA
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001B8501
                • FreeLibrary.KERNEL32(?), ref: 001B850D
                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001B851D
                • DestroyIcon.USER32(?), ref: 001B852C
                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001B8549
                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001B8555
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                • String ID: .dll$.exe$.icl$@U=u
                • API String ID: 799131459-1639919054
                • Opcode ID: 5a76d08b08ce3088e968d35b6673c847f6c849b3b993f1e0c4b8dae2e3ef0035
                • Instruction ID: e07dc53073f0e424b712b77b0c64a767fe57bddcc666b6de0c82159983c2c7a4
                • Opcode Fuzzy Hash: 5a76d08b08ce3088e968d35b6673c847f6c849b3b993f1e0c4b8dae2e3ef0035
                • Instruction Fuzzy Hash: 2161CE71500615BBEB24DF64DC81BFE77ACBB18B21F104609F815E61E1DF74AA90CBA0
                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001AC4BD
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,001BCC08,00000000,?,00000000,?,?), ref: 001AC544
                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001AC5A4
                • _wcslen.LIBCMT ref: 001AC5F4
                • _wcslen.LIBCMT ref: 001AC66F
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001AC6B2
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001AC7C1
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001AC84D
                • RegCloseKey.ADVAPI32(?), ref: 001AC881
                • RegCloseKey.ADVAPI32(00000000), ref: 001AC88E
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001AC960
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 9721498-966354055
                • Opcode ID: fe77fa7e1d92f73f51f564aba28da1ee84bb65a32ae2a24b308832f4413ef6f0
                • Instruction ID: a7a00b570217add46d78fa6db2a2643162406dec2d197afef2ee557289247fdd
                • Opcode Fuzzy Hash: fe77fa7e1d92f73f51f564aba28da1ee84bb65a32ae2a24b308832f4413ef6f0
                • Instruction Fuzzy Hash: 741258396042119FDB14DF24D881A2AB7E5FF89714F15889CF88A9B3A2DB31ED41CB81
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                • API String ID: 1256254125-909552448
                • Opcode ID: d84048233860ce776f8bbfa33112f4342f1bb5601caf041db3ec0d18ef6fc756
                • Instruction ID: bf97e85639bc60b6f669fd3be8852b60b0ec01ece5e9c9aa7804a9dcba677516
                • Opcode Fuzzy Hash: d84048233860ce776f8bbfa33112f4342f1bb5601caf041db3ec0d18ef6fc756
                • Instruction Fuzzy Hash: 7671F93AA0056A8BCB10DE7CD9516BF3391AFB67A4F150528F856AB284F731CD85C3E0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                • API String ID: 0-1645009161
                • Opcode ID: 500f0e831cd153c1bef78fb777079714a7e6e8f719857bf30c698b20f6070dab
                • Instruction ID: 30e85ff65a02b1ba9b18660bbb43f1db2fca9e5376d2ca8abcbdeff3f23945db
                • Opcode Fuzzy Hash: 500f0e831cd153c1bef78fb777079714a7e6e8f719857bf30c698b20f6070dab
                • Instruction Fuzzy Hash: BD810B71604625BBDB24BF65EC46FEF37A9AF26300F044024F905AB1D6EB70DA62C791
                APIs
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 001B8592
                • GetFileSize.KERNEL32(00000000,00000000), ref: 001B85A2
                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 001B85AD
                • CloseHandle.KERNEL32(00000000), ref: 001B85BA
                • GlobalLock.KERNEL32(00000000), ref: 001B85C8
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001B85D7
                • GlobalUnlock.KERNEL32(00000000), ref: 001B85E0
                • CloseHandle.KERNEL32(00000000), ref: 001B85E7
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001B85F8
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,001BFC38,?), ref: 001B8611
                • GlobalFree.KERNEL32(00000000), ref: 001B8621
                • GetObjectW.GDI32(?,00000018,000000FF), ref: 001B8641
                • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001B8671
                • DeleteObject.GDI32(00000000), ref: 001B8699
                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001B86AF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID: @U=u
                • API String ID: 3840717409-2594219639
                • Opcode ID: 05e3f23764e3de8ef0b510998d6e6f3a9302900f74c788e9cb9cf6b52044e191
                • Instruction ID: 51afe1f9a19e4b7de575d4cd6d6e344f96245cfa42fc72a206919312a9bf29b4
                • Opcode Fuzzy Hash: 05e3f23764e3de8ef0b510998d6e6f3a9302900f74c788e9cb9cf6b52044e191
                • Instruction Fuzzy Hash: 7641F775600209AFDB119FA9DC88EAA7BBCFF89B15F104259F909E7260DB709941CF60
                APIs
                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001400C6
                  • Part of subcall function 001400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(001F070C,00000FA0,4367B6BF,?,?,?,?,001623B3,000000FF), ref: 0014011C
                  • Part of subcall function 001400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001623B3,000000FF), ref: 00140127
                  • Part of subcall function 001400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001623B3,000000FF), ref: 00140138
                  • Part of subcall function 001400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0014014E
                  • Part of subcall function 001400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0014015C
                  • Part of subcall function 001400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0014016A
                  • Part of subcall function 001400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00140195
                  • Part of subcall function 001400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001401A0
                • ___scrt_fastfail.LIBCMT ref: 001400E7
                  • Part of subcall function 001400A3: __onexit.LIBCMT ref: 001400A9
                Strings
                • kernel32.dll, xrefs: 00140133
                • WakeAllConditionVariable, xrefs: 00140162
                • SleepConditionVariableCS, xrefs: 00140154
                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00140122
                • InitializeConditionVariable, xrefs: 00140148
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                • API String ID: 66158676-1714406822
                • Opcode ID: cd80648122bcf953de0310e24cdd07c8a6797054592d01924aaebb9c5b28ebe5
                • Instruction ID: 89a055f760e0abfb2420c068dbf870619500cc70f8b428b07e37c84a10152415
                • Opcode Fuzzy Hash: cd80648122bcf953de0310e24cdd07c8a6797054592d01924aaebb9c5b28ebe5
                • Instruction Fuzzy Hash: C8210B32A44710ABD7126BA9EC45B6933D4EF5CF61F010239FA01E36A2DB74DC408ED0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                • API String ID: 176396367-1603158881
                • Opcode ID: 3aa04eabe468abd536a43eb70874367ca2aef9358e1e046a945b24c8db36af7a
                • Instruction ID: 5d28b5011e456921ff7f3f0701f4f17ba127413e9a8c46f16ceed6cbee7d369c
                • Opcode Fuzzy Hash: 3aa04eabe468abd536a43eb70874367ca2aef9358e1e046a945b24c8db36af7a
                • Instruction Fuzzy Hash: 64E1E631A00516ABCB18AF68C4517EEFBB1BF54B14F588129E466B7250DB30AF85DF90
                APIs
                • CharLowerBuffW.USER32(00000000,00000000,001BCC08), ref: 00194527
                • _wcslen.LIBCMT ref: 0019453B
                • _wcslen.LIBCMT ref: 00194599
                • _wcslen.LIBCMT ref: 001945F4
                • _wcslen.LIBCMT ref: 0019463F
                • _wcslen.LIBCMT ref: 001946A7
                  • Part of subcall function 0013F9F2: _wcslen.LIBCMT ref: 0013F9FD
                • GetDriveTypeW.KERNEL32(?,001E6BF0,00000061), ref: 00194743
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$BuffCharDriveLowerType
                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                • API String ID: 2055661098-1000479233
                • Opcode ID: c455432aaa8441f46ec11749a90cfb23f6c2db5c91e0e22123732deb6e3a2d45
                • Instruction ID: 980a99a048fbd1f55ee340b37f61942f04407f9b3ba18bd41ce04070d26faa37
                • Opcode Fuzzy Hash: c455432aaa8441f46ec11749a90cfb23f6c2db5c91e0e22123732deb6e3a2d45
                • Instruction Fuzzy Hash: 8EB122716083029FCB14DF28D890E6EB7E5BFA9764F50491DF496C7291E730D846CBA2
                APIs
                • DestroyWindow.USER32(?,?), ref: 001B6DEB
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001B6E5F
                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001B6E81
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001B6E94
                • DestroyWindow.USER32(?), ref: 001B6EB5
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00120000,00000000), ref: 001B6EE4
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001B6EFD
                • GetDesktopWindow.USER32 ref: 001B6F16
                • GetWindowRect.USER32(00000000), ref: 001B6F1D
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001B6F35
                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001B6F4D
                  • Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                • String ID: 0$@U=u$tooltips_class32
                • API String ID: 2429346358-1130792468
                • Opcode ID: 5c8e737f732f1099944c1bc6b48e346261289aa65e4ab8ddd00ccfdd46ea155d
                • Instruction ID: 622120c8db54105310bc1b113d5602ac6b470781af128875ecaa2b25b18defd9
                • Opcode Fuzzy Hash: 5c8e737f732f1099944c1bc6b48e346261289aa65e4ab8ddd00ccfdd46ea155d
                • Instruction Fuzzy Hash: 28717771504244AFDB21CF28DC58FBABBE9FBA9304F04051DF989872A1C774E946CB51
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                • DragQueryPoint.SHELL32(?,?), ref: 001B9147
                  • Part of subcall function 001B7674: ClientToScreen.USER32(?,?), ref: 001B769A
                  • Part of subcall function 001B7674: GetWindowRect.USER32(?,?), ref: 001B7710
                  • Part of subcall function 001B7674: PtInRect.USER32(?,?,001B8B89), ref: 001B7720
                • SendMessageW.USER32(?,000000B0,?,?), ref: 001B91B0
                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001B91BB
                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001B91DE
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 001B9225
                • SendMessageW.USER32(?,000000B0,?,?), ref: 001B923E
                • SendMessageW.USER32(?,000000B1,?,?), ref: 001B9255
                • SendMessageW.USER32(?,000000B1,?,?), ref: 001B9277
                • DragFinish.SHELL32(?), ref: 001B927E
                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001B9371
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                • API String ID: 221274066-762882726
                • Opcode ID: cb118b333632300168d00203c8ee1f921a22e1c57b552d8f8238edacd87d5fe3
                • Instruction ID: 8242514ac09cf838af79f331a35c836f1b8dd10e696dee823bf99616ca8ce54e
                • Opcode Fuzzy Hash: cb118b333632300168d00203c8ee1f921a22e1c57b552d8f8238edacd87d5fe3
                • Instruction Fuzzy Hash: B6615971108301AFD701DF64DC85DAFBBE8FF99750F000A2EF695921A0DB709A59CBA2
                APIs
                • _wcslen.LIBCMT ref: 001AB198
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001AB1B0
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001AB1D4
                • _wcslen.LIBCMT ref: 001AB200
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001AB214
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001AB236
                • _wcslen.LIBCMT ref: 001AB332
                  • Part of subcall function 001905A7: GetStdHandle.KERNEL32(000000F6), ref: 001905C6
                • _wcslen.LIBCMT ref: 001AB34B
                • _wcslen.LIBCMT ref: 001AB366
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001AB3B6
                • GetLastError.KERNEL32(00000000), ref: 001AB407
                • CloseHandle.KERNEL32(?), ref: 001AB439
                • CloseHandle.KERNEL32(00000000), ref: 001AB44A
                • CloseHandle.KERNEL32(00000000), ref: 001AB45C
                • CloseHandle.KERNEL32(00000000), ref: 001AB46E
                • CloseHandle.KERNEL32(?), ref: 001AB4E3
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                • String ID:
                • API String ID: 2178637699-0
                • Opcode ID: 999951cda1f260b19cb1787da9301e379de95b27a5260b36ff33088cc187e0d3
                • Instruction ID: 903c751e10f1f599a70f49b9748536c486689b89c80ad6c1d28810594764d117
                • Opcode Fuzzy Hash: 999951cda1f260b19cb1787da9301e379de95b27a5260b36ff33088cc187e0d3
                • Instruction Fuzzy Hash: 6EF19D355083809FCB14EF24D891B6EBBE1BF9A314F14855DF4899B2A2CB31EC45CB92
                APIs
                • GetMenuItemCount.USER32(001F1990), ref: 00162F8D
                • GetMenuItemCount.USER32(001F1990), ref: 0016303D
                • GetCursorPos.USER32(?), ref: 00163081
                • SetForegroundWindow.USER32(00000000), ref: 0016308A
                • TrackPopupMenuEx.USER32(001F1990,00000000,?,00000000,00000000,00000000), ref: 0016309D
                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001630A9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                • String ID: 0
                • API String ID: 36266755-4108050209
                • Opcode ID: 9309a7e52dfd1a10698a0d01848c58ab5c5445a2da85067cedd6f95c8bcb9bc9
                • Instruction ID: 6470d35e23de876912ff4b38d38f229ea15277370b7b6f508e2bed0614efe542
                • Opcode Fuzzy Hash: 9309a7e52dfd1a10698a0d01848c58ab5c5445a2da85067cedd6f95c8bcb9bc9
                • Instruction Fuzzy Hash: A9714930644616BFFB259F64DC89FAABF69FF05324F204216F5246A1E0C7B1AD60CB90
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0019C4B0
                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0019C4C3
                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0019C4D7
                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0019C4F0
                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0019C533
                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0019C549
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0019C554
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0019C584
                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0019C5DC
                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0019C5F0
                • InternetCloseHandle.WININET(00000000), ref: 0019C5FB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                • String ID:
                • API String ID: 3800310941-3916222277
                • Opcode ID: f8415f24a195d7c39be973c472f4d380979bb3f7c4974c332c19b8992b45e208
                • Instruction ID: 23f0532a927b58244630e10154cd3ef3e5ac50c44afef213c9035614d9fd7b35
                • Opcode Fuzzy Hash: f8415f24a195d7c39be973c472f4d380979bb3f7c4974c332c19b8992b45e208
                • Instruction Fuzzy Hash: 90514BB1600209BFEF218FA5C988AAB7BFCFF08754F014519F98696650DB34E944DBE0
                APIs
                • VariantInit.OLEAUT32(00000000), ref: 00191502
                • VariantCopy.OLEAUT32(?,?), ref: 0019150B
                • VariantClear.OLEAUT32(?), ref: 00191517
                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001915FB
                • VarR8FromDec.OLEAUT32(?,?), ref: 00191657
                • VariantInit.OLEAUT32(?), ref: 00191708
                • SysFreeString.OLEAUT32(?), ref: 0019178C
                • VariantClear.OLEAUT32(?), ref: 001917D8
                • VariantClear.OLEAUT32(?), ref: 001917E7
                • VariantInit.OLEAUT32(00000000), ref: 00191823
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                • String ID: %4d%02d%02d%02d%02d%02d$Default
                • API String ID: 1234038744-3931177956
                • Opcode ID: af9e1e698ec31f3644cc5bb16c23d03de34d47b37cacb4931807a969018a9d3f
                • Instruction ID: bca642faf9796248fb9626aefa74a2f81cf36343c5e5124c054170c0bb84195e
                • Opcode Fuzzy Hash: af9e1e698ec31f3644cc5bb16c23d03de34d47b37cacb4931807a969018a9d3f
                • Instruction Fuzzy Hash: 15D10631A00116FBEF089FA5E885B7DB7B5BF45700F12805AF446AB590DB30DD92DBA1
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                  • Part of subcall function 001AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001AC9F1
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA68
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001AB6F4
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001AB772
                • RegDeleteValueW.ADVAPI32(?,?), ref: 001AB80A
                • RegCloseKey.ADVAPI32(?), ref: 001AB87E
                • RegCloseKey.ADVAPI32(?), ref: 001AB89C
                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 001AB8F2
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001AB904
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 001AB922
                • FreeLibrary.KERNEL32(00000000), ref: 001AB983
                • RegCloseKey.ADVAPI32(00000000), ref: 001AB994
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 146587525-4033151799
                • Opcode ID: 22f49712881bcf7b4e0fd823f5617a2b4bf1ba8dd28081b535680961b7320173
                • Instruction ID: b3a2f4749b089407a60947802004a2cb1a8f10ffcc99c4dc80863dbcdc26d750
                • Opcode Fuzzy Hash: 22f49712881bcf7b4e0fd823f5617a2b4bf1ba8dd28081b535680961b7320173
                • Instruction Fuzzy Hash: 22C18A78208281EFD714DF28C494F2ABBE5BF85308F14855CF59A8B6A2CB75EC45CB91
                APIs
                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001B5504
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001B5515
                • CharNextW.USER32(00000158), ref: 001B5544
                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001B5585
                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001B559B
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001B55AC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$CharNext
                • String ID: @U=u
                • API String ID: 1350042424-2594219639
                • Opcode ID: 8e69883e3fef597238d5e49a3cc53a3479a42db48a4d4cf9261586443b2acc07
                • Instruction ID: ac6baf5dfae291ac49f7948f54455374fd5df975882bb57c3b9db9cccb7cbd7f
                • Opcode Fuzzy Hash: 8e69883e3fef597238d5e49a3cc53a3479a42db48a4d4cf9261586443b2acc07
                • Instruction Fuzzy Hash: 5B618C30900608EFDF209F94CC84EFE7BBAEF09765F104145F925AB290D7749A81DBA0
                APIs
                • GetDC.USER32(00000000), ref: 001A25D8
                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001A25E8
                • CreateCompatibleDC.GDI32(?), ref: 001A25F4
                • SelectObject.GDI32(00000000,?), ref: 001A2601
                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001A266D
                • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001A26AC
                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001A26D0
                • SelectObject.GDI32(?,?), ref: 001A26D8
                • DeleteObject.GDI32(?), ref: 001A26E1
                • DeleteDC.GDI32(?), ref: 001A26E8
                • ReleaseDC.USER32(00000000,?), ref: 001A26F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                • String ID: (
                • API String ID: 2598888154-3887548279
                • Opcode ID: a86d31db0843e8a92b2a1078956030bfb43e7cd7537180b41332ee75197cd634
                • Instruction ID: def42bbc099e4a0f75f853aa2054e61e21ec755d20e8cc44115155bd8cf86a69
                • Opcode Fuzzy Hash: a86d31db0843e8a92b2a1078956030bfb43e7cd7537180b41332ee75197cd634
                • Instruction Fuzzy Hash: 3B61E475D00219EFCF04CFA8D984EAEBBB6FF58310F208529E955A7250D770A941CFA0
                APIs
                • timeGetTime.WINMM ref: 0018E6B4
                  • Part of subcall function 0013E551: timeGetTime.WINMM(?,?,0018E6D4), ref: 0013E555
                • Sleep.KERNEL32(0000000A), ref: 0018E6E1
                • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0018E705
                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0018E727
                • SetActiveWindow.USER32 ref: 0018E746
                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0018E754
                • SendMessageW.USER32(00000010,00000000,00000000), ref: 0018E773
                • Sleep.KERNEL32(000000FA), ref: 0018E77E
                • IsWindow.USER32 ref: 0018E78A
                • EndDialog.USER32(00000000), ref: 0018E79B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                • String ID: @U=u$BUTTON
                • API String ID: 1194449130-2582809321
                • Opcode ID: 124153c5d7d7099c8e12ef1d3e6527027c34543059bf4bee63e316656c894983
                • Instruction ID: 11b7b94453a044d248d0b686b5147b003e7a3d015f7e79356ac8e5eb963a528c
                • Opcode Fuzzy Hash: 124153c5d7d7099c8e12ef1d3e6527027c34543059bf4bee63e316656c894983
                • Instruction Fuzzy Hash: 532154B0200205AFEB106F64ECC9E353BA9F754759F601525F916C29B1DBB1AD80DFA4
                APIs
                • ___free_lconv_mon.LIBCMT ref: 0015DAA1
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D659
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D66B
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D67D
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D68F
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6A1
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6B3
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6C5
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6D7
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6E9
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D6FB
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D70D
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D71F
                  • Part of subcall function 0015D63C: _free.LIBCMT ref: 0015D731
                • _free.LIBCMT ref: 0015DA96
                  • Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
                  • Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0
                • _free.LIBCMT ref: 0015DAB8
                • _free.LIBCMT ref: 0015DACD
                • _free.LIBCMT ref: 0015DAD8
                • _free.LIBCMT ref: 0015DAFA
                • _free.LIBCMT ref: 0015DB0D
                • _free.LIBCMT ref: 0015DB1B
                • _free.LIBCMT ref: 0015DB26
                • _free.LIBCMT ref: 0015DB5E
                • _free.LIBCMT ref: 0015DB65
                • _free.LIBCMT ref: 0015DB82
                • _free.LIBCMT ref: 0015DB9A
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: bdd6a461088283eb928fb914c58e18d2ea84fac1322bb4b95d0dd3852b9f34d1
                • Instruction ID: 945c855cfb420bff0f283ca668b0ac3a4a860912e311d8e4c2ced25a69ef4893
                • Opcode Fuzzy Hash: bdd6a461088283eb928fb914c58e18d2ea84fac1322bb4b95d0dd3852b9f34d1
                • Instruction Fuzzy Hash: 96314D32604705DFEB31AA39E845B9A77E9FF12316F154419E869EF291DF31AC88C720
                APIs
                • GetClassNameW.USER32(?,?,00000100), ref: 0018369C
                • _wcslen.LIBCMT ref: 001836A7
                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00183797
                • GetClassNameW.USER32(?,?,00000400), ref: 0018380C
                • GetDlgCtrlID.USER32(?), ref: 0018385D
                • GetWindowRect.USER32(?,?), ref: 00183882
                • GetParent.USER32(?), ref: 001838A0
                • ScreenToClient.USER32(00000000), ref: 001838A7
                • GetClassNameW.USER32(?,?,00000100), ref: 00183921
                • GetWindowTextW.USER32(?,?,00000400), ref: 0018395D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                • String ID: %s%u
                • API String ID: 4010501982-679674701
                • Opcode ID: 081792d2a215335889bf80c535a143be13a80f2f1e145d7c82c99d2a041be493
                • Instruction ID: c6a0e9cd4d09819d11a5f16fb3b94f30710f2aed0b2b81b7a8ff5e87c3a68e1c
                • Opcode Fuzzy Hash: 081792d2a215335889bf80c535a143be13a80f2f1e145d7c82c99d2a041be493
                • Instruction Fuzzy Hash: 7591D471604606AFD718EF24C885FAAF7A9FF44714F044629F9A9C2190EB30EB45CFA1
                APIs
                • GetClassNameW.USER32(?,?,00000400), ref: 00184994
                • GetWindowTextW.USER32(?,?,00000400), ref: 001849DA
                • _wcslen.LIBCMT ref: 001849EB
                • CharUpperBuffW.USER32(?,00000000), ref: 001849F7
                • _wcsstr.LIBVCRUNTIME ref: 00184A2C
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00184A64
                • GetWindowTextW.USER32(?,?,00000400), ref: 00184A9D
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00184AE6
                • GetClassNameW.USER32(?,?,00000400), ref: 00184B20
                • GetWindowRect.USER32(?,?), ref: 00184B8B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                • String ID: ThumbnailClass
                • API String ID: 1311036022-1241985126
                • Opcode ID: 6e8ba400e5622837238ef38a9708646051f52b7c64ea43e44868c3cae3e9eab0
                • Instruction ID: 5672a855a3c3126d8e448265206954e50f20eaf333d96634bfc40db9cb7f8a3a
                • Opcode Fuzzy Hash: 6e8ba400e5622837238ef38a9708646051f52b7c64ea43e44868c3cae3e9eab0
                • Instruction Fuzzy Hash: DE91AC710042069BDB18EF14C985FAA77E9FF94314F04846AFD869A196EF30EE45CFA1
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001B8D5A
                • GetFocus.USER32 ref: 001B8D6A
                • GetDlgCtrlID.USER32(00000000), ref: 001B8D75
                • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001B8E1D
                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001B8ECF
                • GetMenuItemCount.USER32(?), ref: 001B8EEC
                • GetMenuItemID.USER32(?,00000000), ref: 001B8EFC
                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001B8F2E
                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001B8F70
                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001B8FA1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                • String ID: 0
                • API String ID: 1026556194-4108050209
                • Opcode ID: 11db609ba90058b01cd7d1aaeaa5eeda14a0cd5959af629b31b7a3004a4baab2
                • Instruction ID: 8a5a76541a43b423b21fa8225c8927278d1042955635780d818150a332eca02e
                • Opcode Fuzzy Hash: 11db609ba90058b01cd7d1aaeaa5eeda14a0cd5959af629b31b7a3004a4baab2
                • Instruction Fuzzy Hash: 03816C71508301AFDB20CF24D884AEBBBEDFB98B54F140A1EF99597291DB70D941CBA1
                APIs
                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0018DC20
                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0018DC46
                • _wcslen.LIBCMT ref: 0018DC50
                • _wcsstr.LIBVCRUNTIME ref: 0018DCA0
                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0018DCBC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 1939486746-1459072770
                • Opcode ID: 298ae47387bf32781695c46daa2d6e8d67473acd9c4141c423c049f8bc00e183
                • Instruction ID: 011c5b1852107b4d149165445b85ec6231e75e641d05a85a63dde854731545b7
                • Opcode Fuzzy Hash: 298ae47387bf32781695c46daa2d6e8d67473acd9c4141c423c049f8bc00e183
                • Instruction Fuzzy Hash: 9141EF72A403047ADB14B7B5EC47EFF77ACEF61750F10016AF900A61D2EB649A019BA5
                APIs
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001ACC64
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001ACC8D
                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001ACD48
                  • Part of subcall function 001ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001ACCAA
                  • Part of subcall function 001ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001ACCBD
                  • Part of subcall function 001ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001ACCCF
                  • Part of subcall function 001ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001ACD05
                  • Part of subcall function 001ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001ACD28
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 001ACCF3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 2734957052-4033151799
                • Opcode ID: 21a147914df9dbe48204b1d62c34ec267d091d97bc82a89fdac8cc1c98c08a70
                • Instruction ID: a24c1e89ff0810811d2cc5e99d1b273c7f77336230795d9d81f2c3f9d2fd09f8
                • Opcode Fuzzy Hash: 21a147914df9dbe48204b1d62c34ec267d091d97bc82a89fdac8cc1c98c08a70
                • Instruction Fuzzy Hash: 3931AD79901128BBDB209B95DC88EFFBB7CEF56750F000165F906E2241DB708A85DAF0
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0018EA5D
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0018EA73
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0018EA84
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0018EA96
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0018EAA7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: SendString$_wcslen
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 2420728520-1007645807
                • Opcode ID: 5ab28d27f176caaff535db3a046d807174f4b5a55a049f6f2b05b96555ec3205
                • Instruction ID: f90502d1a80df1cda67381aefa942b7fdbb2221a7db6028a17daec3114a5133b
                • Opcode Fuzzy Hash: 5ab28d27f176caaff535db3a046d807174f4b5a55a049f6f2b05b96555ec3205
                • Instruction Fuzzy Hash: 6B1124316502697DD724F766EC4ADFF6ABCEBE1F44F400429B411A20D1EF705A55CAB0
                APIs
                  • Part of subcall function 00138F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00138BE8,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 00138FC5
                • DestroyWindow.USER32(?), ref: 00138C81
                • KillTimer.USER32(00000000,?,?,?,?,00138BBA,00000000,?), ref: 00138D1B
                • DestroyAcceleratorTable.USER32(00000000), ref: 00176973
                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 001769A1
                • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00138BBA,00000000,?), ref: 001769B8
                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00138BBA,00000000), ref: 001769D4
                • DeleteObject.GDI32(00000000), ref: 001769E6
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                • String ID:
                • API String ID: 641708696-0
                • Opcode ID: 77b90b6d61f5e1483c949d914d8dc856bb78b9791f7224cdcc6e1f2d093e19c4
                • Instruction ID: d99da8323a7882f0eaed709b9dad48a23aea794cd88e2b52e4adf34321684e98
                • Opcode Fuzzy Hash: 77b90b6d61f5e1483c949d914d8dc856bb78b9791f7224cdcc6e1f2d093e19c4
                • Instruction Fuzzy Hash: 53616A31502B00EFCB259F25DA58B66B7F1FB5031AF14951CF046AB9A0CB75ADC0DBA0
                APIs
                  • Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952
                • GetSysColor.USER32(0000000F), ref: 00139862
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ColorLongWindow
                • String ID:
                • API String ID: 259745315-0
                • Opcode ID: f7ac4ac02bec73373bb96c5805e93b4e2d5e384beaba19adf2536ef27962e683
                • Instruction ID: 8a449e27edc5ff2a6503f75cfdde598730740a2fbb40247db9b5e39f2b24c257
                • Opcode Fuzzy Hash: f7ac4ac02bec73373bb96c5805e93b4e2d5e384beaba19adf2536ef27962e683
                • Instruction Fuzzy Hash: 2941A231104644EFDF205F3C9C88BBA7BA5EB86330F144655F9A6972E1D7B19C81DB50
                APIs
                • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001B5186
                • ShowWindow.USER32(?,00000000), ref: 001B51C7
                • ShowWindow.USER32(?,00000005,?,00000000), ref: 001B51CD
                • SetFocus.USER32(?,?,00000005,?,00000000), ref: 001B51D1
                  • Part of subcall function 001B6FBA: DeleteObject.GDI32(00000000), ref: 001B6FE6
                • GetWindowLongW.USER32(?,000000F0), ref: 001B520D
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B521A
                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001B524D
                • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001B5287
                • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001B5296
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                • String ID: @U=u
                • API String ID: 3210457359-2594219639
                • Opcode ID: ba8b9edc6ca74aa6f41c814460bd223599be1e85bf8cd2172ba6bba86131b5a5
                • Instruction ID: b443977fab5f57bb278d2e0ae5c83ad1af019ad2d6b2193dac0b17bdc3052ca8
                • Opcode Fuzzy Hash: ba8b9edc6ca74aa6f41c814460bd223599be1e85bf8cd2172ba6bba86131b5a5
                • Instruction Fuzzy Hash: 4551C030A42A08FFEF249F28DC4ABD83B67FB15365F184152F615962E0C7B5A980DB41
                APIs
                • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00176890
                • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001768A9
                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001768B9
                • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001768D1
                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001768F2
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00138874,00000000,00000000,00000000,000000FF,00000000), ref: 00176901
                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0017691E
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00138874,00000000,00000000,00000000,000000FF,00000000), ref: 0017692D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Icon$DestroyExtractImageLoadMessageSend
                • String ID: @U=u
                • API String ID: 1268354404-2594219639
                • Opcode ID: ca72515af33fbccf652122977034165579ea05b672613395942b844ec3089ecf
                • Instruction ID: f3afe80d7ed9162a3bac8a93d357d192d862ce1b034b0402744b56a797945a5d
                • Opcode Fuzzy Hash: ca72515af33fbccf652122977034165579ea05b672613395942b844ec3089ecf
                • Instruction Fuzzy Hash: 29519A7060070AEFDB24CF24CC55FAABBB5FB58354F104618F946A72A0DBB0E990DB90
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0016F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00189717
                • LoadStringW.USER32(00000000,?,0016F7F8,00000001), ref: 00189720
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0016F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00189742
                • LoadStringW.USER32(00000000,?,0016F7F8,00000001), ref: 00189745
                • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00189866
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message_wcslen
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                • API String ID: 747408836-2268648507
                • Opcode ID: 42ab205ba83520585f61f5aad19de74c25dbb8d556d8a40a8c70191a2c91f368
                • Instruction ID: 852b6f1a972b42573d28a345665ca15a28abf121f60dcbd8114bf3aa33ccf74d
                • Opcode Fuzzy Hash: 42ab205ba83520585f61f5aad19de74c25dbb8d556d8a40a8c70191a2c91f368
                • Instruction Fuzzy Hash: 79412B7290021DAACB04FBE5EE86DEEB778AF25340F540465F50572092EB356F58CF61
                APIs
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001807A2
                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001807BE
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001807DA
                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00180804
                • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0018082C
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00180837
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0018083C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                • API String ID: 323675364-22481851
                • Opcode ID: d2bd497b8812e61778f16d9be6f873dcc6d65b4d461292409cdd99e5602a8d2d
                • Instruction ID: d486cc5d323aac52047db369c3d3c3e78a44c590f03f04122491c6502d496fb2
                • Opcode Fuzzy Hash: d2bd497b8812e61778f16d9be6f873dcc6d65b4d461292409cdd99e5602a8d2d
                • Instruction Fuzzy Hash: 87411672C1022DABCF11EBA4EC858EDB778BF18354F444129F911A71A1EB309E58CFA0
                APIs
                • VariantInit.OLEAUT32(?), ref: 001A3C5C
                • CoInitialize.OLE32(00000000), ref: 001A3C8A
                • CoUninitialize.OLE32 ref: 001A3C94
                • _wcslen.LIBCMT ref: 001A3D2D
                • GetRunningObjectTable.OLE32(00000000,?), ref: 001A3DB1
                • SetErrorMode.KERNEL32(00000001,00000029), ref: 001A3ED5
                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001A3F0E
                • CoGetObject.OLE32(?,00000000,001BFB98,?), ref: 001A3F2D
                • SetErrorMode.KERNEL32(00000000), ref: 001A3F40
                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001A3FC4
                • VariantClear.OLEAUT32(?), ref: 001A3FD8
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                • String ID:
                • API String ID: 429561992-0
                • Opcode ID: 9cc2072459c19ade325d509b8cedc017969be2050af18f16d476edb30f622816
                • Instruction ID: d04295e8185fd4ae067f7f8b30da6672b2b18c73051aa318c6849be6b6001378
                • Opcode Fuzzy Hash: 9cc2072459c19ade325d509b8cedc017969be2050af18f16d476edb30f622816
                • Instruction Fuzzy Hash: C9C144756083059FC700DF68C884A2BBBE9FF8A744F10491DF99A9B251D730EE46CB92
                APIs
                • CoInitialize.OLE32(00000000), ref: 00197AF3
                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00197B8F
                • SHGetDesktopFolder.SHELL32(?), ref: 00197BA3
                • CoCreateInstance.OLE32(001BFD08,00000000,00000001,001E6E6C,?), ref: 00197BEF
                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00197C74
                • CoTaskMemFree.OLE32(?,?), ref: 00197CCC
                • SHBrowseForFolderW.SHELL32(?), ref: 00197D57
                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00197D7A
                • CoTaskMemFree.OLE32(00000000), ref: 00197D81
                • CoTaskMemFree.OLE32(00000000), ref: 00197DD6
                • CoUninitialize.OLE32 ref: 00197DDC
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                • String ID:
                • API String ID: 2762341140-0
                • Opcode ID: 54c6b93bea5da8241340fcbcea69cf5e09ff57c567ced2e916f2792780af0a10
                • Instruction ID: f573b146cee5d35099b479d8e0bbaab9dc43592275971fc33904e3386aa411aa
                • Opcode Fuzzy Hash: 54c6b93bea5da8241340fcbcea69cf5e09ff57c567ced2e916f2792780af0a10
                • Instruction Fuzzy Hash: E6C12A75A04119AFCB14DFA4D884DAEBBF9FF48304B148599F81ADB661D730EE81CB90
                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0017FAAF
                • SafeArrayAllocData.OLEAUT32(?), ref: 0017FB08
                • VariantInit.OLEAUT32(?), ref: 0017FB1A
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 0017FB3A
                • VariantCopy.OLEAUT32(?,?), ref: 0017FB8D
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 0017FBA1
                • VariantClear.OLEAUT32(?), ref: 0017FBB6
                • SafeArrayDestroyData.OLEAUT32(?), ref: 0017FBC3
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0017FBCC
                • VariantClear.OLEAUT32(?), ref: 0017FBDE
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0017FBE9
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                • String ID:
                • API String ID: 2706829360-0
                • Opcode ID: 41802e99fb8f9118cf9d68a33746474cf21bbeb56f3ac7eafb9a065a532d6f82
                • Instruction ID: 4d2616eb613784395c456c7d6af120fa82c5da6e345d48de0b8b91cf488ce214
                • Opcode Fuzzy Hash: 41802e99fb8f9118cf9d68a33746474cf21bbeb56f3ac7eafb9a065a532d6f82
                • Instruction Fuzzy Hash: E4415F35A00219DFCB00DF68D8549EEBBB9EF58344F008169E959A7661CB30AA46CFA0
                APIs
                • WSAStartup.WSOCK32(00000101,?), ref: 001A05BC
                • inet_addr.WSOCK32(?), ref: 001A061C
                • gethostbyname.WSOCK32(?), ref: 001A0628
                • IcmpCreateFile.IPHLPAPI ref: 001A0636
                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001A06C6
                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001A06E5
                • IcmpCloseHandle.IPHLPAPI(?), ref: 001A07B9
                • WSACleanup.WSOCK32 ref: 001A07BF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                • String ID: Ping
                • API String ID: 1028309954-2246546115
                • Opcode ID: ff0062a70988dfc9fca8255af6e8ff3344075e0e572b91eefdb62dd56c720fdf
                • Instruction ID: 84a89c5156b86da8a4850dcb4b16cfeec50bd694ae807e8a1460e26bd478594f
                • Opcode Fuzzy Hash: ff0062a70988dfc9fca8255af6e8ff3344075e0e572b91eefdb62dd56c720fdf
                • Instruction Fuzzy Hash: C691B0795042019FD321CF19D888F1ABBE0AF49318F1585A9F4A99B7A2C730FD85CF91
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$BuffCharLower
                • String ID: cdecl$none$stdcall$winapi
                • API String ID: 707087890-567219261
                • Opcode ID: d4f34131ac90ffacae30199cf3840cc7170984805e821ba71f7a5d810c6c4fc2
                • Instruction ID: c37522272701cf2287ca63ec43299ecc1c75a8e9a5324de7c06932eeb0bb9012
                • Opcode Fuzzy Hash: d4f34131ac90ffacae30199cf3840cc7170984805e821ba71f7a5d810c6c4fc2
                • Instruction Fuzzy Hash: DF519035A00516DBCF14DFACC9509BEB7A5BF66724B214229E426E72C4EB30DD40C790
                APIs
                • CoInitialize.OLE32 ref: 001A3774
                • CoUninitialize.OLE32 ref: 001A377F
                • CoCreateInstance.OLE32(?,00000000,00000017,001BFB78,?), ref: 001A37D9
                • IIDFromString.OLE32(?,?), ref: 001A384C
                • VariantInit.OLEAUT32(?), ref: 001A38E4
                • VariantClear.OLEAUT32(?), ref: 001A3936
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                • API String ID: 636576611-1287834457
                • Opcode ID: 56a718f978b476492485ecd2f7aee045ea142a09afffe0ff39a53e51bbeb22ff
                • Instruction ID: 7daff0098cba165ff521b87dc9f86295780768710f9ac69cf962dbacf05b8576
                • Opcode Fuzzy Hash: 56a718f978b476492485ecd2f7aee045ea142a09afffe0ff39a53e51bbeb22ff
                • Instruction Fuzzy Hash: 5F61DF74608301AFD311DF54D888F6ABBE8EF4A710F10090DF9959B291C774EE48CB92
                APIs
                • SetWindowLongW.USER32(?,000000EB), ref: 00125C7A
                  • Part of subcall function 00125D0A: GetClientRect.USER32(?,?), ref: 00125D30
                  • Part of subcall function 00125D0A: GetWindowRect.USER32(?,?), ref: 00125D71
                  • Part of subcall function 00125D0A: ScreenToClient.USER32(?,?), ref: 00125D99
                • GetDC.USER32 ref: 001646F5
                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00164708
                • SelectObject.GDI32(00000000,00000000), ref: 00164716
                • SelectObject.GDI32(00000000,00000000), ref: 0016472B
                • ReleaseDC.USER32(?,00000000), ref: 00164733
                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001647C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                • String ID: @U=u$U
                • API String ID: 4009187628-4110099822
                • Opcode ID: f6aa6e87cbfad0cf31f3bc0ef25afaa8bced640fb2a4be0d5e51848c057cb957
                • Instruction ID: ed6a7bc0452dd57e8dbb8399e16fc7a409ae1846c70837c6b220b6181612f973
                • Opcode Fuzzy Hash: f6aa6e87cbfad0cf31f3bc0ef25afaa8bced640fb2a4be0d5e51848c057cb957
                • Instruction Fuzzy Hash: 1771EE31400205EFCF25CF64CD84AFA3BB6FF4A364F184269ED555A2A6D73098A1DFA0
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                  • Part of subcall function 0013912D: GetCursorPos.USER32(?), ref: 00139141
                  • Part of subcall function 0013912D: ScreenToClient.USER32(00000000,?), ref: 0013915E
                  • Part of subcall function 0013912D: GetAsyncKeyState.USER32(00000001), ref: 00139183
                  • Part of subcall function 0013912D: GetAsyncKeyState.USER32(00000002), ref: 0013919D
                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001B8B6B
                • ImageList_EndDrag.COMCTL32 ref: 001B8B71
                • ReleaseCapture.USER32 ref: 001B8B77
                • SetWindowTextW.USER32(?,00000000), ref: 001B8C12
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001B8C25
                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001B8CFF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
                • API String ID: 1924731296-2104563098
                • Opcode ID: 1c52e72318f06db345eca59ec173c20c8cb5e53c9fcf6808073f176bc10491f4
                • Instruction ID: cfb3dbf17d3da615fe332f5e1ae736e8b73c38c8bc1299960efadc7a62c14ed1
                • Opcode Fuzzy Hash: 1c52e72318f06db345eca59ec173c20c8cb5e53c9fcf6808073f176bc10491f4
                • Instruction Fuzzy Hash: 01519D71204304AFD700EF24DC56FAA77E4FB98714F00062DF956A72E1DB71A954CBA2
                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001933CF
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001933F0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LoadString$_wcslen
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                • API String ID: 4099089115-3080491070
                • Opcode ID: 08eee8004a02568ba903849ea6cacff1e861ea1ba8c23b91435f136ca1cc4b6b
                • Instruction ID: 21007245480dff81b311097c342dd096cc3cb1793e833d11dd2394987115a3bd
                • Opcode Fuzzy Hash: 08eee8004a02568ba903849ea6cacff1e861ea1ba8c23b91435f136ca1cc4b6b
                • Instruction Fuzzy Hash: E9518C72D00219AADF15EBA0ED42EEEB778BF28340F144065F41572092EB356FA8DB61
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: APPEND$EXISTS$KEYS$REMOVE
                • API String ID: 1256254125-769500911
                • Opcode ID: a290dab3a45d0fd2eb83715ddcc0565a68e77f094c961789711cbabf0941c1ae
                • Instruction ID: 32c6d872e6894548eedea47de4e5128819d8025ea9be2bbe73fc82f76d4a337c
                • Opcode Fuzzy Hash: a290dab3a45d0fd2eb83715ddcc0565a68e77f094c961789711cbabf0941c1ae
                • Instruction Fuzzy Hash: 1141D432A081269BCB207F7DC9D05BE77A5AF74794B754129E425DB284F731CE81CB90
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 001953A0
                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00195416
                • GetLastError.KERNEL32 ref: 00195420
                • SetErrorMode.KERNEL32(00000000,READY), ref: 001954A7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Error$Mode$DiskFreeLastSpace
                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                • API String ID: 4194297153-14809454
                • Opcode ID: 38e823f706fad3ed2e804bf6e8ae01782078b08043f37d4fb716f7482f04d888
                • Instruction ID: e8dfd460d3b1381fd381bd6b1db37045b01bdc9156e192be7186d59a9d78df7a
                • Opcode Fuzzy Hash: 38e823f706fad3ed2e804bf6e8ae01782078b08043f37d4fb716f7482f04d888
                • Instruction Fuzzy Hash: 9131D235A00604DFCB52DF68D888AAEBBF5FF54345F548065E405EB292E730ED82CBA0
                APIs
                • CreateMenu.USER32 ref: 001B3C79
                • SetMenu.USER32(?,00000000), ref: 001B3C88
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001B3D10
                • IsMenu.USER32(?), ref: 001B3D24
                • CreatePopupMenu.USER32 ref: 001B3D2E
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001B3D5B
                • DrawMenuBar.USER32 ref: 001B3D63
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                • String ID: 0$F
                • API String ID: 161812096-3044882817
                • Opcode ID: d05a62472e9df68414654aeb59bb344e4bad9911a2f4dfb5a22a6f34a9a4c432
                • Instruction ID: ed9ed9d76d9ec3c6e073b711ea97d91e79de71fc8c35fd345a35ffffb5cf9102
                • Opcode Fuzzy Hash: d05a62472e9df68414654aeb59bb344e4bad9911a2f4dfb5a22a6f34a9a4c432
                • Instruction Fuzzy Hash: 17416B79A01209EFDB24CFA4D844EEA7BB5FF49350F140129F956A7360D770AA60CF94
                APIs
                • DeleteObject.GDI32(00000000), ref: 001B2D1B
                • GetDC.USER32(00000000), ref: 001B2D23
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B2D2E
                • ReleaseDC.USER32(00000000,00000000), ref: 001B2D3A
                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001B2D76
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001B2D87
                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001B2DC2
                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001B2DE1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                • String ID: @U=u
                • API String ID: 3864802216-2594219639
                • Opcode ID: 4c259c9052369133f401269ba9402dd3e5e240d646cd814a92147e6ed0351dd4
                • Instruction ID: 92641ccd2a83552f5bdfe0309570c3b4926e21f08707b65cce1ffe892c8a556c
                • Opcode Fuzzy Hash: 4c259c9052369133f401269ba9402dd3e5e240d646cd814a92147e6ed0351dd4
                • Instruction Fuzzy Hash: 65316976201214BBEB218F54CC8AFEB3BA9EF49715F044155FE089A291C7B59C91CBA4
                APIs
                • GetParent.USER32 ref: 001820AB
                • GetClassNameW.USER32(00000000,?,00000100), ref: 001820C0
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0018214D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ClassMessageNameParentSend
                • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 1290815626-1428604138
                • Opcode ID: e38d5295278d99b5056029b56a11bebf12df74befa9fc15eb85d4031b2d94e8b
                • Instruction ID: 0ab20f77c9fe1196b720eb7317d5d1fabf9f13185edbccd72289c776af0b32f3
                • Opcode Fuzzy Hash: e38d5295278d99b5056029b56a11bebf12df74befa9fc15eb85d4031b2d94e8b
                • Instruction Fuzzy Hash: D9112976688B06BAF7067321DC0BDEB379EDB15328B300116FB05A51E2FFB169415B54
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001B3A9D
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001B3AA0
                • GetWindowLongW.USER32(?,000000F0), ref: 001B3AC7
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001B3AEA
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001B3B62
                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001B3BAC
                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001B3BC7
                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001B3BE2
                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001B3BF6
                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001B3C13
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: 9c050717863f5de75b38418bcf0344b9901d21600784389c398308346d1b2f48
                • Instruction ID: 6c5ceee07a0c64ffd204809d1445898c6330973ddb6e0d81cfce641bb20d6693
                • Opcode Fuzzy Hash: 9c050717863f5de75b38418bcf0344b9901d21600784389c398308346d1b2f48
                • Instruction Fuzzy Hash: 2F617A75A00248AFDB10DFA8CD81EEE77B8EF09704F10019AFA15E72A1D770AE95DB50
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 0018B151
                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0018A1E1,?,00000001), ref: 0018B165
                • GetWindowThreadProcessId.USER32(00000000), ref: 0018B16C
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0018A1E1,?,00000001), ref: 0018B17B
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0018B18D
                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0018A1E1,?,00000001), ref: 0018B1A6
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0018A1E1,?,00000001), ref: 0018B1B8
                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0018A1E1,?,00000001), ref: 0018B1FD
                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0018A1E1,?,00000001), ref: 0018B212
                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0018A1E1,?,00000001), ref: 0018B21D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                • String ID:
                • API String ID: 2156557900-0
                • Opcode ID: 215fc6cdce69dcd730e9219ca4223006ca3884cc3900d5e834c2cb33d71d34ce
                • Instruction ID: d321c7b5cbe6cb8ac88eca528e31e0d27aec2540348417095377f3094162ab2c
                • Opcode Fuzzy Hash: 215fc6cdce69dcd730e9219ca4223006ca3884cc3900d5e834c2cb33d71d34ce
                • Instruction Fuzzy Hash: 8B3182B5504604BFDB10AF64EC88F7DBBAABB51311F104116FA15D6690DBB4AF80CF64
                APIs
                • _free.LIBCMT ref: 00152C94
                  • Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
                  • Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0
                • _free.LIBCMT ref: 00152CA0
                • _free.LIBCMT ref: 00152CAB
                • _free.LIBCMT ref: 00152CB6
                • _free.LIBCMT ref: 00152CC1
                • _free.LIBCMT ref: 00152CCC
                • _free.LIBCMT ref: 00152CD7
                • _free.LIBCMT ref: 00152CE2
                • _free.LIBCMT ref: 00152CED
                • _free.LIBCMT ref: 00152CFB
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 94fab5eed8cb07091c84505a04d406d3daa056668ddc29104005a4410bc6646e
                • Instruction ID: 3e0ebdd482c042881de37bbbab9c6c29cecd096a47f90bda75cc000af9241fda
                • Opcode Fuzzy Hash: 94fab5eed8cb07091c84505a04d406d3daa056668ddc29104005a4410bc6646e
                • Instruction Fuzzy Hash: 5A11B276100118EFCB02EF94D882CDD3BA5BF16355F4144A4FA58AF322DB31EA549B90
                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00121459
                • OleUninitialize.OLE32(?,00000000), ref: 001214F8
                • UnregisterHotKey.USER32(?), ref: 001216DD
                • DestroyWindow.USER32(?), ref: 001624B9
                • FreeLibrary.KERNEL32(?), ref: 0016251E
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0016254B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 469580280-3243417748
                • Opcode ID: 1f15c2f6f177c0ff4fca822ce8e46a6fd224a888c621e78218b41918b3f1cb42
                • Instruction ID: 0b451849ca832008a82932b9ed444118b713dc960e316439d0e80a6cd18850d8
                • Opcode Fuzzy Hash: 1f15c2f6f177c0ff4fca822ce8e46a6fd224a888c621e78218b41918b3f1cb42
                • Instruction Fuzzy Hash: 44D17031701622DFDB29EF14D899A69F7A4BF25700F1542ADE84A6B251DB30ED32CF90
                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001935E4
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • LoadStringW.USER32(001F2390,?,00000FFF,?), ref: 0019360A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LoadString$_wcslen
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 4099089115-2391861430
                • Opcode ID: 86a7cce9f3457f500b86ee37f0048582b73ddca9febf39d8720fd8b776ae1b17
                • Instruction ID: f8cc5bc45fffe920948fb222ce9ae3fae6f9c8c78cbc93b541982a389bcdae7d
                • Opcode Fuzzy Hash: 86a7cce9f3457f500b86ee37f0048582b73ddca9febf39d8720fd8b776ae1b17
                • Instruction Fuzzy Hash: 11514A7180021ABACF15EBE1EC42EEEBB78BF24354F144125F115721A1EB311BA9DFA1
                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001B3925
                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001B393A
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001B3954
                • _wcslen.LIBCMT ref: 001B3999
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 001B39C6
                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 001B39F4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$Window_wcslen
                • String ID: @U=u$SysListView32
                • API String ID: 2147712094-1908207174
                • Opcode ID: b10f36472266a05a09cb5b8da550cab61432e9b5a7e7975e4c50d76e7dd8d7b1
                • Instruction ID: d89d327ffcef15e57ccd27f5289fb096d48b6bec215202c2478d8c774f6d721c
                • Opcode Fuzzy Hash: b10f36472266a05a09cb5b8da550cab61432e9b5a7e7975e4c50d76e7dd8d7b1
                • Instruction Fuzzy Hash: D941A571A00219BBEF219F64CC49FEA7BA9FF18354F100526F968E7291D7B19D90CB90
                APIs
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001B2E1C
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001B2E4F
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001B2E84
                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001B2EB6
                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001B2EE0
                • GetWindowLongW.USER32(00000000,000000F0), ref: 001B2EF1
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001B2F0B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LongWindow$MessageSend
                • String ID: @U=u
                • API String ID: 2178440468-2594219639
                • Opcode ID: d232339f373d29501840ce410b261ef7b15079a6a0aceceff2ddd3cee969708f
                • Instruction ID: 6c7d4cbb1abf67f201b2e5d603abeeed6a1cd6e63df3afffe732c00156672c46
                • Opcode Fuzzy Hash: d232339f373d29501840ce410b261ef7b15079a6a0aceceff2ddd3cee969708f
                • Instruction Fuzzy Hash: 2331FF30604250AFEB218F5ADC84FE537E5FB9A714F1501A4F9008B6B2CBB1E888DB91
                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0019C272
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0019C29A
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0019C2CA
                • GetLastError.KERNEL32 ref: 0019C322
                • SetEvent.KERNEL32(?), ref: 0019C336
                • InternetCloseHandle.WININET(00000000), ref: 0019C341
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                • String ID:
                • API String ID: 3113390036-3916222277
                • Opcode ID: 8c68d4436ea21472b142a84b8478fc20e6529be9a86b1faf5c120c663b3f0ad9
                • Instruction ID: 3d0a95935ef1d5e9b7b2c4bc87e7b03d57c0fe009b9aa712dc247a826b02e6c5
                • Opcode Fuzzy Hash: 8c68d4436ea21472b142a84b8478fc20e6529be9a86b1faf5c120c663b3f0ad9
                • Instruction Fuzzy Hash: 28318EB1600208AFDB219FA4CC88AAB7BFCFB59744F14851EF486D2610DB30DE449BE1
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00163AAF,?,?,Bad directive syntax error,001BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001898BC
                • LoadStringW.USER32(00000000,?,00163AAF,?), ref: 001898C3
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00189987
                Strings
                Similarity
                • API ID: HandleLoadMessageModuleString_wcslen
                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                • API String ID: 858772685-4153970271
                • Opcode ID: c446574e642e4aae5cb0e04935951181b003967bd5c438a844bf2397245a6249
                • Instruction ID: 64e449bd7ee97e88c5c5a24ab51fc82ca66a57f599daf47343ef14215ac1ffcb
                • Opcode Fuzzy Hash: c446574e642e4aae5cb0e04935951181b003967bd5c438a844bf2397245a6249
                • Instruction Fuzzy Hash: F4218D31C0021EBBCF15EF90DC06EEE7775BF28304F084469F515660A2EB719A68DB60
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 27febc42370cfe5041fbdd2bb80c5b880a2deb5c44c36221d28cc4ddf5500f12
                • Instruction ID: e72b5d31b90dc5c5c93123d00e18b0622770a067d4a968b928959273cbc374bb
                • Opcode Fuzzy Hash: 27febc42370cfe5041fbdd2bb80c5b880a2deb5c44c36221d28cc4ddf5500f12
                • Instruction Fuzzy Hash: 24C1F074A04249EFCF11DFA8C845BADBBB4AF19311F044199FC25AB3D2C770994ACB62
                APIs
                Similarity
                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                • String ID:
                • API String ID: 1282221369-0
                • Opcode ID: 99620404ecb10ebbad76a906dae310f7f6448eda7ce93e01b00dddae33e494ee
                • Instruction ID: 3641675d10f4fb6d86d612905520c2cacc26026c2ea826a5119ebc38d100974d
                • Opcode Fuzzy Hash: 99620404ecb10ebbad76a906dae310f7f6448eda7ce93e01b00dddae33e494ee
                • Instruction Fuzzy Hash: 7B612472904310EFDB22AFB4D881A7E7BE5AF16316F04416EFD64AF282D7319949C790
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0019C182
                • GetLastError.KERNEL32 ref: 0019C195
                • SetEvent.KERNEL32(?), ref: 0019C1A9
                  • Part of subcall function 0019C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0019C272
                  • Part of subcall function 0019C253: GetLastError.KERNEL32 ref: 0019C322
                  • Part of subcall function 0019C253: SetEvent.KERNEL32(?), ref: 0019C336
                  • Part of subcall function 0019C253: InternetCloseHandle.WININET(00000000), ref: 0019C341
                Similarity
                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                • String ID:
                • API String ID: 337547030-0
                • Opcode ID: 5b4d348c1eb24d0c9172c4caa48ed83bbee5633fd708ebb7882f15e814bc3989
                • Instruction ID: 06b5beb1df521952a2515cc4d96bf060c555ba3c95808232a66bc289abd0f232
                • Opcode Fuzzy Hash: 5b4d348c1eb24d0c9172c4caa48ed83bbee5633fd708ebb7882f15e814bc3989
                • Instruction Fuzzy Hash: 3E319C71200701EFDF259FA5DC44A66BBF9FF68700B14452DF99682A20DB30E854DBE0
                APIs
                  • Part of subcall function 00183A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00183A57
                  • Part of subcall function 00183A3D: GetCurrentThreadId.KERNEL32 ref: 00183A5E
                  • Part of subcall function 00183A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001825B3), ref: 00183A65
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 001825BD
                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001825DB
                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001825DF
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 001825E9
                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00182601
                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00182605
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 0018260F
                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00182623
                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00182627
                Similarity
                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                • String ID:
                • API String ID: 2014098862-0
                • Opcode ID: 176e1bd5071e62eccfb465eec189e82091ff87afd4978b784f03ac558af5f572
                • Instruction ID: 1aec96ee07a776cf76640a874374f54ff031e1d0f0e5c3d348ba0ebbaa869dd5
                • Opcode Fuzzy Hash: 176e1bd5071e62eccfb465eec189e82091ff87afd4978b784f03ac558af5f572
                • Instruction Fuzzy Hash: F501D470390610BBFB107768DC8AF993F59DB5EB12F100102F368AF1D1CAF225848EA9
                APIs
                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00181449,?,?,00000000), ref: 0018180C
                • HeapAlloc.KERNEL32(00000000,?,00181449,?,?,00000000), ref: 00181813
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00181449,?,?,00000000), ref: 00181828
                • GetCurrentProcess.KERNEL32(?,00000000,?,00181449,?,?,00000000), ref: 00181830
                • DuplicateHandle.KERNEL32(00000000,?,00181449,?,?,00000000), ref: 00181833
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00181449,?,?,00000000), ref: 00181843
                • GetCurrentProcess.KERNEL32(00181449,00000000,?,00181449,?,?,00000000), ref: 0018184B
                • DuplicateHandle.KERNEL32(00000000,?,00181449,?,?,00000000), ref: 0018184E
                • CreateThread.KERNEL32(00000000,00000000,00181874,00000000,00000000,00000000), ref: 00181868
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                • Opcode ID: 6c5ae66697c3b0a0813f849eb2c3bea850f85537ab6b648083b5969f7171f169
                • Instruction ID: c614394d5911d13a38e82b80723e496d44e72fbee17f07cf7199c3dd7fd6286a
                • Opcode Fuzzy Hash: 6c5ae66697c3b0a0813f849eb2c3bea850f85537ab6b648083b5969f7171f169
                • Instruction Fuzzy Hash: D301ACB5240304FFE610AFA5DC49F573BACEB89B11F404511FA05EB5A1C67098408B60
                APIs
                  • Part of subcall function 0018D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0018D501
                  • Part of subcall function 0018D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0018D50F
                  • Part of subcall function 0018D4DC: CloseHandle.KERNEL32(00000000), ref: 0018D5DC
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001AA16D
                • GetLastError.KERNEL32 ref: 001AA180
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001AA1B3
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 001AA268
                • GetLastError.KERNEL32(00000000), ref: 001AA273
                • CloseHandle.KERNEL32(00000000), ref: 001AA2C4
                Strings
                Similarity
                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                • String ID: SeDebugPrivilege
                • API String ID: 2533919879-2896544425
                • Opcode ID: adc4c23daab67ce5494ee6d720eab1bf2e5a990b060b14b73f430af06fa6b008
                • Instruction ID: 1503cbd45dfc430195a59205008f046c8e1463122b4d8d16faac2027a299992c
                • Opcode Fuzzy Hash: adc4c23daab67ce5494ee6d720eab1bf2e5a990b060b14b73f430af06fa6b008
                • Instruction Fuzzy Hash: F461A034204242AFD720DF18D494F2ABBE1AF55318F54849DE4668BBA3C772ED49CBD2
                APIs
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0018BCFD
                • IsMenu.USER32(00000000), ref: 0018BD1D
                • CreatePopupMenu.USER32 ref: 0018BD53
                • GetMenuItemCount.USER32(018A63B8), ref: 0018BDA4
                • InsertMenuItemW.USER32(018A63B8,?,00000001,00000030), ref: 0018BDCC
                Strings
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup
                • String ID: 0$2
                • API String ID: 93392585-3793063076
                • Opcode ID: 4ac2a96edec609bcc727d418ab338cafd78a454806c08aadb4f941fc81056a6d
                • Instruction ID: ccb46beee5bfe436cb29d95b99e1f5a70cd7b8a9dc46b8a660132e72891cb956
                • Opcode Fuzzy Hash: 4ac2a96edec609bcc727d418ab338cafd78a454806c08aadb4f941fc81056a6d
                • Instruction Fuzzy Hash: 31519E70A08205ABDB20EFE8D8C4BAEBBF4AF55318F144319E451972A1D7709A45CF61
                APIs
                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0017F3AB,00000000,?,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 001B824C
                • EnableWindow.USER32(00000000,00000000), ref: 001B8272
                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 001B82D1
                • ShowWindow.USER32(00000000,00000004), ref: 001B82E5
                • EnableWindow.USER32(00000000,00000001), ref: 001B830B
                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001B832F
                Strings
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID: @U=u
                • API String ID: 642888154-2594219639
                • Opcode ID: 7177cf7dc8edc38fbdaf00c92862c478dad43b95ca9c9f7b5f0a03ac989c6143
                • Instruction ID: fd63c38b2c943bd87d0ae20526e655cefc61d09da52d715170d4dd8ab0a19b81
                • Opcode Fuzzy Hash: 7177cf7dc8edc38fbdaf00c92862c478dad43b95ca9c9f7b5f0a03ac989c6143
                • Instruction Fuzzy Hash: F3419434601644EFDB11DF15C899BE47BF5BB1AB14F1852A9E5084F672CB71AC81CB90
                APIs
                • IsWindowVisible.USER32(?), ref: 00184C95
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00184CB2
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00184CEA
                • _wcslen.LIBCMT ref: 00184D08
                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00184D10
                • _wcsstr.LIBVCRUNTIME ref: 00184D1A
                Strings
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                • String ID: @U=u
                • API String ID: 72514467-2594219639
                • Opcode ID: 3229b2a23b6f0d4112797505ea71b82b67e8dbeecd34295886a4243f32539229
                • Instruction ID: be9e2633402f4d26521169cb82cedf003621669d6f8bf2ecb1b1d131ca0822ee
                • Opcode Fuzzy Hash: 3229b2a23b6f0d4112797505ea71b82b67e8dbeecd34295886a4243f32539229
                • Instruction Fuzzy Hash: 31216832604201BBEB156B79EC49EBB7B9CDF59750F10813EF809CA291EF60CD418BA0
                APIs
                • LoadIconW.USER32(00000000,00007F03), ref: 0018C913
                Strings
                Similarity
                • API ID: IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2457776203-404129466
                • Opcode ID: a585bbe0b5f6c9d2309572c5db1076678067cb7b0078a295dec10599d5a0db8b
                • Instruction ID: ef30db56b92468008dff9a89eb80bde28c1b4a976cf1d01156096260296418a4
                • Opcode Fuzzy Hash: a585bbe0b5f6c9d2309572c5db1076678067cb7b0078a295dec10599d5a0db8b
                • Instruction Fuzzy Hash: F7115B31A89B06BBE7047B109C83DAE339CDF25368B61006FF500A6282E7745F405BF5
                APIs
                • GetClientRect.USER32(?), ref: 00177452
                • SendMessageW.USER32(?,00001328,00000000,?), ref: 00177469
                • GetWindowDC.USER32(?), ref: 00177475
                • GetPixel.GDI32(00000000,?,?), ref: 00177484
                • ReleaseDC.USER32(?,00000000), ref: 00177496
                • GetSysColor.USER32(00000005), ref: 001774B0
                Strings
                Similarity
                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                • String ID: @U=u
                • API String ID: 272304278-2594219639
                • Opcode ID: 55013c55806cff73275028477f73356bf5f89b29a019e48cdec02ad072d5fa5e
                • Instruction ID: ce8e6a0bf750ef71392e4d87b9828430ad65bd1dceb725d0d6c5edb70ed34583
                • Opcode Fuzzy Hash: 55013c55806cff73275028477f73356bf5f89b29a019e48cdec02ad072d5fa5e
                • Instruction Fuzzy Hash: 40014B31500215EFDB515F64DC08FEABBB6FB04321F514264F91AA25A1CB311E91EB90
                APIs
                Similarity
                • API ID: _wcslen$LocalTime
                • String ID:
                • API String ID: 952045576-0
                • Opcode ID: 99ad88c685b92c906161a3196ae2c671ebc3610d8bc6785da650bcdef6d86b19
                • Instruction ID: 3529a9db8a5f48c746a3cd6ac99ee9f00e85527cca843f39e134f8c718cc617c
                • Opcode Fuzzy Hash: 99ad88c685b92c906161a3196ae2c671ebc3610d8bc6785da650bcdef6d86b19
                • Instruction Fuzzy Hash: 20418D65C1021876CB11FBF4C88AADFB7A8AF55710F508562E518E3122EB34E356C7A6
                APIs
                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 0013F953
                • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 0017F3D1
                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0017682C,00000004,00000000,00000000), ref: 0017F454
                Similarity
                • API ID: ShowWindow
                • String ID:
                • API String ID: 1268545403-0
                • Opcode ID: 64799ff2638b5475c076af817abad68f860323b0d77a95cd12030801374039cf
                • Instruction ID: 00be9d804179fe2323b937159a676fddcf2c26199082bf9c9ff098d5463a7403
                • Opcode Fuzzy Hash: 64799ff2638b5475c076af817abad68f860323b0d77a95cd12030801374039cf
                • Instruction Fuzzy Hash: 7E41DA31A08640FBD7399B29888877B7BA2BB56328F15853CF04B56A61D772A8C3C751
                APIs
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: cdd739d17407bf104862cae28731c0475ae518ed15e89e6936ef72364d1448f8
                • Instruction ID: a9a31faa9b24f5a2beaecf2115ee520707d39cbc6eb92204eb390f2470096ede
                • Opcode Fuzzy Hash: cdd739d17407bf104862cae28731c0475ae518ed15e89e6936ef72364d1448f8
                • Instruction Fuzzy Hash: 3121A761650A0977D7187920CE82FFA375FFF20394FA44024FD049A581F721EF518BA5
                Strings
                Similarity
                • API ID:
                • String ID: NULL Pointer assignment$Not an Object type
                • API String ID: 0-572801152
                • Opcode ID: 915e5b24cbeaf0a0da211dfcde5a069f3a7d595cef62fff1a92dea14a2c64db9
                • Instruction ID: 9e4df753db8df8e3b31a5cd9b42c17350f472f36644424104dfceda2c1549c7b
                • Opcode Fuzzy Hash: 915e5b24cbeaf0a0da211dfcde5a069f3a7d595cef62fff1a92dea14a2c64db9
                • Instruction Fuzzy Hash: CFD1D479A0460AAFDF14CFA8C880BAEB7B6FF49344F158069F915AB281D770DD45CB90
                APIs
                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001615CE
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00161651
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001617FB,?,001617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001616E4
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001616FB
                  • Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00161777
                • __freea.LIBCMT ref: 001617A2
                • __freea.LIBCMT ref: 001617AE
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                • String ID:
                • API String ID: 2829977744-0
                • Opcode ID: a791097c9a1fa0b75b1baef5c8385e090dae8768e5e8b5a3bfe6ee5aec96019d
                • Instruction ID: a3a932f143ebb9e3da5e3e60e3ba04017b00e5958a5cd144d50bde62725f7514
                • Opcode Fuzzy Hash: a791097c9a1fa0b75b1baef5c8385e090dae8768e5e8b5a3bfe6ee5aec96019d
                • Instruction Fuzzy Hash: 8591D372E00216BADB248EB4CC91AEEBBB5AF49310F1C4659E902E7190DB35CD54CBA0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Variant$ClearInit
                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 2610073882-625585964
                • Opcode ID: 10701bcc1df9fbf0512d2e66a5be2bf3643351f3c812ca3620ee22802788cf3a
                • Instruction ID: ec4e6a3cda8f17a17db68ee718ef256940582fbc1cd0b1899e8028e3d41bf01c
                • Opcode Fuzzy Hash: 10701bcc1df9fbf0512d2e66a5be2bf3643351f3c812ca3620ee22802788cf3a
                • Instruction Fuzzy Hash: 6191AF75E00219AFDF24CFA5D884FAEBBB8EF86710F108559F505AB281D7B09945CFA0
                APIs
                • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0019125C
                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00191284
                • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001912A8
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001912D8
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0019135F
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001913C4
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00191430
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ArraySafe$Data$Access$UnaccessVartype
                • String ID:
                • API String ID: 2550207440-0
                • Opcode ID: 0f5b45d8ef208ce5fde09af61ae06be317d7716ba4ea238c65d2e90aabbb99e6
                • Instruction ID: 40af2da8e853c9515507d4014bb218170a0530a4e8d9582a77ed25b6c2086453
                • Opcode Fuzzy Hash: 0f5b45d8ef208ce5fde09af61ae06be317d7716ba4ea238c65d2e90aabbb99e6
                • Instruction Fuzzy Hash: 7491D575A0021AAFDF01DFA4C885BFE77B5FF58315F214429E900EB291D774A981CB90
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                • Opcode ID: 7027363f0d21061e12eb7fedad9b5f79d7db63f01305ce992eaec08bfc8ee2e5
                • Instruction ID: fca4a5ae4e7df87a2559b7ea56b13d814507ca4daf858a46563bc4530f7d4bd2
                • Opcode Fuzzy Hash: 7027363f0d21061e12eb7fedad9b5f79d7db63f01305ce992eaec08bfc8ee2e5
                • Instruction Fuzzy Hash: 6E911571E00219EFCB15CFA9C884AEEBBB8FF49320F148556E515B7291D374A981CBA0
                APIs
                • VariantInit.OLEAUT32(?), ref: 001A396B
                • CharUpperBuffW.USER32(?,?), ref: 001A3A7A
                • _wcslen.LIBCMT ref: 001A3A8A
                • VariantClear.OLEAUT32(?), ref: 001A3C1F
                  • Part of subcall function 00190CDF: VariantInit.OLEAUT32(00000000), ref: 00190D1F
                  • Part of subcall function 00190CDF: VariantCopy.OLEAUT32(?,?), ref: 00190D28
                  • Part of subcall function 00190CDF: VariantClear.OLEAUT32(?), ref: 00190D34
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                • API String ID: 4137639002-1221869570
                • Opcode ID: a15eb0779a3466895922eed1daedb941381ce7af18777534a62a146a039d8c32
                • Instruction ID: 747473b1a5845334df67402663a7d9e0de8806859098ef3eda87e0d552c6ea09
                • Opcode Fuzzy Hash: a15eb0779a3466895922eed1daedb941381ce7af18777534a62a146a039d8c32
                • Instruction Fuzzy Hash: A8917A796083059FC704DF28D480A6AB7E5FF9A314F14892DF89A9B351DB30EE45CB92
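The "String ID" fields in the records around this one (AUTOIT.ERROR, Incorrect Parameter format, NULL Pointer assignment, Not an Object type, and the two FOR..IN loop messages) are error strings of the AutoIt3 interpreter, and a cluster of them in an image or memory dump is a quick way to recognise the AutoIt runtime before looking at any individual function. The following Python triage check is an added example, not Joe Sandbox code: it scans a buffer for exactly those strings in both ASCII and UTF-16LE (the AutoIt3 runtime is Unicode, so the wide form is expected; checking both encodings is an assumption) and reports the offsets. The sample buffer is constructed for the example.

```python
"""Scan a buffer for AutoIt3 interpreter error strings (added example, not
Joe Sandbox code). The string set is taken from the 'String ID' fields of this
report; the scan logic and SAMPLE below are constructed for illustration."""
import re

# Interpreter error strings that appear in the function records of this report.
AUTOIT_STRINGS = (
    "AUTOIT.ERROR",
    "Incorrect Parameter format",
    "NULL Pointer assignment",
    "Not an Object type",
    "Incorrect Object type in FOR..IN loop",
    "Null Object assignment in FOR..IN loop",
)

# Assumption: strings may be stored narrow or wide, so both encodings are tried.
ENCODINGS = ("ascii", "utf-16-le")


def find_autoit_strings(data: bytes) -> dict:
    """Return {string: [(offset, encoding), ...]} for every interpreter string
    found in `data`, searching each string in every encoding in ENCODINGS."""
    hits = {}
    for s in AUTOIT_STRINGS:
        for enc in ENCODINGS:
            needle = re.escape(s.encode(enc))
            for m in re.finditer(needle, data):
                hits.setdefault(s, []).append((m.start(), enc))
    return hits


def likely_autoit(data: bytes, threshold: int = 3) -> bool:
    """True when at least `threshold` distinct interpreter strings are present.
    A single match is weak evidence; several together are characteristic."""
    return len(find_autoit_strings(data)) >= threshold


# Constructed sample: a fake image header, one wide string, one narrow string,
# and a second wide string, separated by padding.
SAMPLE = (
    b"MZ" + b"\x00" * 64                                   # offset 0x00..0x41
    + "NULL Pointer assignment".encode("utf-16-le")        # offset 0x42 (66)
    + b"\x00" * 16
    + b"Incorrect Parameter format"                        # offset 0x80 (128)
    + b"\x00" * 8
    + "AUTOIT.ERROR".encode("utf-16-le")                   # offset 0xA2 (162)
)

if __name__ == "__main__":
    for s, locs in sorted(find_autoit_strings(SAMPLE).items()):
        for off, enc in locs:
            print(f"{off:#010x} {enc:<9} {s}")
    print("likely AutoIt runtime:", likely_autoit(SAMPLE))
```

Run the same function over a raw memory dump (the `.sdmp` files referenced in each record) rather than the on-disk sample when the script body is packed: the interpreter strings belong to the AutoIt runtime stub, so they survive in the unpacked process image even when the compiled script payload itself is compressed.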
                APIs
                  • Part of subcall function 0018000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?,?,0018035E), ref: 0018002B
                  • Part of subcall function 0018000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180046
                  • Part of subcall function 0018000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180054
                  • Part of subcall function 0018000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?), ref: 00180064
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001A4C51
                • _wcslen.LIBCMT ref: 001A4D59
                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001A4DCF
                • CoTaskMemFree.OLE32(?), ref: 001A4DDA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                • String ID: NULL Pointer assignment
                • API String ID: 614568839-2785691316
                • Opcode ID: 948eb440bc82906a79b55f1f9f8c32add107081d777e43176f8392c239af14dc
                • Instruction ID: 3adb6099d40e7564aefa1c49aa7c9a756a6510938ab6de7faddc7e746aa9f7fe
                • Opcode Fuzzy Hash: 948eb440bc82906a79b55f1f9f8c32add107081d777e43176f8392c239af14dc
                • Instruction Fuzzy Hash: 38914871D0022DEFDF14DFA4D880AEEB7B8BF59310F108169E915AB251EB749A54CFA0
                APIs
                • GetMenu.USER32(?), ref: 001B2183
                • GetMenuItemCount.USER32(00000000), ref: 001B21B5
                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001B21DD
                • _wcslen.LIBCMT ref: 001B2213
                • GetMenuItemID.USER32(?,?), ref: 001B224D
                • GetSubMenu.USER32(?,?), ref: 001B225B
                  • Part of subcall function 00183A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00183A57
                  • Part of subcall function 00183A3D: GetCurrentThreadId.KERNEL32 ref: 00183A5E
                  • Part of subcall function 00183A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001825B3), ref: 00183A65
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001B22E3
                  • Part of subcall function 0018E97B: Sleep.KERNEL32 ref: 0018E9F3
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                • String ID:
                • API String ID: 4196846111-0
                • Opcode ID: b4937a28af8cfdf01098e6d11d4736f76f4ea5211795579fbedd6e0db89e3ab9
                • Instruction ID: 6b903899412b4a61acf76e65758603397dbea47e5bb6b264659c66eba8983687
                • Opcode Fuzzy Hash: b4937a28af8cfdf01098e6d11d4736f76f4ea5211795579fbedd6e0db89e3ab9
                • Instruction Fuzzy Hash: B4719F75E00215AFCB14EF68C885AEEB7F1EF48310F158499E916EB351D734EE468B90
                APIs
                • GetParent.USER32(?), ref: 0018AEF9
                • GetKeyboardState.USER32(?), ref: 0018AF0E
                • SetKeyboardState.USER32(?), ref: 0018AF6F
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 0018AF9D
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 0018AFBC
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 0018AFFD
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0018B020
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 917bc83e21fffd14f8f0e2c4be1ab4e5ac1adbd624e99211eb834ad2c9585186
                • Instruction ID: 25bfa5f93ae3c7292b1810cf17c2ffee43b69d7bde47d9de322c1248e15a3ed3
                • Opcode Fuzzy Hash: 917bc83e21fffd14f8f0e2c4be1ab4e5ac1adbd624e99211eb834ad2c9585186
                • Instruction Fuzzy Hash: B351E5A06087D53EFB3662348C85BBBBFA95F06304F08858AF2D5558C2D3D8AED4DB51
                APIs
                • GetParent.USER32(00000000), ref: 0018AD19
                • GetKeyboardState.USER32(?), ref: 0018AD2E
                • SetKeyboardState.USER32(?), ref: 0018AD8F
                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0018ADBB
                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0018ADD8
                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0018AE17
                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0018AE38
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: c418834f41e9c17b6c3214bfd540922c2f88fae57dd6fd3a2fc3a43a1f2c729b
                • Instruction ID: 948f0a14b85165900ac082078c2be6dd4ff6a8f37a249ecd8467cad166c76c5d
                • Opcode Fuzzy Hash: c418834f41e9c17b6c3214bfd540922c2f88fae57dd6fd3a2fc3a43a1f2c729b
                • Instruction Fuzzy Hash: 9F5139A05087D13EFB33A3748C95B7ABFA95F05301F48898AE1D5868C3D394EE84DB52
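The two records above are the interesting pair in this stretch of the listing: each reads the keyboard state, rewrites it, and then posts four messages to a window, one per modifier key. Read as Win32 constants, message 0x100 is WM_KEYDOWN and 0x101 is WM_KEYUP, and the wParam values 0x10, 0x11, 0x12 and 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN, so one function presses all four modifiers and the other releases them, which is consistent with synthetic keystroke injection into another window. The Python below is an added example, not Joe Sandbox code: a small parser for the report's API-call line format (`Function.MODULE(arg,arg,...), ref: address`) plus a decoder that names the message and key constants. It assumes the report prints arguments in hexadecimal, as the `ref:` addresses are; the input lines are copied from the two records above.

```python
"""Parse Joe Sandbox API-call entries and decode the key-injection messages
(added example, not Joe Sandbox code). Assumption: arguments are printed as
hexadecimal, '?' marks an unresolved argument."""
import re

# Win32 constants used by the two functions above (Windows SDK values).
WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Function.MODULE, optional "(args)", optional ", ref: ADDR" / " ref: ADDR".
LINE_RE = re.compile(
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,? ref: (?P<ref>[0-9A-Fa-f]+))?"
)


def parse_api_line(line: str) -> dict:
    """Split one report entry into function, module, argument list and ref
    address. Hex arguments become ints, '?' becomes None."""
    m = LINE_RE.search(line.strip().lstrip("• ").strip())
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    args = []
    if m.group("args"):
        for raw in m.group("args").split(","):
            raw = raw.strip()
            args.append(None if raw == "?" else int(raw, 16))
    ref = int(m.group("ref"), 16) if m.group("ref") else None
    return {"func": m.group("func"), "module": m.group("module"),
            "args": args, "ref": ref}


def decode_key_messages(lines) -> list:
    """Return (message name, key name) for every PostMessageW entry whose
    message is a known keyboard message; other entries are skipped."""
    out = []
    for line in lines:
        entry = parse_api_line(line)
        if entry["func"] != "PostMessageW" or len(entry["args"]) < 3:
            continue
        msg, wparam = entry["args"][1], entry["args"][2]
        if msg not in WM_NAMES or wparam is None:
            continue
        out.append((WM_NAMES[msg], VK_NAMES.get(wparam, f"VK_{wparam:#04x}")))
    return out


# Entries copied from the WM_KEYDOWN record above (ref 0018AD19..0018AE38).
KEYDOWN_LINES = [
    "• GetParent.USER32(00000000), ref: 0018AD19",
    "• GetKeyboardState.USER32(?), ref: 0018AD2E",
    "• SetKeyboardState.USER32(?), ref: 0018AD8F",
    "• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0018ADBB",
    "• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0018ADD8",
    "• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0018AE17",
    "• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0018AE38",
]

# Entries copied from the WM_KEYUP record above (ref 0018AEF9..0018B020).
KEYUP_LINES = [
    "• GetParent.USER32(?), ref: 0018AEF9",
    "• PostMessageW.USER32(?,00000101,00000010,?), ref: 0018AF9D",
    "• PostMessageW.USER32(?,00000101,00000011,?), ref: 0018AFBC",
    "• PostMessageW.USER32(?,00000101,00000012,?), ref: 0018AFFD",
    "• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0018B020",
]

if __name__ == "__main__":
    for label, lines in (("press", KEYDOWN_LINES), ("release", KEYUP_LINES)):
        print(label, decode_key_messages(lines))
```

The parser also copes with entries that carry no argument list (`Sleep.KERNEL32 ref: 0018E9F3`) and with negative hex arguments such as `-C000001E` elsewhere in the listing, so it can be pointed at a whole "APIs" section rather than hand-picked lines.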
                APIs
                • GetConsoleCP.KERNEL32(00163CD6,?,?,?,?,?,?,?,?,00155BA3,?,?,00163CD6,?,?), ref: 00155470
                • __fassign.LIBCMT ref: 001554EB
                • __fassign.LIBCMT ref: 00155506
                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00163CD6,00000005,00000000,00000000), ref: 0015552C
                • WriteFile.KERNEL32(?,00163CD6,00000000,00155BA3,00000000,?,?,?,?,?,?,?,?,?,00155BA3,?), ref: 0015554B
                • WriteFile.KERNEL32(?,?,00000001,00155BA3,00000000,?,?,?,?,?,?,?,?,?,00155BA3,?), ref: 00155584
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: bbdad29df02d9aec2db05dd0543b1cd83e91a4476133fef8cd31efc8a9797361
                • Instruction ID: ab96d062a85c9f0434c2bb888d7b29286ba902780e430355093cf737deb3d6dd
                • Opcode Fuzzy Hash: bbdad29df02d9aec2db05dd0543b1cd83e91a4476133fef8cd31efc8a9797361
                • Instruction Fuzzy Hash: E751E670910649DFDB11CFA8D855AEEBBFAEF08301F14411AF965EB291E7309A45CB60
                APIs
                • SetWindowLongW.USER32(00000002,000000F0,?), ref: 001B6C33
                • SetWindowLongW.USER32(?,000000EC,?), ref: 001B6C4A
                • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001B6C73
                • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0019AB79,00000000,00000000), ref: 001B6C98
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001B6CC7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$Long$MessageSendShow
                • String ID: @U=u
                • API String ID: 3688381893-2594219639
                • Opcode ID: ce053e0144875691246ec997e93539c2e12a34c352006208e31f013cd9d4941c
                • Instruction ID: e35679da99e9c8d664bee9d754d59fe077e09f004a6ac656e89997e609a382f9
                • Opcode Fuzzy Hash: ce053e0144875691246ec997e93539c2e12a34c352006208e31f013cd9d4941c
                • Instruction Fuzzy Hash: 2841D135A04104AFDB24CF28CD58FF97FA5EB1A360F150268F999A72E0C375ED41DA90
                APIs
                • _ValidateLocalCookies.LIBCMT ref: 00142D4B
                • ___except_validate_context_record.LIBVCRUNTIME ref: 00142D53
                • _ValidateLocalCookies.LIBCMT ref: 00142DE1
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00142E0C
                • _ValidateLocalCookies.LIBCMT ref: 00142E61
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: 3593844589f5a66b89b589028d8864dccd90e6119be9247ffaa470c88c01e3d5
                • Instruction ID: 4a9a7846cae8b60cf21fd722c3fce8a1fae9bc72a7df017002df6112bf82ea57
                • Opcode Fuzzy Hash: 3593844589f5a66b89b589028d8864dccd90e6119be9247ffaa470c88c01e3d5
                • Instruction Fuzzy Hash: 5F41AF34E00209EBCF14DFA8C885A9EBBB5BF44324F548155F915AB3A2D731AA81CBD0
                APIs
                  • Part of subcall function 001A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001A307A
                  • Part of subcall function 001A304E: _wcslen.LIBCMT ref: 001A309B
                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001A1112
                • WSAGetLastError.WSOCK32 ref: 001A1121
                • WSAGetLastError.WSOCK32 ref: 001A11C9
                • closesocket.WSOCK32(00000000), ref: 001A11F9
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                • String ID:
                • API String ID: 2675159561-0
                • Opcode ID: 137aebdd1107c76891937d2dc93038a34c331395341b3d4b9631697355b8c976
                • Instruction ID: d045045aa6dc74b4fe44ceae96a455a6e937675e73d8ceee13f025da83e7ac40
                • Opcode Fuzzy Hash: 137aebdd1107c76891937d2dc93038a34c331395341b3d4b9631697355b8c976
                • Instruction Fuzzy Hash: 43410639600214AFDB109F24D884BAABBEAFF46364F148159FD159F292D770ED81CBE1
                APIs
                  • Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0018CF22,?), ref: 0018DDFD
                  • Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0018CF22,?), ref: 0018DE16
                • lstrcmpiW.KERNEL32(?,?), ref: 0018CF45
                • MoveFileW.KERNEL32(?,?), ref: 0018CF7F
                • _wcslen.LIBCMT ref: 0018D005
                • _wcslen.LIBCMT ref: 0018D01B
                • SHFileOperationW.SHELL32(?), ref: 0018D061
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                • String ID: \*.*
                • API String ID: 3164238972-1173974218
                • Opcode ID: 2d0bc137b997a6282b1ace8e36585fb53c48347988749031d07c22f541bfa854
                • Instruction ID: 6fd58ab052d8b973c5cafdc9eb0c1a7289245b0747ae75d09b8d565eede758c5
                • Opcode Fuzzy Hash: 2d0bc137b997a6282b1ace8e36585fb53c48347988749031d07c22f541bfa854
                • Instruction Fuzzy Hash: FD4115719452185FDF16FBA4D981EDEB7B9AF18380F1000E6E605EB151EB34A785CF50
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00187769
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0018778F
                • SysAllocString.OLEAUT32(00000000), ref: 00187792
                • SysAllocString.OLEAUT32(?), ref: 001877B0
                • SysFreeString.OLEAUT32(?), ref: 001877B9
                • StringFromGUID2.OLE32(?,?,00000028), ref: 001877DE
                • SysAllocString.OLEAUT32(?), ref: 001877EC
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                • Opcode ID: 93d05664dafea2630b8d6a1be09b7d7346fe04162568974b7c4fb113222c3be7
                • Instruction ID: e580de2a8a18c671dc98f874d4ed7c81e9bc570f25a9e2aa84881e4424c6a1b4
                • Opcode Fuzzy Hash: 93d05664dafea2630b8d6a1be09b7d7346fe04162568974b7c4fb113222c3be7
                • Instruction Fuzzy Hash: 14219276604219AFDB10EFA8CC88CBB77ACEB09764B148525F915DB190D770DE81CBA0
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00187842
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00187868
                • SysAllocString.OLEAUT32(00000000), ref: 0018786B
                • SysAllocString.OLEAUT32 ref: 0018788C
                • SysFreeString.OLEAUT32 ref: 00187895
                • StringFromGUID2.OLE32(?,?,00000028), ref: 001878AF
                • SysAllocString.OLEAUT32(?), ref: 001878BD
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                • Opcode ID: c3338988d783bf04256ea2e2b3a1845973346f988117e60ba9c4fa30fd005286
                • Instruction ID: 22d367d5c33455213b40486857c27c2b7bc7ec721769fffd93c852d26266719e
                • Opcode Fuzzy Hash: c3338988d783bf04256ea2e2b3a1845973346f988117e60ba9c4fa30fd005286
                • Instruction Fuzzy Hash: BB217131608204AFDB10AFA8DC88DAA77ECEB09760B208125F915CB2A1DB70DD81CF74
                APIs
                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 001B5745
                • SendMessageW.USER32(?,00001074,?,00000001), ref: 001B579D
                • _wcslen.LIBCMT ref: 001B57AF
                • _wcslen.LIBCMT ref: 001B57BA
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001B5816
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$_wcslen
                • String ID: @U=u
                • API String ID: 763830540-2594219639
                • Opcode ID: 1b7fe54324ee262a8513095f2a036cff4070b20cf2d8a69f805b10796685e8c7
                • Instruction ID: 9dcbb9f436191895af41aa5cd7b0c3c649cc1fd6d222e64f1080c1343f32b2df
                • Opcode Fuzzy Hash: 1b7fe54324ee262a8513095f2a036cff4070b20cf2d8a69f805b10796685e8c7
                • Instruction Fuzzy Hash: 09217E71A04618EADB209FA0CC85BEE7BB9FF14724F108216E929EB1C0E7708985CF50
                APIs
                • GetStdHandle.KERNEL32(0000000C), ref: 001904F2
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0019052E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateHandlePipe
                • String ID: nul
                • API String ID: 1424370930-2873401336
                • Opcode ID: ca7bf62e84a86eb41e0a4d168278f4634efbe4ab5aa6354c0dd5516fa7852a86
                • Instruction ID: 11889f68059d38d390d3b590c6702a89b43f7722a6c42bea23d123e8df335a35
                • Opcode Fuzzy Hash: ca7bf62e84a86eb41e0a4d168278f4634efbe4ab5aa6354c0dd5516fa7852a86
                • Instruction Fuzzy Hash: B3218B71500305AFEF219F29DC04A9A7BF8BF49764F614A29F8A1E72E0D7709980CF60
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 001905C6
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00190601
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateHandlePipe
                • String ID: nul
                • API String ID: 1424370930-2873401336
                • Opcode ID: dadf52c813f0b5b9543026318bb78d30644b058b3dfa805713ca1aa774191904
                • Instruction ID: 0a1881bce82654660384283f987574854d32376496904aba3074be8b8ec697e3
                • Opcode Fuzzy Hash: dadf52c813f0b5b9543026318bb78d30644b058b3dfa805713ca1aa774191904
                • Instruction Fuzzy Hash: 042174755003059FDF219F69DC04A9A77E8BF99734F200B19F8A1E72E0E77099A0CB60
                APIs
                  • Part of subcall function 0012600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0012604C
                  • Part of subcall function 0012600E: GetStockObject.GDI32(00000011), ref: 00126060
                  • Part of subcall function 0012600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0012606A
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001B4112
                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001B411F
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001B412A
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001B4139
                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001B4145
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$CreateObjectStockWindow
                • String ID: Msctls_Progress32
                • API String ID: 1025951953-3636473452
                • Opcode ID: ad6279d2b22c979827253ff6366bf092a32b05c11a1b480cb9dedc26476d2754
                • Instruction ID: 17df6ac10dcb9dbeb9257bfda7c7148893843efdae67f113fa7112e0b9363be4
                • Opcode Fuzzy Hash: ad6279d2b22c979827253ff6366bf092a32b05c11a1b480cb9dedc26476d2754
                • Instruction Fuzzy Hash: E711B2B2150219BFEF119F64CC85EE77F5DEF18798F018111FA18A2190C7729C61DBA4
                APIs
                  • Part of subcall function 0015D7A3: _free.LIBCMT ref: 0015D7CC
                • _free.LIBCMT ref: 0015D82D
                  • Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
                  • Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0
                • _free.LIBCMT ref: 0015D838
                • _free.LIBCMT ref: 0015D843
                • _free.LIBCMT ref: 0015D897
                • _free.LIBCMT ref: 0015D8A2
                • _free.LIBCMT ref: 0015D8AD
                • _free.LIBCMT ref: 0015D8B8
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                • Instruction ID: 57dab20c191dc67da4e25a37c06dcb936870d57c6e2b1a25bce7aa4ba6dcf975
                • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                • Instruction Fuzzy Hash: 1B118C32540B04EAD531BFF0DC06FCB7B9CAF29306F400824FAA9AE992CBB4A5094751
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0018DA74
                • LoadStringW.USER32(00000000), ref: 0018DA7B
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0018DA91
                • LoadStringW.USER32(00000000), ref: 0018DA98
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0018DADC
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 0018DAB9
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message
                • String ID: %s (%d) : ==> %s: %s %s
                • API String ID: 4072794657-3128320259
                • Opcode ID: 74f762a243490af3e21926f95c287bd2717c1ce74ff5ac60a253b49c4bec9b6c
                • Instruction ID: faa68229d9e949691d7b8ccac6b11c3858ffae2a420edfa4155c95c3bd6bb719
                • Opcode Fuzzy Hash: 74f762a243490af3e21926f95c287bd2717c1ce74ff5ac60a253b49c4bec9b6c
                • Instruction Fuzzy Hash: 690112F6900208BFE711ABA4DD89EEB776CE708701F404595B746E2081EB749E848FB5
                APIs
                • InterlockedExchange.KERNEL32(0189F2A0,0189F2A0), ref: 0019097B
                • EnterCriticalSection.KERNEL32(0189F280,00000000), ref: 0019098D
                • TerminateThread.KERNEL32(00000000,000001F6), ref: 0019099B
                • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001909A9
                • CloseHandle.KERNEL32(00000000), ref: 001909B8
                • InterlockedExchange.KERNEL32(0189F2A0,000001F6), ref: 001909C8
                • LeaveCriticalSection.KERNEL32(0189F280), ref: 001909CF
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: c835c514177cc50cc7ce2607422284dc92e9930bb267ec9d467af6be985fdb38
                • Instruction ID: cab14d2b4fae060308a52a955a0268ae03cabc2d764133c3271d08ad2a96f963
                • Opcode Fuzzy Hash: c835c514177cc50cc7ce2607422284dc92e9930bb267ec9d467af6be985fdb38
                • Instruction Fuzzy Hash: 16F0CD31442512ABDB565F94EE89AD67A25BF05706F401166F10150CA1C77598A5CFD0
                APIs
                • __allrem.LIBCMT ref: 001500BA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001500D6
                • __allrem.LIBCMT ref: 001500ED
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0015010B
                • __allrem.LIBCMT ref: 00150122
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00150140
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                • String ID:
                • API String ID: 1992179935-0
                • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                • Instruction ID: b40eda4b03e8d6a28786e632f58da71fc344d61cc1a40011fbf452a437e7aa3e
                • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                • Instruction Fuzzy Hash: 48813972A00B02DBD7259F68CC81B6B73E8AF55365F24413DF820DA7D1E7B0D9098750
                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001482D9,001482D9,?,?,?,0015644F,00000001,00000001,8BE85006), ref: 00156258
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0015644F,00000001,00000001,8BE85006,?,?,?), ref: 001562DE
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001563D8
                • __freea.LIBCMT ref: 001563E5
                  • Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852
                • __freea.LIBCMT ref: 001563EE
                • __freea.LIBCMT ref: 00156413
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: d217cd1eb6203953d932f455e532e4959d10dd7a8a8b5651314d9947ecde221a
                • Instruction ID: 87e96ef55620a2d83e53f0d98fbbee2eb1d1db037751389ee352efaccf4e7d48
                • Opcode Fuzzy Hash: d217cd1eb6203953d932f455e532e4959d10dd7a8a8b5651314d9947ecde221a
                • Instruction Fuzzy Hash: F551BF72A00216EFEB258F64CC81EAF77A9EB54751F554629FC29DF140EB34DC48C6A0
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                  • Part of subcall function 001AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001AC9F1
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA68
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001ABCCA
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001ABD25
                • RegCloseKey.ADVAPI32(00000000), ref: 001ABD6A
                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001ABD99
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 001ABDF3
                • RegCloseKey.ADVAPI32(?), ref: 001ABDFF
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                • String ID:
                • API String ID: 1120388591-0
                • Opcode ID: 9ec0e8082e8a2a4883f8d07135113c14022bacd3b735cbfa0f0b5039d10e7abf
                • Instruction ID: 8341536acf91268060f8f16cddc38d8b9cba631a989c8e6590d549814f60b5de
                • Opcode Fuzzy Hash: 9ec0e8082e8a2a4883f8d07135113c14022bacd3b735cbfa0f0b5039d10e7abf
                • Instruction Fuzzy Hash: D4818C74208281AFD714DF64C8C5E2ABBE5FF85318F14896CF4598B2A2DB31ED45CB92
                APIs
                • VariantInit.OLEAUT32(00000035), ref: 0017F7B9
                • SysAllocString.OLEAUT32(00000001), ref: 0017F860
                • VariantCopy.OLEAUT32(0017FA64,00000000), ref: 0017F889
                • VariantClear.OLEAUT32(0017FA64), ref: 0017F8AD
                • VariantCopy.OLEAUT32(0017FA64,00000000), ref: 0017F8B1
                • VariantClear.OLEAUT32(?), ref: 0017F8BB
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Variant$ClearCopy$AllocInitString
                • String ID:
                • API String ID: 3859894641-0
                • Opcode ID: 2305d4dc49dd95ad1fad9cd3cbfdd3c820cd2caf9d0afe2583d3604eb3b85ac1
                • Instruction ID: cfedb8f72cc8c04c0a89081cd2f6004f6c2115afa10e770ad2c978676e934d63
                • Opcode Fuzzy Hash: 2305d4dc49dd95ad1fad9cd3cbfdd3c820cd2caf9d0afe2583d3604eb3b85ac1
                • Instruction Fuzzy Hash: 5451E431600310BACF24AB65D895B6AB3B8EF55314F24D46EF909EF291DB708D42C7A6
                APIs
                  • Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                • GetOpenFileNameW.COMDLG32(00000058), ref: 001994E5
                • _wcslen.LIBCMT ref: 00199506
                • _wcslen.LIBCMT ref: 0019952D
                • GetSaveFileNameW.COMDLG32(00000058), ref: 00199585
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$FileName$OpenSave
                • String ID: X
                • API String ID: 83654149-3081909835
                • Opcode ID: 8d1ad55a02ad813cfebed1ddd6e9a2b20b6cdfc808920365a3b41fb902abae50
                • Instruction ID: da55a7e08f00c6100c65fd816ef369106d71d1818928fb0d6244aba59464a60b
                • Opcode Fuzzy Hash: 8d1ad55a02ad813cfebed1ddd6e9a2b20b6cdfc808920365a3b41fb902abae50
                • Instruction Fuzzy Hash: 17E1C4315083509FDB24DF28D481A6EB7E4BF94314F04896DF8899B2A2DB31DD05CB92
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                • BeginPaint.USER32(?,?,?), ref: 00139241
                • GetWindowRect.USER32(?,?), ref: 001392A5
                • ScreenToClient.USER32(?,?), ref: 001392C2
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001392D3
                • EndPaint.USER32(?,?,?,?,?), ref: 00139321
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001771EA
                  • Part of subcall function 00139339: BeginPath.GDI32(00000000), ref: 00139357
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                • String ID:
                • API String ID: 3050599898-0
                • Opcode ID: f0344e99d15fc775a7debb7735edb75ae7639caaf0eb1c96c233e95b594e22d0
                • Instruction ID: a3f1bbd2c272ca098544e23aa3209e2a43a0090a4f32de27bc03ef17c7caca88
                • Opcode Fuzzy Hash: f0344e99d15fc775a7debb7735edb75ae7639caaf0eb1c96c233e95b594e22d0
                • Instruction Fuzzy Hash: D6419D70104200EFD711DF24CC84FBA7BB8FB59724F140669F995972E1C7B19885DBA1
                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0019080C
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00190847
                • EnterCriticalSection.KERNEL32(?), ref: 00190863
                • LeaveCriticalSection.KERNEL32(?), ref: 001908DC
                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001908F3
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00190921
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                • String ID:
                • API String ID: 3368777196-0
                • Opcode ID: b52bd5cbc88747b5d5297cac8a4243c4e36c3d8619f0d0b615597fb03f657f7d
                • Instruction ID: e35a9088823485ef451b2a77e48d4d9ea1a47153e9935bb7fe8c902636976fa4
                • Opcode Fuzzy Hash: b52bd5cbc88747b5d5297cac8a4243c4e36c3d8619f0d0b615597fb03f657f7d
                • Instruction Fuzzy Hash: F6415971A00205EFDF15AF54DC85AAA77B8FF08314F1440B9ED04AA297DB30DEA5DBA0
                APIs
                  • Part of subcall function 00123AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00123A97,?,?,00122E7F,?,?,?,00000000), ref: 00123AC2
                • _wcslen.LIBCMT ref: 0019587B
                • CoInitialize.OLE32(00000000), ref: 00195995
                • CoCreateInstance.OLE32(001BFCF8,00000000,00000001,001BFB68,?), ref: 001959AE
                • CoUninitialize.OLE32 ref: 001959CC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 3172280962-24824748
                • Opcode ID: 88bdab59abdfa1da0e5f972b88014591898893747a28c8c77b3a9818d59734c0
                • Instruction ID: fc5aafa7a2a2065819fd0787e23ff6aea870ecd81b07fe6463bf0ef6dc12d0fb
                • Opcode Fuzzy Hash: 88bdab59abdfa1da0e5f972b88014591898893747a28c8c77b3a9818d59734c0
                • Instruction Fuzzy Hash: 07D163716087119FCB04DF24D480A2ABBE2FF99314F14885DF88AAB361DB31EC45CB92
                APIs
                  • Part of subcall function 00180FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00180FCA
                  • Part of subcall function 00180FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00180FD6
                  • Part of subcall function 00180FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00180FE5
                  • Part of subcall function 00180FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00180FEC
                  • Part of subcall function 00180FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00181002
                • GetLengthSid.ADVAPI32(?,00000000,00181335), ref: 001817AE
                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 001817BA
                • HeapAlloc.KERNEL32(00000000), ref: 001817C1
                • CopySid.ADVAPI32(00000000,00000000,?), ref: 001817DA
                • GetProcessHeap.KERNEL32(00000000,00000000,00181335), ref: 001817EE
                • HeapFree.KERNEL32(00000000), ref: 001817F5
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                • String ID:
                • API String ID: 3008561057-0
                • Opcode ID: b68ac1156a9a77892ead5f999303ec134f650fc7b1ce681aafb1ee62bc6eba08
                • Instruction ID: 0930f2620912d973ef496ed1cf2ea891c44d168d0e882b480c661d376ec6d1ac
                • Opcode Fuzzy Hash: b68ac1156a9a77892ead5f999303ec134f650fc7b1ce681aafb1ee62bc6eba08
                • Instruction Fuzzy Hash: A7117972600205FFDB14AFA8DC49BAE7BADEB45755F10411DF481A7210D736AA85CFA0
                APIs
                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001814FF
                • OpenProcessToken.ADVAPI32(00000000), ref: 00181506
                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00181515
                • CloseHandle.KERNEL32(00000004), ref: 00181520
                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0018154F
                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00181563
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                • String ID:
                • API String ID: 1413079979-0
                • Opcode ID: 09fcc5ee278b05eccc5a37cb1dd0ec1d0da163acecf436616364c5049407a8b7
                • Instruction ID: 168743def08829b1859d95a23b7a38bf93698d4aaad21abebeb240c37efa6f61
                • Opcode Fuzzy Hash: 09fcc5ee278b05eccc5a37cb1dd0ec1d0da163acecf436616364c5049407a8b7
                • Instruction Fuzzy Hash: A4115672504209BBDF119FA8ED49FDE7BADEF48704F044124FA05A2060C3718EA1DBA0
                APIs
                • GetLastError.KERNEL32(?,?,00143379,00142FE5), ref: 00143390
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0014339E
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001433B7
                • SetLastError.KERNEL32(00000000,?,00143379,00142FE5), ref: 00143409
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: 40ebaaab48556ba3521e4baa69ecbb43ab31c46fd3328a0bd78c4a2faf618166
                • Instruction ID: 551788a651cadb16bcecc34029af1f77e7eb3c861559d5c5c5163b45ec3e1f3a
                • Opcode Fuzzy Hash: 40ebaaab48556ba3521e4baa69ecbb43ab31c46fd3328a0bd78c4a2faf618166
                • Instruction Fuzzy Hash: 6401F733609322BFA62D2BB5BCC5A6B2A95FB25B797200329F430892F1EF114F4255D4
                APIs
                • GetLastError.KERNEL32(?,?,00155686,00163CD6,?,00000000,?,00155B6A,?,?,?,?,?,0014E6D1,?,001E8A48), ref: 00152D78
                • _free.LIBCMT ref: 00152DAB
                • _free.LIBCMT ref: 00152DD3
                • SetLastError.KERNEL32(00000000,?,?,?,?,0014E6D1,?,001E8A48,00000010,00124F4A,?,?,00000000,00163CD6), ref: 00152DE0
                • SetLastError.KERNEL32(00000000,?,?,?,?,0014E6D1,?,001E8A48,00000010,00124F4A,?,?,00000000,00163CD6), ref: 00152DEC
                • _abort.LIBCMT ref: 00152DF2
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: eae559b1ecba95150b82701fd910461d9242c360480808370e24ff59d2328ab7
                • Instruction ID: 9337c56ef2aa6c71cbe90a6dffc808639f8d1ec89aa52903c2c2b7d8ae59fc2b
                • Opcode Fuzzy Hash: eae559b1ecba95150b82701fd910461d9242c360480808370e24ff59d2328ab7
                • Instruction Fuzzy Hash: 11F0A933504900EBC21227B4AC06E5E26A56BD37A7F254519FC349F5A2DF34884D5160
                APIs
                  • Part of subcall function 00139639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00139693
                  • Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396A2
                  • Part of subcall function 00139639: BeginPath.GDI32(?), ref: 001396B9
                  • Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396E2
                • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001B8A4E
                • LineTo.GDI32(?,00000003,00000000), ref: 001B8A62
                • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001B8A70
                • LineTo.GDI32(?,00000000,00000003), ref: 001B8A80
                • EndPath.GDI32(?), ref: 001B8A90
                • StrokePath.GDI32(?), ref: 001B8AA0
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                • String ID:
                • API String ID: 43455801-0
                • Opcode ID: 4d303f2f4751aec18cc9795349b1738d067a59ed92d05da50c0b48798a01c9da
                • Instruction ID: 34f0b5ecad312be42cb8308c27158106fb280fe46036d4587764fd6b48f19a50
                • Opcode Fuzzy Hash: 4d303f2f4751aec18cc9795349b1738d067a59ed92d05da50c0b48798a01c9da
                • Instruction Fuzzy Hash: 30110576400109FFEB129F94DC88EAA7F6CEB08354F008122FA199A5A1C7719D95DFA0
                APIs
                • GetDC.USER32(00000000), ref: 00185218
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00185229
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00185230
                • ReleaseDC.USER32(00000000,00000000), ref: 00185238
                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0018524F
                • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00185261
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 1a51070e2c25a82ba41a855245b7a47b42dce1a22db1be2e66eea00f8ae1ebba
                • Instruction ID: e60f429b0de3e0620968b3d898e1f76bf182af4ead430450b27772e664266c7e
                • Opcode Fuzzy Hash: 1a51070e2c25a82ba41a855245b7a47b42dce1a22db1be2e66eea00f8ae1ebba
                • Instruction Fuzzy Hash: 73014F75E00718BBEB10ABA99C49E5EBFB9EB48751F044165FA04A7681DB709900CFA0
                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00121BF4
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00121BFC
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00121C07
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00121C12
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00121C1A
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00121C22
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: f7fa99afa540318584738592845460d1d1720456c9720bad07fb83950a0570fe
                • Instruction ID: c2d10d6c4a4bd828490e005ced6cf4def69411299a923f21bed8b30d3adad884
                • Opcode Fuzzy Hash: f7fa99afa540318584738592845460d1d1720456c9720bad07fb83950a0570fe
                • Instruction Fuzzy Hash: A5016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5
                APIs
                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0018EB30
                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0018EB46
                • GetWindowThreadProcessId.USER32(?,?), ref: 0018EB55
                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0018EB64
                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0018EB6E
                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0018EB75
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                • String ID:
                • API String ID: 839392675-0
                • Opcode ID: 22bb2606510fb3f0e0dd7ff8941899381f289decc3be9b97c9d9bf0a644475af
                • Instruction ID: c1f55aa60f80b3874e1ae0c994c3b65de55420d288b98c9e50fa13e776a29963
                • Opcode Fuzzy Hash: 22bb2606510fb3f0e0dd7ff8941899381f289decc3be9b97c9d9bf0a644475af
                • Instruction Fuzzy Hash: 5BF03A72240158BBE7215B629C0EEEF3B7CEFCAB11F000269FA01E1591E7A05A41CAF5
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0018187F
                • UnloadUserProfile.USERENV(?,?), ref: 0018188B
                • CloseHandle.KERNEL32(?), ref: 00181894
                • CloseHandle.KERNEL32(?), ref: 0018189C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 001818A5
                • HeapFree.KERNEL32(00000000), ref: 001818AC
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                • Opcode ID: 778bb83862a01098b0e121196c22afb9e62a6ff815c21d2b728c560e0ca8c767
                • Instruction ID: 659058d27d524dab145342090e45db62944c081b09c0cb85a655aa2a60a4507f
                • Opcode Fuzzy Hash: 778bb83862a01098b0e121196c22afb9e62a6ff815c21d2b728c560e0ca8c767
                • Instruction Fuzzy Hash: 69E07576104505FBDB015FA5ED0C94ABF79FF49B22B508725F22591871CB3294A1DFA0
                APIs
                  • Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0018C6EE
                • _wcslen.LIBCMT ref: 0018C735
                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0018C79C
                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0018C7CA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ItemMenu$Info_wcslen$Default
                • String ID: 0
                • API String ID: 1227352736-4108050209
                • Opcode ID: ccedef55cabc5584d4fcc91bf6ab87f8a84f412baeadaf5000658c597df12a35
                • Instruction ID: 5e959b5e114ed4685241f509e2ce7969f96f09faf94bf2444f8b7e264d5c6e86
                • Opcode Fuzzy Hash: ccedef55cabc5584d4fcc91bf6ab87f8a84f412baeadaf5000658c597df12a35
                • Instruction Fuzzy Hash: B051B1726143019BD714AF28D885B6B77E4AF59314F140A3DF995D32A0EB70DA44CFE2
                APIs
                • ShellExecuteExW.SHELL32(0000003C), ref: 001AAEA3
                  • Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625
                • GetProcessId.KERNEL32(00000000), ref: 001AAF38
                • CloseHandle.KERNEL32(00000000), ref: 001AAF67
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CloseExecuteHandleProcessShell_wcslen
                • String ID: <$@
                • API String ID: 146682121-1426351568
                • Opcode ID: ff01a14217a568b3feb76415958fbfe539c67e6087c16f9e06b3b55fea85f2b2
                • Instruction ID: 50c6801a6dc29fda70a302e8e7c4a8ccb6e4a4dc029e58f6aa21d0f02c2cc206
                • Opcode Fuzzy Hash: ff01a14217a568b3feb76415958fbfe539c67e6087c16f9e06b3b55fea85f2b2
                • Instruction Fuzzy Hash: AA71AD75A00229DFCB14DFA4D484A9EBBF0FF09310F448499E856AB3A2C774ED55CB91
                APIs
                • GetWindowRect.USER32(018AF298,?), ref: 001B62E2
                • ScreenToClient.USER32(?,?), ref: 001B6315
                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001B6382
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$ClientMoveRectScreen
                • String ID: @U=u
                • API String ID: 3880355969-2594219639
                • Opcode ID: 5608737aa7235cae407c151d168cf594ffa1dd0e3c2a3d988689f76fbd565ed5
                • Instruction ID: 221814fad2593b42f6218bdccf347a41841e2fb8793c99f96bfd9204437bcea6
                • Opcode Fuzzy Hash: 5608737aa7235cae407c151d168cf594ffa1dd0e3c2a3d988689f76fbd565ed5
                • Instruction Fuzzy Hash: 67511974A00209EFDB10DF68D8809EE7BF5FB65364F108269F9599B2A0D774AD81CB90
                APIs
                  • Part of subcall function 0018B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821D0,?,?,00000034,00000800,?,00000034), ref: 0018B42D
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00182760
                  • Part of subcall function 0018B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0018B3F8
                  • Part of subcall function 0018B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0018B355
                  • Part of subcall function 0018B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00182194,00000034,?,?,00001004,00000000,00000000), ref: 0018B365
                  • Part of subcall function 0018B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00182194,00000034,?,?,00001004,00000000,00000000), ref: 0018B37B
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001827CD
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0018281A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @$@U=u
                • API String ID: 4150878124-826235744
                • Opcode ID: d69b974c559ca7928730490602837ab5555bef9b7936bdebac0b1db4b2157b07
                • Instruction ID: 8273968a3afbdfb7f323bbb8d5f19709e57391ffb5f798d2cb24dc8c1bbdb240
                • Opcode Fuzzy Hash: d69b974c559ca7928730490602837ab5555bef9b7936bdebac0b1db4b2157b07
                • Instruction Fuzzy Hash: 9C410A72900218BFDB11EBA4C986AEEBBB8AB19700F104055FA55B7181DB706F85CFA1
                APIs
                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00187206
                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0018723C
                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0018724D
                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001872CF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorMode$AddressCreateInstanceProc
                • String ID: DllGetClassObject
                • API String ID: 753597075-1075368562
                • Opcode ID: a16b8239df9c5d46e4759fbc1edb1591412d1b087c8e6a34f9987985219b8825
                • Instruction ID: bdf3c4dddbcf7d111452be0ddfbb10dfc779853fa177bc1d7a32c62e54eaab1c
                • Opcode Fuzzy Hash: a16b8239df9c5d46e4759fbc1edb1591412d1b087c8e6a34f9987985219b8825
                • Instruction Fuzzy Hash: 7F416171604204EFDB15DF94C884A9A7BAAEF44310F2580ADBD05AF29AD7B1DA45CFA0
                APIs
                • SendMessageW.USER32(?,00001024,00000000,?), ref: 001B5352
                • GetWindowLongW.USER32(?,000000F0), ref: 001B5375
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B5382
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001B53A8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LongWindow$InvalidateMessageRectSend
                • String ID: @U=u
                • API String ID: 3340791633-2594219639
                • Opcode ID: f6751cfe7abfff2e69012f0ea801a24a6155c8b1964e4bac39ef55a5ae195326
                • Instruction ID: 993d61255bdc74f440ae551170527a02a7d7029737aed4fd15306098c064c5cd
                • Opcode Fuzzy Hash: f6751cfe7abfff2e69012f0ea801a24a6155c8b1964e4bac39ef55a5ae195326
                • Instruction Fuzzy Hash: 64318B34A55A08EFEB349B14CC56FE877E7BB04390F584102FA11963F1C7B5A980DB92
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: HKEY_LOCAL_MACHINE$HKLM
                • API String ID: 176396367-4004644295
                • Opcode ID: 2082e093fb66590620f7bafc71e1e9276d25ed8ae5344e44c92f2a9b8c5b51b7
                • Instruction ID: a7423c48ab2e23928a52a7194574ace0a2b352fb31f55865f9a9a88d3ba965dd
                • Opcode Fuzzy Hash: 2082e093fb66590620f7bafc71e1e9276d25ed8ae5344e44c92f2a9b8c5b51b7
                • Instruction Fuzzy Hash: C031047BA0056E8BDB20DF6DD9401BE3391ABB7754B054029E845AB284FB70CE81D3E0
                APIs
                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001B2F8D
                • LoadLibraryW.KERNEL32(?), ref: 001B2F94
                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001B2FA9
                • DestroyWindow.USER32(?), ref: 001B2FB1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$DestroyLibraryLoadWindow
                • String ID: SysAnimate32
                • API String ID: 3529120543-1011021900
                • Opcode ID: 24135a5a52f74ae398adf0c1d0425efae8d000c8650bb23ead5728924af2825b
                • Instruction ID: 9a30b900fede6ad7fd1306e9d9bbe8b7a5b206036e2f0acb6fcdf0dc9f9d9b63
                • Opcode Fuzzy Hash: 24135a5a52f74ae398adf0c1d0425efae8d000c8650bb23ead5728924af2825b
                • Instruction Fuzzy Hash: BE218972204209ABEF108FA4DC84EFB77B9EB69364F10462CFA50D61A0D771DC9597A0
                APIs
                • SendMessageW.USER32(?,00001060,?,00000004), ref: 001B56BB
                • _wcslen.LIBCMT ref: 001B56CD
                • _wcslen.LIBCMT ref: 001B56D8
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001B5816
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend_wcslen
                • String ID: @U=u
                • API String ID: 455545452-2594219639
                • Opcode ID: 4e680ce028c0ac3c011930d962173992ea45a0009651af753dbe1a3fc1b9b230
                • Instruction ID: c64567e4512687bff6758d110389206c47a534ad382ab3c5d6c90cef1647cbee
                • Opcode Fuzzy Hash: 4e680ce028c0ac3c011930d962173992ea45a0009651af753dbe1a3fc1b9b230
                • Instruction Fuzzy Hash: 9311E275A00608AADF20DF61CC85BFE77BCEF24768F50412AF915D6081EBB0CA80CB60
                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0012604C
                • GetStockObject.GDI32(00000011), ref: 00126060
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0012606A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateMessageObjectSendStockWindow
                • String ID: @U=u
                • API String ID: 3970641297-2594219639
                • Opcode ID: 44bc037ac586e3753c22b74e1c1d93ac2980af38f3ff03b4ee393f97cd719a6c
                • Instruction ID: f8d9bf2a2f9ccd93206d9670f110630496293d3ec502c6ba41825e90916da3d9
                • Opcode Fuzzy Hash: 44bc037ac586e3753c22b74e1c1d93ac2980af38f3ff03b4ee393f97cd719a6c
                • Instruction Fuzzy Hash: 7511AD72101518FFEF164FA4AC44EEABB6AFF193A4F000201FA0452150C736DCA0EBA0
                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00144D1E,001528E9,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002), ref: 00144D8D
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00144DA0
                • FreeLibrary.KERNEL32(00000000,?,?,?,00144D1E,001528E9,?,00144CBE,001528E9,001E88B8,0000000C,00144E15,001528E9,00000002,00000000), ref: 00144DC3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 051ac54638685bb241135184f4dc741910cd71665c93bbbdb81e545b05cc43e2
                • Instruction ID: d3949dc42ac2d481bcd4864e7dda109b982d7f1a464bb2f2315ad5a859760564
                • Opcode Fuzzy Hash: 051ac54638685bb241135184f4dc741910cd71665c93bbbdb81e545b05cc43e2
                • Instruction Fuzzy Hash: BEF04F35A40208FBDB159F94DC49BEDBBF9EF58751F0001A8F909A2660CB709A80CAD1
                APIs
                • LoadLibraryA.KERNEL32 ref: 0017D3AD
                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0017D3BF
                • FreeLibrary.KERNEL32(00000000), ref: 0017D3E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: GetSystemWow64DirectoryW$X64
                • API String ID: 145871493-2590602151
                • Opcode ID: 9b31e52d83f1e3bf80cf0d45aff857c796cd8ab9deec01ef91f94d10202bf88f
                • Instruction ID: 3bf3fc533d98b5121c44d6e2413e72fb7080ee6e27e9e2b34d7c8442ba7d431c
                • Opcode Fuzzy Hash: 9b31e52d83f1e3bf80cf0d45aff857c796cd8ab9deec01ef91f94d10202bf88f
                • Instruction Fuzzy Hash: BBF055B1801A29DBD3385714AC589AD7334BF10B01F93C258F80EF2056DB60CD8286D2
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E9C
                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00124EAE
                • FreeLibrary.KERNEL32(00000000,?,?,00124EDD,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124EC0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-3689287502
                • Opcode ID: 241fc4938042e5af496c68284b7041d6ef18bf43ee56514061d2ef769d9bc0b3
                • Instruction ID: e9ec6fbd74094741757da8e77b81c19aa4acf7df8517a3cddb4d8dcf06940247
                • Opcode Fuzzy Hash: 241fc4938042e5af496c68284b7041d6ef18bf43ee56514061d2ef769d9bc0b3
                • Instruction Fuzzy Hash: 14E0CD35A016329BE231172DBC1CB9F6558AF81F627060215FC01F3200DBA4CD4245F4
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E62
                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00124E74
                • FreeLibrary.KERNEL32(00000000,?,?,00163CDE,?,001F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00124E87
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-1355242751
                • Opcode ID: ada1513cfb19cd80d0a4868ade1354f744f3d32ec1cd7bd5cb6131f8f269e5ef
                • Instruction ID: f19d664c36e7c8a9079cca8057de6658bc86160c1648ffbea97bd0bca96cc310
                • Opcode Fuzzy Hash: ada1513cfb19cd80d0a4868ade1354f744f3d32ec1cd7bd5cb6131f8f269e5ef
                • Instruction Fuzzy Hash: D9D01235502A3297BA221B297C1CDCF6A18AF85B513060615F915B6124CF64CD5285E0
                APIs
                • GetCurrentProcessId.KERNEL32 ref: 001AA427
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001AA435
                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 001AA468
                • CloseHandle.KERNEL32(?), ref: 001AA63D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$CloseCountersCurrentHandleOpen
                • String ID:
                • API String ID: 3488606520-0
                • Opcode ID: 1a1af6aa2ddd3a991b9fc06612538f9172ee5d8bc49daea81aae42adb754d54f
                • Instruction ID: 0adc1c2b078ee98b2088025ac4f31b96ae4afbe945f4f628c929bf156e5bb0c0
                • Opcode Fuzzy Hash: 1a1af6aa2ddd3a991b9fc06612538f9172ee5d8bc49daea81aae42adb754d54f
                • Instruction Fuzzy Hash: 54A1C075604300AFD720DF28D886F2AB7E1AF98714F54881DF59A9B2D2D7B0EC45CB92
                APIs
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001C3700), ref: 0015BB91
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001F121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0015BC09
                • WideCharToMultiByte.KERNEL32(00000000,00000000,001F1270,000000FF,?,0000003F,00000000,?), ref: 0015BC36
                • _free.LIBCMT ref: 0015BB7F
                  • Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
                  • Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0
                • _free.LIBCMT ref: 0015BD4B
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                • String ID:
                • API String ID: 1286116820-0
                • Opcode ID: 6108997ab5a92454571b9c6b9aed12d027c9fcffac25e224dbbf43d05c4d615c
                • Instruction ID: 090e5a75c0f17bb12fbf1096e84832d42bc050ca9a3614ed83224b7b82e94a5b
                • Opcode Fuzzy Hash: 6108997ab5a92454571b9c6b9aed12d027c9fcffac25e224dbbf43d05c4d615c
                • Instruction Fuzzy Hash: B151D871908209EFCB10DFA9DCC19BEB7B8BF55311B20426AE974EB191EB705D49C790
                APIs
                  • Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0018CF22,?), ref: 0018DDFD
                  • Part of subcall function 0018DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0018CF22,?), ref: 0018DE16
                  • Part of subcall function 0018E199: GetFileAttributesW.KERNEL32(?,0018CF95), ref: 0018E19A
                • lstrcmpiW.KERNEL32(?,?), ref: 0018E473
                • MoveFileW.KERNEL32(?,?), ref: 0018E4AC
                • _wcslen.LIBCMT ref: 0018E5EB
                • _wcslen.LIBCMT ref: 0018E603
                • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0018E650
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                • String ID:
                • API String ID: 3183298772-0
                • Opcode ID: 6500693e6bfd5ada8d0e9f240dbcdd9f696878fbe1d15da2c825d9041e7b96f3
                • Instruction ID: a4b3fe3d0353ddb61d058ff30708659affd09483d8023891fe18d341abfafbff
                • Opcode Fuzzy Hash: 6500693e6bfd5ada8d0e9f240dbcdd9f696878fbe1d15da2c825d9041e7b96f3
                • Instruction Fuzzy Hash: 835153B24083459BC724EBA4DC819DFB3ECAF95340F00492EF589D3191EF74A6888B66
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                  • Part of subcall function 001AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001AB6AE,?,?), ref: 001AC9B5
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001AC9F1
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA68
                  • Part of subcall function 001AC998: _wcslen.LIBCMT ref: 001ACA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001ABAA5
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001ABB00
                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001ABB63
                • RegCloseKey.ADVAPI32(?,?), ref: 001ABBA6
                • RegCloseKey.ADVAPI32(00000000), ref: 001ABBB3
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                • String ID:
                • API String ID: 826366716-0
                • Opcode ID: d5e703ae13cd5b84a15804dbf5a5f6e0b63965333ed320cfc9b79fb7bd529ce7
                • Instruction ID: 3ee5665805687f3f7426037c5efe033d9c190c261fa1bebdb163dc2658b9921f
                • Opcode Fuzzy Hash: d5e703ae13cd5b84a15804dbf5a5f6e0b63965333ed320cfc9b79fb7bd529ce7
                • Instruction Fuzzy Hash: C561AF75208241AFD714DF24C4D0E2ABBE5FF85308F54896CF4998B2A2DB31ED45CBA2
                APIs
                • VariantInit.OLEAUT32(?), ref: 00188BCD
                • VariantClear.OLEAUT32 ref: 00188C3E
                • VariantClear.OLEAUT32 ref: 00188C9D
                • VariantClear.OLEAUT32(?), ref: 00188D10
                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00188D3B
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Variant$Clear$ChangeInitType
                • String ID:
                • API String ID: 4136290138-0
                • Opcode ID: 8d46746668c5436a46ac7d1e49e72123558306bb51e1665b171658fc75bff790
                • Instruction ID: c70f869ea1a7633799a6db22acc11b51ee5e8baf13a79fcf7d35cf538cb67b62
                • Opcode Fuzzy Hash: 8d46746668c5436a46ac7d1e49e72123558306bb51e1665b171658fc75bff790
                • Instruction Fuzzy Hash: 7D516BB5A00619EFCB14DF68C894AAAB7F8FF89310B158559F905DB354E730EA12CF90
                APIs
                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00198BAE
                • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00198BDA
                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00198C32
                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00198C57
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00198C5F
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: PrivateProfile$SectionWrite$String
                • String ID:
                • API String ID: 2832842796-0
                • Opcode ID: 3f0a790468fd6003d828303b35462ee34cb01145b759da4c19b6e9b0175f9d0e
                • Instruction ID: c78453fbb21f25c139d35608302bd286f8f951be3887052ba9c68abf4037cb8d
                • Opcode Fuzzy Hash: 3f0a790468fd6003d828303b35462ee34cb01145b759da4c19b6e9b0175f9d0e
                • Instruction Fuzzy Hash: 7C512B35A002159FCF05DF64D881AAEBBF5FF49314F088498E849AB3A2DB35ED51CB90
                APIs
                • LoadLibraryW.KERNEL32(?,00000000,?), ref: 001A8F40
                • GetProcAddress.KERNEL32(00000000,?), ref: 001A8FD0
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 001A8FEC
                • GetProcAddress.KERNEL32(00000000,?), ref: 001A9032
                • FreeLibrary.KERNEL32(00000000), ref: 001A9052
                  • Part of subcall function 0013F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00191043,?,75B8E610), ref: 0013F6E6
                  • Part of subcall function 0013F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0017FA64,00000000,00000000,?,?,00191043,?,75B8E610,?,0017FA64), ref: 0013F70D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                • String ID:
                • API String ID: 666041331-0
                • Opcode ID: e680d26a94d4d692331f9896d796cb5cac8caab2aecd381db4b84b4f291ec1b4
                • Instruction ID: 03acd67fdcc38661e90d0acacd53b56e49001a814afeea1338bdee48f1aa328d
                • Opcode Fuzzy Hash: e680d26a94d4d692331f9896d796cb5cac8caab2aecd381db4b84b4f291ec1b4
                • Instruction Fuzzy Hash: FA513A38604215DFCB15DF58D4848ADBBF1FF5A314F0980A8E806AB362DB31ED86CB90
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 02a93f4e352fe17e6a1dc9d3c29aca8f9b94f23e5a1b88e4ab320bb4a5a5de0a
                • Instruction ID: 416124b841df13777450dec6639bd29060224b910582ccc1b2ec5e3b5c63c843
                • Opcode Fuzzy Hash: 02a93f4e352fe17e6a1dc9d3c29aca8f9b94f23e5a1b88e4ab320bb4a5a5de0a
                • Instruction Fuzzy Hash: 8141AF37A00200DBCB24DFB8C981A5EB7E5EF8A314F154568E925EF391D731AD05CB80
                APIs
                • GetCursorPos.USER32(?), ref: 00139141
                • ScreenToClient.USER32(00000000,?), ref: 0013915E
                • GetAsyncKeyState.USER32(00000001), ref: 00139183
                • GetAsyncKeyState.USER32(00000002), ref: 0013919D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: AsyncState$ClientCursorScreen
                • String ID:
                • API String ID: 4210589936-0
                • Opcode ID: 775e086697b4290b856614a1be82b7b3adafda63dffe8d898f1fc18443e3f803
                • Instruction ID: be10393787921958c76a9243ae6df61b752ab107d756cfec660844cedc06ed7d
                • Opcode Fuzzy Hash: 775e086697b4290b856614a1be82b7b3adafda63dffe8d898f1fc18443e3f803
                • Instruction Fuzzy Hash: B5414D71A0861ABBDF19AF64C848BEEB774FB05330F208229E429A72D0C7706954CF91
                APIs
                • GetInputState.USER32 ref: 001938CB
                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00193922
                • TranslateMessage.USER32(?), ref: 0019394B
                • DispatchMessageW.USER32(?), ref: 00193955
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00193966
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                • String ID:
                • API String ID: 2256411358-0
                • Opcode ID: 456e8bc4efc9832b1d7de24b47c6fb7d2d40ad3503d6485aeabcf168f27533ee
                • Instruction ID: 21ca445df4ce71e50697d62c6098ff79a5a9ad6bf26b152abcadef87ffced3dd
                • Opcode Fuzzy Hash: 456e8bc4efc9832b1d7de24b47c6fb7d2d40ad3503d6485aeabcf168f27533ee
                • Instruction Fuzzy Hash: 7231A070904342EEEF39CB359848BB637E8AB15308F04066DE476C65E0E7B4AAC5CB61
                APIs
                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0019C21E,00000000), ref: 0019CF38
                • InternetReadFile.WININET(?,00000000,?,?), ref: 0019CF6F
                • GetLastError.KERNEL32(?,00000000,?,?,?,0019C21E,00000000), ref: 0019CFB4
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,0019C21E,00000000), ref: 0019CFC8
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,0019C21E,00000000), ref: 0019CFF2
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                • String ID:
                • API String ID: 3191363074-0
                • Opcode ID: a9487dec5bdf26190e78df5334facc8bdbff4f6162de5a2aad762d95d4de65c5
                • Instruction ID: ef79ab106f40d2d4d31b421cacef91f0be299bddb3cb57a326d98fae794749f0
                • Opcode Fuzzy Hash: a9487dec5bdf26190e78df5334facc8bdbff4f6162de5a2aad762d95d4de65c5
                • Instruction Fuzzy Hash: C3315C71A00205EFDF24DFA5C884AABBBF9EB14350B10442EF556D2551EB30AE41DBA0
                APIs
                • GetWindowRect.USER32(?,?), ref: 00181915
                • PostMessageW.USER32(00000001,00000201,00000001), ref: 001819C1
                • Sleep.KERNEL32(00000000,?,?,?), ref: 001819C9
                • PostMessageW.USER32(00000001,00000202,00000000), ref: 001819DA
                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 001819E2
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessagePostSleep$RectWindow
                • String ID:
                • API String ID: 3382505437-0
                • Opcode ID: e6613b4e1809d7f876fe4ea4aaa16ae6ebc6a2aff38581e0f9ac426f70ba8b98
                • Instruction ID: 3aa78051b2bafdfa586c10eb0d114f85c4237ce978e2c7698000357e19505e34
                • Opcode Fuzzy Hash: e6613b4e1809d7f876fe4ea4aaa16ae6ebc6a2aff38581e0f9ac426f70ba8b98
                • Instruction Fuzzy Hash: EE31AF72900219EFCB04DFA8C999AEE3BB9EB04319F104225F961A72D1C7709A45CF90
                APIs
                • IsWindow.USER32(00000000), ref: 001A0951
                • GetForegroundWindow.USER32 ref: 001A0968
                • GetDC.USER32(00000000), ref: 001A09A4
                • GetPixel.GDI32(00000000,?,00000003), ref: 001A09B0
                • ReleaseDC.USER32(00000000,00000003), ref: 001A09E8
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$ForegroundPixelRelease
                • String ID:
                • API String ID: 4156661090-0
                • Opcode ID: 26553b64ec76f6a4f92980e8413926bbda378e5d0d31f7bc3b324b2960b96cb5
                • Instruction ID: 8d2c07717d48ff39a5bd8b3940080dc5767d85a7f61a93ab81c0ccdc94b4c5b9
                • Opcode Fuzzy Hash: 26553b64ec76f6a4f92980e8413926bbda378e5d0d31f7bc3b324b2960b96cb5
                • Instruction Fuzzy Hash: F7218135600214AFD704EF69DC85AAEBBE9EF59700F048168F84AD7752CB30AC44CB90
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 0015CDC6
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0015CDE9
                  • Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0015CE0F
                • _free.LIBCMT ref: 0015CE22
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0015CE31
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                • Opcode ID: 106691ff0646501db8867fd14ae8dc8358ed2479ace41f7bf8b7dcae0cb604c6
                • Instruction ID: 4c8b7f35ac4f3a34da8458be75962dad3e0e69055e3191389b1632e6d2f5b44d
                • Opcode Fuzzy Hash: 106691ff0646501db8867fd14ae8dc8358ed2479ace41f7bf8b7dcae0cb604c6
                • Instruction Fuzzy Hash: AE018872601315FF23211EBA6C4AD7B6D6DEFC6BA23150229FD25DB211DB618D0581F0
                APIs
                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00139693
                • SelectObject.GDI32(?,00000000), ref: 001396A2
                • BeginPath.GDI32(?), ref: 001396B9
                • SelectObject.GDI32(?,00000000), ref: 001396E2
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                • Opcode ID: 717b7a3f326e80fa57395db106ac17ac1ee8dac52a7cd9a30519f08eb7bc7b0f
                • Instruction ID: 66f033f119b74d2bbe35aa450f98d1a9778d867bcac2d15b24d4778ca38fed07
                • Opcode Fuzzy Hash: 717b7a3f326e80fa57395db106ac17ac1ee8dac52a7cd9a30519f08eb7bc7b0f
                • Instruction Fuzzy Hash: F82149B0802305FBDB119F69ED1ABB93BA9BB50369F104216F814A65A0D3F098D1CFD4
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: 4312ec623ad871b1202d844ec497b57245c70f80a957ea37be25dce721705d93
                • Instruction ID: fa45b8840f798960558b43a4ac483b5e1b72b5af8d9f8842a6250ea222d2cc0b
                • Opcode Fuzzy Hash: 4312ec623ad871b1202d844ec497b57245c70f80a957ea37be25dce721705d93
                • Instruction Fuzzy Hash: 5901B565641609BBE3086511DE82FFB735FEB313A4F808034FD049A242F760EE518BA4
                APIs
                • GetLastError.KERNEL32(?,?,?,0014F2DE,00153863,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6), ref: 00152DFD
                • _free.LIBCMT ref: 00152E32
                • _free.LIBCMT ref: 00152E59
                • SetLastError.KERNEL32(00000000,00121129), ref: 00152E66
                • SetLastError.KERNEL32(00000000,00121129), ref: 00152E6F
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                • Opcode ID: 5e0b9049f946ec4fb104d8003de97398ef38a981e14983ba0245e7abc91804b3
                • Instruction ID: 7b5e84f30c4ec3e6efb230651e096eb28a1927dd66cec39ac76df239d73eeb28
                • Opcode Fuzzy Hash: 5e0b9049f946ec4fb104d8003de97398ef38a981e14983ba0245e7abc91804b3
                • Instruction Fuzzy Hash: CE01F933105A00E7C61267746C87D6B2699EBE33A7B254129FC31AF292EF309C4D4160
                APIs
                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?,?,0018035E), ref: 0018002B
                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180046
                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180054
                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?), ref: 00180064
                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0017FF41,80070057,?,?), ref: 00180070
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: From$Prog$FreeStringTasklstrcmpi
                • String ID:
                • API String ID: 3897988419-0
                • Opcode ID: ed5c76a7100a61f89bd8f6366e0763f92e0eb5e4d652875ab9a0d7ba1e175fde
                • Instruction ID: 99cd4d3f0baf23aee3093f49909608fb19cc76e8b708c4b3ce75199dd2274bf4
                • Opcode Fuzzy Hash: ed5c76a7100a61f89bd8f6366e0763f92e0eb5e4d652875ab9a0d7ba1e175fde
                • Instruction Fuzzy Hash: 6C01A272600208BFDB525F68DC44BAA7BEDEF48792F144228F905D6210D771DE849BA0
                APIs
                • QueryPerformanceCounter.KERNEL32(?), ref: 0018E997
                • QueryPerformanceFrequency.KERNEL32(?), ref: 0018E9A5
                • Sleep.KERNEL32(00000000), ref: 0018E9AD
                • QueryPerformanceCounter.KERNEL32(?), ref: 0018E9B7
                • Sleep.KERNEL32 ref: 0018E9F3
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                • Opcode ID: 7c5af8d79c94e826202b4f562fc6c0c4eb5b967f50fdbe8385fb3161419f858d
                • Instruction ID: 83d4b9e9642f6b8bbb7738cecf30be5fe61e2eb1012446b9f5fcb7053f34edda
                • Opcode Fuzzy Hash: 7c5af8d79c94e826202b4f562fc6c0c4eb5b967f50fdbe8385fb3161419f858d
                • Instruction Fuzzy Hash: CF015E31D0162DDBCF04AFE9DD59AEDBBB8FF09705F010656E542B2241CB709694CBA1
                APIs
                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00181114
                • GetLastError.KERNEL32(?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181120
                • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 0018112F
                • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00180B9B,?,?,?), ref: 00181136
                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0018114D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                • String ID:
                • API String ID: 842720411-0
                • Opcode ID: aef25387393d34d3494023d06166f34cea0ada117978144f5911d590db79ba01
                • Instruction ID: b5087d913a52a4948e4922472d3f2c99c9dddde722b8b72a01a0be0637a50ccb
                • Opcode Fuzzy Hash: aef25387393d34d3494023d06166f34cea0ada117978144f5911d590db79ba01
                • Instruction Fuzzy Hash: 3C01697A200205BFDB115FA8DC4DAAA3B6EEF893A0B240419FA41D3360DB31DD408FA0
                APIs
                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00180FCA
                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00180FD6
                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00180FE5
                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00180FEC
                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00181002
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: 3488555bcac7b067d1591bd7119c45e9d04c6df725ec2f4108c8d4cd42dd7177
                • Instruction ID: 5adc5a363e2e814d53750fbeb88aad8c94b56796cd2f6bd6b8eaf1d0353e1fc1
                • Opcode Fuzzy Hash: 3488555bcac7b067d1591bd7119c45e9d04c6df725ec2f4108c8d4cd42dd7177
                • Instruction Fuzzy Hash: 80F0497A200301FBDB216FA8DC89F563BADEF89762F204525FA45D6251CB70DC818AA0
                APIs
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0018102A
                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00181036
                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181045
                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0018104C
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181062
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: 446a4192d463c22eb18b1783f4c97f98cecd34aef7c9053de432c1282615f771
                • Instruction ID: 68af8d5a6aed7dee5328eb35503faa683b3e1e1933a440b3d542b3a7bb73bc8e
                • Opcode Fuzzy Hash: 446a4192d463c22eb18b1783f4c97f98cecd34aef7c9053de432c1282615f771
                • Instruction Fuzzy Hash: A8F0497A200301FBDB216FA8EC49F573BADEF89761F200925FA45D6250CB70D9818AA0
                APIs
                • CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190324
                • CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190331
                • CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 0019033E
                • CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 0019034B
                • CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190358
                • CloseHandle.KERNEL32(?,?,?,?,0019017D,?,001932FC,?,00000001,00162592,?), ref: 00190365
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 8f0187ddaf9218d9c2584e9944a7eaa379bb7e27239214664c353540bb52641a
                • Instruction ID: eb52d6704e99047c3660311fdef89ed61618e3e94e5ef78d368c077def766768
                • Opcode Fuzzy Hash: 8f0187ddaf9218d9c2584e9944a7eaa379bb7e27239214664c353540bb52641a
                • Instruction Fuzzy Hash: 4401AE72800B159FCB31AF66D880812FBF9BF647153158A3FD19652931C3B1AA98DF80
                APIs
                • _free.LIBCMT ref: 0015D752
                  • Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
                  • Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0
                • _free.LIBCMT ref: 0015D764
                • _free.LIBCMT ref: 0015D776
                • _free.LIBCMT ref: 0015D788
                • _free.LIBCMT ref: 0015D79A
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 6623f596dabd7f70ffd4cae3153977af0dea8e4dcaa719150990dc8e729f0882
                • Instruction ID: 385042054a37eb950654c0d223bb5220d143ee7d52c37b114e76622409df2983
                • Opcode Fuzzy Hash: 6623f596dabd7f70ffd4cae3153977af0dea8e4dcaa719150990dc8e729f0882
                • Instruction Fuzzy Hash: 78F04433500258EB8635EB94F9C1C5A7BDDBB0971A7940805F864EF502C730FCC487A0
                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 00185C58
                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00185C6F
                • MessageBeep.USER32(00000000), ref: 00185C87
                • KillTimer.USER32(?,0000040A), ref: 00185CA3
                • EndDialog.USER32(?,00000001), ref: 00185CBD
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                • Opcode ID: 79c5d9ccb84f53d32e3f051a80a7d329ee0fe3c85fa01c48cc2e873b9c9a6fd8
                • Instruction ID: 9320e2b3f01cab8a3f56c90e35ffe94fb6e763eb1d43bee0deb68537b5b03576
                • Opcode Fuzzy Hash: 79c5d9ccb84f53d32e3f051a80a7d329ee0fe3c85fa01c48cc2e873b9c9a6fd8
                • Instruction Fuzzy Hash: 42018130500B04ABEB256B11ED4EFA677BDFB00B05F001659A583A19E1DBF0AA848F90
                APIs
                • _free.LIBCMT ref: 001522BE
                  • Part of subcall function 001529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000), ref: 001529DE
                  • Part of subcall function 001529C8: GetLastError.KERNEL32(00000000,?,0015D7D1,00000000,00000000,00000000,00000000,?,0015D7F8,00000000,00000007,00000000,?,0015DBF5,00000000,00000000), ref: 001529F0
                • _free.LIBCMT ref: 001522D0
                • _free.LIBCMT ref: 001522E3
                • _free.LIBCMT ref: 001522F4
                • _free.LIBCMT ref: 00152305
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 2ebea9538d7b1b5f0e30fd97aab47be7ef8bd3969270e39b8581c29c6f78ef9d
                • Instruction ID: aa6bcade993958ea0c7965e55cc695b19f68038db358e654d043ffcae4c064c1
                • Opcode Fuzzy Hash: 2ebea9538d7b1b5f0e30fd97aab47be7ef8bd3969270e39b8581c29c6f78ef9d
                • Instruction Fuzzy Hash: BCF03076800120EB8713AF94FC4186C3B64B729B52B100506F830EB772C7310896DFE4
                APIs
                • EndPath.GDI32(?), ref: 001395D4
                • StrokeAndFillPath.GDI32(?,?,001771F7,00000000,?,?,?), ref: 001395F0
                • SelectObject.GDI32(?,00000000), ref: 00139603
                • DeleteObject.GDI32 ref: 00139616
                • StrokePath.GDI32(?), ref: 00139631
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Path$ObjectStroke$DeleteFillSelect
                • String ID:
                • API String ID: 2625713937-0
                • Opcode ID: b8822fbcf15eb357c1f6e2a95ef48eb9c19c137755d4db730447979660ecf32d
                • Instruction ID: fc689285bc768a61e1bf51eea18bd2955eecbd149dc121efb2544bd6de856155
                • Opcode Fuzzy Hash: b8822fbcf15eb357c1f6e2a95ef48eb9c19c137755d4db730447979660ecf32d
                • Instruction Fuzzy Hash: 33F014B4006208EBDB266F69ED18B793B65BB1032AF048314F465658F0C7B089D5DFA0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: __freea$_free
                • String ID: a/p$am/pm
                • API String ID: 3432400110-3206640213
                • Opcode ID: 532cfd26fcfaf2260ea7bf46b6694051eb68bd97bedad71d38575711c126dcd5
                • Instruction ID: 2207688703e1856301f8c964c2073a0ccd5383c6687b518c2dcad0b06c84c5e7
                • Opcode Fuzzy Hash: 532cfd26fcfaf2260ea7bf46b6694051eb68bd97bedad71d38575711c126dcd5
                • Instruction Fuzzy Hash: A3D13431900206EACB2A9F68C8A5BFEB7B1FF05712F250159ED319F690D3359D88CB91
                APIs
                  • Part of subcall function 00140242: EnterCriticalSection.KERNEL32(001F070C,001F1884,?,?,0013198B,001F2518,?,?,?,001212F9,00000000), ref: 0014024D
                  • Part of subcall function 00140242: LeaveCriticalSection.KERNEL32(001F070C,?,0013198B,001F2518,?,?,?,001212F9,00000000), ref: 0014028A
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                  • Part of subcall function 001400A3: __onexit.LIBCMT ref: 001400A9
                • __Init_thread_footer.LIBCMT ref: 001A7BFB
                  • Part of subcall function 001401F8: EnterCriticalSection.KERNEL32(001F070C,?,?,00138747,001F2514), ref: 00140202
                  • Part of subcall function 001401F8: LeaveCriticalSection.KERNEL32(001F070C,?,00138747,001F2514), ref: 00140235
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                • String ID: 5$G$Variable must be of type 'Object'.
                • API String ID: 535116098-3733170431
                • Opcode ID: fa3800753d8d4e969905179c00c99acfdba1a89ac750c7f6aa372e468b974443
                • Instruction ID: 7ab6a667efa6b90c6dfbafd56df174c3ab129f6567a25c13232fba576ac9deb3
                • Opcode Fuzzy Hash: fa3800753d8d4e969905179c00c99acfdba1a89ac750c7f6aa372e468b974443
                • Instruction Fuzzy Hash: 00918C78A04209EFCB04EF94D9919BDB7B2FF5A300F148059F906AB292DB71AF45CB51
                APIs
                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\QQpQgSYkjW.exe,00000104), ref: 00151769
                • _free.LIBCMT ref: 00151834
                • _free.LIBCMT ref: 0015183E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Users\user\Desktop\QQpQgSYkjW.exe
                • API String ID: 2506810119-1031708830
                • Opcode ID: 098f84f18d2f86392df4b0a49a052a3328a677853114db5451691e515b9a530b
                • Instruction ID: 891ba15806a1ec34f013a39d1f96e3f111e2d04c6d7d8f1a1250da5fdb513272
                • Opcode Fuzzy Hash: 098f84f18d2f86392df4b0a49a052a3328a677853114db5451691e515b9a530b
                • Instruction Fuzzy Hash: F6318375A40218FFDB22DB99D881E9EBBFCEB99311B144166FC249B211D7708E45CB90
                APIs
                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0018C306
                • DeleteMenu.USER32(?,00000007,00000000), ref: 0018C34C
                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001F1990,018A63B8), ref: 0018C395
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Menu$Delete$InfoItem
                • String ID: 0
                • API String ID: 135850232-4108050209
                • Opcode ID: 63bde8d701d15b4f40e9e001d1623c06a7a3c626af005e5bc2c4a900eac0c972
                • Instruction ID: b03f1b683bba67c4db8c7d05bfcc91cc79c37a73b662d0f5ec5792c4f751ddb7
                • Opcode Fuzzy Hash: 63bde8d701d15b4f40e9e001d1623c06a7a3c626af005e5bc2c4a900eac0c972
                • Instruction Fuzzy Hash: BF418D312043019FD724EF29D884B5ABBE4BB95320F148A2DFDA597291D730AA05CFA2
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001BCC08,00000000,?,?,?,?), ref: 001B44AA
                • GetWindowLongW.USER32 ref: 001B44C7
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001B44D7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                • API String ID: 847901565-1698111956
                • Opcode ID: 2e55f2361d9cd0c06602eb96c4b362c4c73fcd01f9204e6584c3184ba97fe127
                • Instruction ID: 81be10abdefca39a9e035677a937735d9cf6dd33ef8939a35b49f91808b70a27
                • Opcode Fuzzy Hash: 2e55f2361d9cd0c06602eb96c4b362c4c73fcd01f9204e6584c3184ba97fe127
                • Instruction Fuzzy Hash: 5C319E31210605AFDF208E38DC45FEA7BA9EB08334F208715F975922D1D770EC6097A0
                APIs
                  • Part of subcall function 001A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001A3077,?,?), ref: 001A3378
                • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001A307A
                • _wcslen.LIBCMT ref: 001A309B
                • htons.WSOCK32(00000000,?,?,00000000), ref: 001A3106
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                • String ID: 255.255.255.255
                • API String ID: 946324512-2422070025
                • Opcode ID: 087db102d8daaa291f450324a59f206d8836e81f4fd615ed652716d9e40539fe
                • Instruction ID: 0b2f6e879021a78f44ebae791f0f183b8fb96dd47c56d81ce6cd5e8807c176c6
                • Opcode Fuzzy Hash: 087db102d8daaa291f450324a59f206d8836e81f4fd615ed652716d9e40539fe
                • Instruction Fuzzy Hash: 2031CF792042059FCB20CF68C586FAA77E0EF56318F258059F8258B3A2DB32EE45C760
                APIs
                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001B4705
                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001B4713
                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001B471A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$DestroyWindow
                • String ID: msctls_updown32
                • API String ID: 4014797782-2298589950
                • Opcode ID: eadc295989b45e27a71c13a218757389770c46750e938879eb1bb3606449801e
                • Instruction ID: 42e60b7ad50d3f46c5f22df070d1f7877a1e8a4d8024ab351be1b143ed257a1f
                • Opcode Fuzzy Hash: eadc295989b45e27a71c13a218757389770c46750e938879eb1bb3606449801e
                • Instruction Fuzzy Hash: A0213EB5600209AFDB11DF64DC81DF737ADEB5A398B044159FA009B291CB71EC51CAA0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                • API String ID: 176396367-2734436370
                • Opcode ID: 171dff23f89794f2c0320fc4cf2a218921060a25c69da23e41104784580e5401
                • Instruction ID: 2e2d7b17e0efe95e07d6575f09d5b15f7eef7a75d87e25af11adbaa808852c85
                • Opcode Fuzzy Hash: 171dff23f89794f2c0320fc4cf2a218921060a25c69da23e41104784580e5401
                • Instruction Fuzzy Hash: 71213A72204621A6D335BB24DC02FBB73D89FA5310F28443AF94997181FB51AF52C7D5
                APIs
                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001B3840
                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001B3850
                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001B3876
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$MoveWindow
                • String ID: Listbox
                • API String ID: 3315199576-2633736733
                • Opcode ID: 27d49b9218f5455642c83cf082d117c38f6c34dc74e5c69482f307bb40a6cdc2
                • Instruction ID: f52e7526673cde8bfb6305b32e389c183a6ed53ed628b279373fad6c3527fe94
                • Opcode Fuzzy Hash: 27d49b9218f5455642c83cf082d117c38f6c34dc74e5c69482f307bb40a6cdc2
                • Instruction Fuzzy Hash: DC218E72610218BBEB219F55DC85EFB376EEF99750F118224F9149B190CB71DC6287E0
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00182258
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0018228A
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001822CA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$_wcslen
                • String ID: @U=u
                • API String ID: 763830540-2594219639
                • Opcode ID: 0c17c0e921eaab5fd2dfcd396523080272d98bd190c14f23c40fd657bd263d44
                • Instruction ID: 6169d09be4f374ff7f2ae191cbb08565e5817f9cf0253f31f25386c5e15bb064
                • Opcode Fuzzy Hash: 0c17c0e921eaab5fd2dfcd396523080272d98bd190c14f23c40fd657bd263d44
                • Instruction Fuzzy Hash: 1F21C931700214BBDB21BB559D49FEE3BA9EB6D710F044025FE05D7281DBB4CA458BA1
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00194A08
                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00194A5C
                • SetErrorMode.KERNEL32(00000000,?,?,001BCC08), ref: 00194AD0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: %lu
                • API String ID: 2507767853-685833217
                • Opcode ID: 47a7ca1d58563b3cbfbd751f50170b0110aa658f5b65a189a7dc92aafa78650e
                • Instruction ID: 259304a7b53961331be271c0824e71690ae58a03018a0fa7bfdb40ae53e3c6a3
                • Opcode Fuzzy Hash: 47a7ca1d58563b3cbfbd751f50170b0110aa658f5b65a189a7dc92aafa78650e
                • Instruction Fuzzy Hash: CF317375A00108AFDB10DF58C885EAA7BF8EF08308F1440A5F505EB252D771ED46CBA1
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00181B4F
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00181B61
                • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00181B99
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: fb13381677f6e1ae878a6a33806ef00954bf523e912d9229dc12b98c4dc8590f
                • Instruction ID: 358a9e4bc3ebd3987044e2a4aad1250d6417546cd66cccc7c51cd5361f0bda06
                • Opcode Fuzzy Hash: fb13381677f6e1ae878a6a33806ef00954bf523e912d9229dc12b98c4dc8590f
                • Instruction Fuzzy Hash: C9218E32A00118BFDB25EBA9D841DEEB7FEAF44350F11046AE105E3290EB71AE418B94
                APIs
                • SendMessageW.USER32(00000402,00000000,00000000), ref: 001A0D24
                • SendMessageW.USER32(0000000C,00000000,?), ref: 001A0D65
                • SendMessageW.USER32(0000000C,00000000,?), ref: 001A0D8D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 6871fab4234e654a491d68eb1f7782c68855f70c075577ded0e289a7e8148a20
                • Instruction ID: a3bd9ea9cc03bc7b80cf842ce6852b12d2ca381863664b6eb53b4ee42d8372e6
                • Opcode Fuzzy Hash: 6871fab4234e654a491d68eb1f7782c68855f70c075577ded0e289a7e8148a20
                • Instruction Fuzzy Hash: 0E21567A204510EFD711EBA4E981D6AB7E6FF1A320B018555F909DBA71CB70FCA0CB90
                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001B424F
                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001B4264
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001B4271
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                • API String ID: 3850602802-1010561917
                • Opcode ID: aec7618e7d7faadac5396374586c9554b9e4b403188290916aa808ebedd20915
                • Instruction ID: 503dd1ad3dc50f7f57541286e0bedd57f18534b612edcbf79b1bc8165182bede
                • Opcode Fuzzy Hash: aec7618e7d7faadac5396374586c9554b9e4b403188290916aa808ebedd20915
                • Instruction Fuzzy Hash: 5B11E371240248BFEF209E29DC06FEB3BACEF95B54F014114FA55E2091D371DC519B50
                APIs
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                  • Part of subcall function 00182DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00182DC5
                  • Part of subcall function 00182DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00182DD6
                  • Part of subcall function 00182DA7: GetCurrentThreadId.KERNEL32 ref: 00182DDD
                  • Part of subcall function 00182DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00182DE4
                • GetFocus.USER32 ref: 00182F78
                  • Part of subcall function 00182DEE: GetParent.USER32(00000000), ref: 00182DF9
                • GetClassNameW.USER32(?,?,00000100), ref: 00182FC3
                • EnumChildWindows.USER32(?,0018303B), ref: 00182FEB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                • String ID: %s%d
                • API String ID: 1272988791-1110647743
                • Opcode ID: 78fb15367d1490a51323d0945124cfaebdfd12c9e2465d30195ba6de6357f4d0
                • Instruction ID: 6b53144a0b691a4d82af2042a2308a624202011a79154e6e41f280ea620660ec
                • Opcode Fuzzy Hash: 78fb15367d1490a51323d0945124cfaebdfd12c9e2465d30195ba6de6357f4d0
                • Instruction Fuzzy Hash: 2911B1B57002056BCF157FB09C85EEE3B6AAFA4704F044075F9199B292DF309A498F70
                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 001B34AB
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001B34BA
                 Memory Dump Source
                 • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: @U=u$edit
                • API String ID: 2978978980-590756393
                • Opcode ID: 233a0c57d009f9b320c6c7822957a10efe9b3a379e6fbac1f670aab1d5bee0cf
                • Instruction ID: 34f194d2f4b4f6db1e041d68d08ced9b04da00cea9c3ff5b36f8dcbe5a77fa57
                • Opcode Fuzzy Hash: 233a0c57d009f9b320c6c7822957a10efe9b3a379e6fbac1f670aab1d5bee0cf
                • Instruction Fuzzy Hash: C1114C71100208AFEB228E68DC84AFB376AEF15778F504724F975971E0C771DDA1ABA0
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                  • Part of subcall function 00183CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00183CCA
                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00181C46
                 Memory Dump Source
                 • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: @U=u$ComboBox$ListBox
                • API String ID: 624084870-2258501812
                • Opcode ID: 396063526406004e218a5ed4791f76fe863509016391a595d5f692979eeae22d
                • Instruction ID: b08a3bd724af52a3ad91f57c7d4d9386891fa565985f39ee6412a4854e7aa1b7
                • Opcode Fuzzy Hash: 396063526406004e218a5ed4791f76fe863509016391a595d5f692979eeae22d
                • Instruction Fuzzy Hash: CD01A776A8111877CB08FB94D951DFF77ADAB25740F140019B41667281EB209F199BB1
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                  • Part of subcall function 00183CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00183CCA
                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00181CC8
                 Memory Dump Source
                 • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: @U=u$ComboBox$ListBox
                • API String ID: 624084870-2258501812
                • Opcode ID: fe7624e0ecabc22f255781acf1d600a8008232985fccf97d4fbc17351e71191c
                • Instruction ID: daaca96e6bc86e75cf760890416129e71249685d3f1cfc2eebcc0b92e0094e2e
                • Opcode Fuzzy Hash: fe7624e0ecabc22f255781acf1d600a8008232985fccf97d4fbc17351e71191c
                • Instruction Fuzzy Hash: 4A01F9B6B8011877CB04FBA5DA11EFF73ADAB21740F540015B80277281EB609F19DB71
                APIs
                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001B58C1
                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001B58EE
                • DrawMenuBar.USER32(?), ref: 001B58FD
                 Memory Dump Source
                 • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Menu$InfoItem$Draw
                • String ID: 0
                • API String ID: 3227129158-4108050209
                • Opcode ID: 172ae13ae7a511f8b6fdc5757d48d844e99846199b0d0b9bafbb99145915bd5b
                • Instruction ID: b3444826f4998f024412687c4b3aac3feb30ad0ac38e80a3ce89781643c0a4ae
                • Opcode Fuzzy Hash: 172ae13ae7a511f8b6fdc5757d48d844e99846199b0d0b9bafbb99145915bd5b
                • Instruction Fuzzy Hash: 7C012D31600218EFDB219F11DC44BEEBBB5FB45365F1480AAE849D6151DB308A95DF61
                APIs
                • GetForegroundWindow.USER32(?,001F18B0,001BA364,000000FC,?,00000000,00000000,?,?,?,001776CF,?,?,?,?,?), ref: 001B7805
                • GetFocus.USER32 ref: 001B780D
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                  • Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952
                • SendMessageW.USER32(018AF298,000000B0,000001BC,000001C0), ref: 001B787A
                 Memory Dump Source
                 • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$Long$FocusForegroundMessageSend
                • String ID: @U=u
                • API String ID: 3601265619-2594219639
                • Opcode ID: 994b88c57cb8b3899a72b79492e611b43651c126f2889b2e6145e3ae2bc52727
                • Instruction ID: e8294ae82fcc99c5d5a2f0af468b1240a5b7d90a35f7010354a8e8e367c0e514
                • Opcode Fuzzy Hash: 994b88c57cb8b3899a72b79492e611b43651c126f2889b2e6145e3ae2bc52727
                • Instruction Fuzzy Hash: 55018F31601100DFD325DB28E858AF633E6BFCA324F18026DE415876E0DB716C42CB80
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 166a6a01a95d410f1a78f0567e249b00028ffa34734a18ef45081f6462325a21
                • Instruction ID: 201e8da7aa6dc1cc3974b2270d43354bc64d9601192ddb70f1c58cb481233aba
                • Opcode Fuzzy Hash: 166a6a01a95d410f1a78f0567e249b00028ffa34734a18ef45081f6462325a21
                • Instruction Fuzzy Hash: 5DC18C75A0020AEFDB55DFA4C898AAEB7B5FF48304F118198E805EB251C770EE85CF90
                 Memory Dump Source
                 • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Variant$ClearInitInitializeUninitialize
                • String ID:
                • API String ID: 1998397398-0
                • Opcode ID: cd9f74ca2c310e6a1b8520451a6ce8e981bdfc6cada42a2fdd514a2d6d9911b8
                • Instruction ID: 25569b8264cbcf34f0cb5fa14cf7c321dc54531c1da37f0161ae79dbde9d7ae9
                • Opcode Fuzzy Hash: cd9f74ca2c310e6a1b8520451a6ce8e981bdfc6cada42a2fdd514a2d6d9911b8
                • Instruction Fuzzy Hash: C2A14A796043109FC704DF28D585A2AB7E5FF99714F048859F99AAB3A2DB30EE01CB91
                APIs
                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001BFC08,?), ref: 001805F0
                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001BFC08,?), ref: 00180608
                • CLSIDFromProgID.OLE32(?,?,00000000,001BCC40,000000FF,?,00000000,00000800,00000000,?,001BFC08,?), ref: 0018062D
                • _memcmp.LIBVCRUNTIME ref: 0018064E
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FromProg$FreeTask_memcmp
                • String ID:
                • API String ID: 314563124-0
                • Opcode ID: efa26a7bb5544ceca365144abbc3e7d122ef4d8f67c3ef6361efd51faead8d6c
                • Instruction ID: 99057381209e6b2d49c0e63b22fe2586baeec34ba1664bf2d7b13931c55373c7
                • Opcode Fuzzy Hash: efa26a7bb5544ceca365144abbc3e7d122ef4d8f67c3ef6361efd51faead8d6c
                • Instruction Fuzzy Hash: 7D810971A00209EFCB45DF94C984EEEB7B9FF89315F204558E506AB250DB71AE4ACF60
                 Memory Dump Source
                 • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 13d3e59c2c7bfeb77d44f39b2f2fd0ab23646b593d1e920708a92548e5536b29
                • Instruction ID: 699821b62964988b787465770f313e6e19b343950b7bb73f651af596933e6131
                • Opcode Fuzzy Hash: 13d3e59c2c7bfeb77d44f39b2f2fd0ab23646b593d1e920708a92548e5536b29
                • Instruction Fuzzy Hash: 9F414F31900111FBDB257BFD9C46ABE3AA5FF61370F1C4225F819D72A1EB7488625262
                APIs
                • socket.WSOCK32(00000002,00000002,00000011), ref: 001A1AFD
                • WSAGetLastError.WSOCK32 ref: 001A1B0B
                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001A1B8A
                • WSAGetLastError.WSOCK32 ref: 001A1B94
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorLast$socket
                • String ID:
                • API String ID: 1881357543-0
                • Opcode ID: d5667c000ba2357ba42e43b5610bbfaf7c579ae6e007c82a2abcfa0d3d6edcfd
                • Instruction ID: a9c4670e49b499b535f67e0c41034b73572ad01b2049c5c3736f10c2f1a5c101
                • Opcode Fuzzy Hash: d5667c000ba2357ba42e43b5610bbfaf7c579ae6e007c82a2abcfa0d3d6edcfd
                • Instruction Fuzzy Hash: DD41C338600210AFE720AF24D886F2A77E5AF59718F54844CF91A9F7D2D772DD41CB90
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7aa36b4e9e5b0db3935e00eba58b8d2211c7b163644dabf31a6c7a305f0fee5e
                • Instruction ID: 3475f06c0b30aa5bff8769bf7aad3d0d2f8674d3052b9f78328790a36f5331b1
                • Opcode Fuzzy Hash: 7aa36b4e9e5b0db3935e00eba58b8d2211c7b163644dabf31a6c7a305f0fee5e
                • Instruction Fuzzy Hash: F541E472A04314FFD7249F38CC81B6ABBA9EB98711F20452EF962DF292D771D9058780
                APIs
                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00195783
                • GetLastError.KERNEL32(?,00000000), ref: 001957A9
                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001957CE
                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001957FA
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                • Opcode ID: bd32ae9b50bdb2ec3dab551ea7c9fca75e0e045689bb6ecb793208973d7aec1a
                • Instruction ID: d37e1d63d4598d97d7461d74a37c113e0be17f352abd5c728379851ac711119a
                • Opcode Fuzzy Hash: bd32ae9b50bdb2ec3dab551ea7c9fca75e0e045689bb6ecb793208973d7aec1a
                • Instruction Fuzzy Hash: A6411D39600620DFCB15EF55D544A5EBBE2EF99320B198488E94AAB362CB34FD50CB91
                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00146D71,00000000,00000000,001482D9,?,001482D9,?,00000001,00146D71,8BE85006,00000001,001482D9,001482D9), ref: 0015D910
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0015D999
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0015D9AB
                • __freea.LIBCMT ref: 0015D9B4
                  • Part of subcall function 00153820: RtlAllocateHeap.NTDLL(00000000,?,001F1444,?,0013FDF5,?,?,0012A976,00000010,001F1440,001213FC,?,001213C6,?,00121129), ref: 00153852
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                • String ID:
                • API String ID: 2652629310-0
                • Opcode ID: 766f2084a030f4f90aea9a6d6c81c74ed1e3b4eef56ed57fc5a06f42421c49de
                • Instruction ID: 823ec4f9bb5d8e0e12212a0a427a98576b635a26379b78ac496887955d52428e
                • Opcode Fuzzy Hash: 766f2084a030f4f90aea9a6d6c81c74ed1e3b4eef56ed57fc5a06f42421c49de
                • Instruction Fuzzy Hash: 1A31D072A0020AEBDF25DF64EC41EAE7BA5EB41315F050268FC24EB160EB35CD58CB90
                APIs
                • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 0018ABF1
                • SetKeyboardState.USER32(00000080,?,00008000), ref: 0018AC0D
                • PostMessageW.USER32(00000000,00000101,00000000), ref: 0018AC74
                • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 0018ACC6
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: 5b9fc7e31811337aa8cc54a17d9d141b46fd92ed3ba1667125ec8a50300186d7
                • Instruction ID: 3fa05fb885d0cae75c1d0d747d632927adf7e1a91f686b5f1d9dae880dab1d12
                • Opcode Fuzzy Hash: 5b9fc7e31811337aa8cc54a17d9d141b46fd92ed3ba1667125ec8a50300186d7
                • Instruction Fuzzy Hash: 79310970A047186FFF35EB658C04BFA7BA5AF49310F88431BE485561D1C3759B858F92
                APIs
                • ClientToScreen.USER32(?,?), ref: 001B769A
                • GetWindowRect.USER32(?,?), ref: 001B7710
                • PtInRect.USER32(?,?,001B8B89), ref: 001B7720
                • MessageBeep.USER32(00000000), ref: 001B778C
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                • Opcode ID: f8008b1324ded0c2424fc83b0e782fa5574173fc302e63c62366658243a55526
                • Instruction ID: 75d75ad9a871b1ca421904dcb7d75f8ab3b82919722ae525a944201128993cbc
                • Opcode Fuzzy Hash: f8008b1324ded0c2424fc83b0e782fa5574173fc302e63c62366658243a55526
                • Instruction Fuzzy Hash: F441AB34A09254EFCB11CF59C898EE9B7F4FB98304F1541A8E8159B2A1CB70E981CF90
                APIs
                • GetForegroundWindow.USER32 ref: 001B16EB
                  • Part of subcall function 00183A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00183A57
                  • Part of subcall function 00183A3D: GetCurrentThreadId.KERNEL32 ref: 00183A5E
                  • Part of subcall function 00183A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001825B3), ref: 00183A65
                • GetCaretPos.USER32(?), ref: 001B16FF
                • ClientToScreen.USER32(00000000,?), ref: 001B174C
                • GetForegroundWindow.USER32 ref: 001B1752
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: f214ed5cdaa12518329146be08944522b6cd75861043d14ce6c33fa772b8353f
                • Instruction ID: 2a58d63606905e293210e9776b62583b38d0c579a1c1da7f17c1926e403eba6d
                • Opcode Fuzzy Hash: f214ed5cdaa12518329146be08944522b6cd75861043d14ce6c33fa772b8353f
                • Instruction Fuzzy Hash: 12317071D00159AFCB04EFA9D881CEEBBF9EF58304B5480A9E415E7651EB319E45CBA0
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 0018D501
                • Process32FirstW.KERNEL32(00000000,?), ref: 0018D50F
                • Process32NextW.KERNEL32(00000000,?), ref: 0018D52F
                • CloseHandle.KERNEL32(00000000), ref: 0018D5DC
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: b12bbe782c866def8a4e64e6d5d751756344a9b1d7f8dbabeec025043d48d043
                • Instruction ID: 2cfda7e032f2ac99e855ba24b25f3186e298fc1221d2ebf8dbf195fbabeca523
                • Opcode Fuzzy Hash: b12bbe782c866def8a4e64e6d5d751756344a9b1d7f8dbabeec025043d48d043
                • Instruction Fuzzy Hash: D431D4310083009FD300EF54E881AAFBBF8FFA9354F14092DF581971A1EB719A89CB92
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                • GetCursorPos.USER32(?), ref: 001B9001
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00177711,?,?,?,?,?), ref: 001B9016
                • GetCursorPos.USER32(?), ref: 001B905E
                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00177711,?,?,?), ref: 001B9094
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                 • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Cursor$LongMenuPopupProcTrackWindow
                • String ID:
                • API String ID: 2864067406-0
                • Opcode ID: 4f630d8c9e10769571e348b60b42cd482bd01d32ac09d44af06aede547b005ee
                • Instruction ID: 4990af44fea035401c85262adff5f325f949324778a318f7f0c7260ce814eace
                • Opcode Fuzzy Hash: 4f630d8c9e10769571e348b60b42cd482bd01d32ac09d44af06aede547b005ee
                • Instruction Fuzzy Hash: 4F21AE35600018FFDB259F94CC98EFA7BB9FF8A350F044169FA059B261C3719991DBA0
                APIs
                • GetFileAttributesW.KERNEL32(?,001BCB68), ref: 0018D2FB
                • GetLastError.KERNEL32 ref: 0018D30A
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0018D319
                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001BCB68), ref: 0018D376
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast
                • String ID:
                • API String ID: 2267087916-0
                • Opcode ID: 1dd5a8ca3c91a62b6f557b2d5774d5f6e67741bad6e4eff5fdefae4d8a4bdefa
                • Instruction ID: e9561f213a96cd4750aa6ba05f9c7f461e242212450dcd61476872d230d7d17c
                • Opcode Fuzzy Hash: 1dd5a8ca3c91a62b6f557b2d5774d5f6e67741bad6e4eff5fdefae4d8a4bdefa
                • Instruction Fuzzy Hash: 5E216DB05093019F8710EF28E8818AEB7E4BF5A364F504A1DF899C72E1D7319A46CF93
                APIs
                  • Part of subcall function 00181014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0018102A
                  • Part of subcall function 00181014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00181036
                  • Part of subcall function 00181014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181045
                  • Part of subcall function 00181014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0018104C
                  • Part of subcall function 00181014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00181062
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001815BE
                • _memcmp.LIBVCRUNTIME ref: 001815E1
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00181617
                • HeapFree.KERNEL32(00000000), ref: 0018161E
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                • String ID:
                • API String ID: 1592001646-0
                • Opcode ID: 1ddc9dd9874aad4171ad83d9b5b698d6feeb99f168061fcf287cf8e628f75f3c
                • Instruction ID: 5d617301997da19595d70c420d341a5e4458b0ecd158e80da28418702a420b1d
                • Opcode Fuzzy Hash: 1ddc9dd9874aad4171ad83d9b5b698d6feeb99f168061fcf287cf8e628f75f3c
                • Instruction Fuzzy Hash: 8E212772E00109FFDB10EFA4C945BEEB7B8EF45354F184459E441AB241E770AA46CFA0
                APIs
                • GetWindowLongW.USER32(?,000000EC), ref: 001B280A
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001B2824
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 001B2832
                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001B2840
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$Long$AttributesLayered
                • String ID:
                • API String ID: 2169480361-0
                • Opcode ID: 0f72eca7538f7ab3b951958e75d1aad6f8770d67262477201a23d3ddc181a22d
                • Instruction ID: f5fe7ba24b90cb403f5f00ee8e2db00bdb570d66f73f99e112b5659f9b0e8a1a
                • Opcode Fuzzy Hash: 0f72eca7538f7ab3b951958e75d1aad6f8770d67262477201a23d3ddc181a22d
                • Instruction Fuzzy Hash: E021B331308511AFD7149B24D845FEA7B99AF59324F148258F4268B6E2CB71FC86C7D0
                APIs
                  • Part of subcall function 00188D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0018790A,?,000000FF,?,00188754,00000000,?,0000001C,?,?), ref: 00188D8C
                  • Part of subcall function 00188D7D: lstrcpyW.KERNEL32(00000000,?,?,0018790A,?,000000FF,?,00188754,00000000,?,0000001C,?,?,00000000), ref: 00188DB2
                  • Part of subcall function 00188D7D: lstrcmpiW.KERNEL32(00000000,?,0018790A,?,000000FF,?,00188754,00000000,?,0000001C,?,?), ref: 00188DE3
                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00188754,00000000,?,0000001C,?,?,00000000), ref: 00187923
                • lstrcpyW.KERNEL32(00000000,?,?,00188754,00000000,?,0000001C,?,?,00000000), ref: 00187949
                • lstrcmpiW.KERNEL32(00000002,cdecl,?,00188754,00000000,?,0000001C,?,?,00000000), ref: 00187984
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: lstrcmpilstrcpylstrlen
                • String ID: cdecl
                • API String ID: 4031866154-3896280584
                • Opcode ID: 2226f4f41f52a3f82583afdda52d81e4b20bac519a50e8279a5bfa4885465ce5
                • Instruction ID: 7073e5c3f0b248277faca558e2ddf345ce81d8bbd3b886454fff08907228e582
                • Opcode Fuzzy Hash: 2226f4f41f52a3f82583afdda52d81e4b20bac519a50e8279a5bfa4885465ce5
                • Instruction Fuzzy Hash: 6311293A600342ABCB15BF39C844D7A77A9FF553A4B50412AF842C72A4EF31D901CB91
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00181A47
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00181A59
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00181A6F
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00181A8A
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 05e8c8ac0eac9cdae7de94f698de22482cc346bcc6f1b427ddeee933123a7774
                • Instruction ID: ab65c9477001dc1691b7153afceb2280631399d86d19356e27133b55d649f2ad
                • Opcode Fuzzy Hash: 05e8c8ac0eac9cdae7de94f698de22482cc346bcc6f1b427ddeee933123a7774
                • Instruction Fuzzy Hash: 8F11273A901219FFEB10ABA4C985FADBB79EB08750F200091EA10B7290D7716F51DB94
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 0018E1FD
                • MessageBoxW.USER32(?,?,?,?), ref: 0018E230
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0018E246
                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0018E24D
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                • String ID:
                • API String ID: 2880819207-0
                • Opcode ID: b9c624eb6ad538f602732dc7a0d2cfb26cc3b7e3b4ba698dd8692df5e1c84db1
                • Instruction ID: 433f9707a40091f83f8be662dcf622dd0ec468816237bf99a8bf5f664ade2980
                • Opcode Fuzzy Hash: b9c624eb6ad538f602732dc7a0d2cfb26cc3b7e3b4ba698dd8692df5e1c84db1
                • Instruction Fuzzy Hash: 1411DB76904254FBC701AFA89C05AAF7FEEAB45320F544365F915E3691D7B0CE44CBA0
                APIs
                • CreateThread.KERNEL32(00000000,?,0014CFF9,00000000,00000004,00000000), ref: 0014D218
                • GetLastError.KERNEL32 ref: 0014D224
                • __dosmaperr.LIBCMT ref: 0014D22B
                • ResumeThread.KERNEL32(00000000), ref: 0014D249
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Thread$CreateErrorLastResume__dosmaperr
                • String ID:
                • API String ID: 173952441-0
                • Opcode ID: 082bd412f2cbb1c7101e167627bad19e26ef5f025cebe72f04b8f44bd91fc711
                • Instruction ID: 6b0902a7bfc21536b44561e60feeb87b9b517e8c9a90dad51d0e61856ecfe8d5
                • Opcode Fuzzy Hash: 082bd412f2cbb1c7101e167627bad19e26ef5f025cebe72f04b8f44bd91fc711
                • Instruction Fuzzy Hash: 7601D236805214BBCF115BA5EC09FAE7AA9EF91731F100329F925961F0CFB0C945C6E0
                APIs
                • ___BuildCatchObject.LIBVCRUNTIME ref: 00143B56
                  • Part of subcall function 00143AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00143AD2
                  • Part of subcall function 00143AA3: ___AdjustPointer.LIBCMT ref: 00143AED
                • _UnwindNestedFrames.LIBCMT ref: 00143B6B
                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00143B7C
                • CallCatchBlock.LIBVCRUNTIME ref: 00143BA4
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                • String ID:
                • API String ID: 737400349-0
                • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                • Instruction ID: 1b091a12bb0c4c552292e34e0e1de3de7d30ba2fa069f017a2980fbb3436e4a6
                • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                • Instruction Fuzzy Hash: 1E010832100149BBDF126E95CC46EEB7F6EEFA8754F044118FE58A6131C732E961EBA0
                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001213C6,00000000,00000000,?,0015301A,001213C6,00000000,00000000,00000000,?,0015328B,00000006,FlsSetValue), ref: 001530A5
                • GetLastError.KERNEL32(?,0015301A,001213C6,00000000,00000000,00000000,?,0015328B,00000006,FlsSetValue,001C2290,FlsSetValue,00000000,00000364,?,00152E46), ref: 001530B1
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0015301A,001213C6,00000000,00000000,00000000,?,0015328B,00000006,FlsSetValue,001C2290,FlsSetValue,00000000), ref: 001530BF
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 0a650472d57af5fa19fc0f5ff907e6b6a6333c90443e768d1878a3456b387ae1
                • Instruction ID: 8517c3339c14b9020f796eea6ed2a84d08944552a6d732d11dc567866f55f209
                • Opcode Fuzzy Hash: 0a650472d57af5fa19fc0f5ff907e6b6a6333c90443e768d1878a3456b387ae1
                • Instruction Fuzzy Hash: 3101D432301322EBCB224A78DC849677B98AF45BE2B110720FD35EB180C721D949C6E0
                APIs
                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0018747F
                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00187497
                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001874AC
                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001874CA
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Type$Register$FileLoadModuleNameUser
                • String ID:
                • API String ID: 1352324309-0
                • Opcode ID: 59c4a894568008e06871136485151faaf0d62e8ba1e14dc05eacf529b26cdbc3
                • Instruction ID: 3f3b16a59ed26e548e87f0bf285a71a04dddc6b0bd7330606eaea1236cfff435
                • Opcode Fuzzy Hash: 59c4a894568008e06871136485151faaf0d62e8ba1e14dc05eacf529b26cdbc3
                • Instruction Fuzzy Hash: 8E11C0B1209310AFE720AF54DC08FA27FFCEB00B10F208569A656D6591D7B0EA44DFA0
                APIs
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B0C4
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B0E9
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B0F3
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0018ACD3,?,00008000), ref: 0018B126
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                • API String ID: 2875609808-0
                • Opcode ID: 8a2570d086b3ab92876c03728131da19f6ad8959ce7c2c3fa6f3b77530fbb30a
                • Instruction ID: 8bb6f72be4f0b7e2a95fafa689d6b6e62e243b15c6f839910cddb522037c4c7b
                • Opcode Fuzzy Hash: 8a2570d086b3ab92876c03728131da19f6ad8959ce7c2c3fa6f3b77530fbb30a
                • Instruction Fuzzy Hash: 47115B71C0562CEBCF04EFE8E9A86EEBB78FF09711F114186E981B6181CB3056908B91
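The function records on this page all share one fixed layout: an "APIs" list whose lines read "Name.MODULE(args), ref: ADDR" (prefixed with "Part of subcall function ADDR:" when the call sits in a callee), followed by the "Similarity" fields ("API ID", "API String ID", "Opcode ID"). As an added example that is not part of the Joe Sandbox report and not Joe Sandbox tooling, the Python script below parses that layout, applies a small analyst-written rule table (the timing pair QueryPerformanceCounter/Sleep from the record just above, the GetTokenInformation/LookupPrivilegeValueW combination, and a few others), and groups records that share an "API String ID". The rule labels are this example's own wording, not sandbox signature names, and the embedded sample is a constructed, abbreviated copy of four records from this page.

```python
"""Triage helper for Joe Sandbox "IDA Plugin" function records (added example)."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# One API line of a record, e.g. "• Sleep.KERNEL32(00000000,?), ref: 0018B0E9",
# "• Part of subcall function 00181014: GetLastError.KERNEL32(?), ref: 00181036"
# or the paren-less form "• _memcmp.LIBVCRUNTIME ref: 001815E1".
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:$]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API String ID|Opcode ID|API ID):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int]  # callee address when the call is reached through a subcall

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""

    @property
    def direct_apis(self) -> set:
        return {c.name for c in self.calls if c.subcall_of is None}

    @property
    def all_apis(self) -> set:
        return {c.name for c in self.calls}

def parse_records(text: str) -> list:
    """Split the dump on 'APIs' headers; collect calls and similarity fields per record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = _API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            sub = int(m["sub"], 16) if m["sub"] else None
            current.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
            continue
        f = _FIELD_RE.match(line)
        if f:
            setattr(current, f["key"].lower().replace(" ", "_"), f["val"])
    return records

# Heuristic rules (label, APIs that must all appear in the record); analyst wording.
RULES = [
    ("execution timing loop: QueryPerformanceCounter around Sleep (timing-based debugger/sandbox check)",
     {"QueryPerformanceCounter", "Sleep"}),
    ("token integrity level / privilege lookup", {"GetTokenInformation", "LookupPrivilegeValueW"}),
    ("thread and process token opened", {"OpenThreadToken", "OpenProcessToken"}),
    ("window made layered/transparent", {"SetWindowLongW", "SetLayeredWindowAttributes"}),
    ("input queue attached to another thread", {"GetWindowThreadProcessId", "AttachThreadInput"}),
]

def flag_record(rec: FunctionRecord) -> list:
    return [label for label, needed in RULES if needed <= rec.all_apis]

def anchor(rec: FunctionRecord) -> str:
    """Lowest direct-call address, a stable handle for jumping to the record in IDA."""
    refs = [c.ref for c in rec.calls if c.subcall_of is None] or [c.ref for c in rec.calls]
    return f"{min(refs):08X}" if refs else ""

def group_by_api_string_id(records: list) -> dict:
    """Records with one 'API String ID' are the same API/string mix at different addresses."""
    groups = defaultdict(list)
    for r in records:
        if r.api_string_id:
            groups[r.api_string_id].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}

def triage(text: str) -> dict:
    records = parse_records(text)
    flags = {anchor(r): flag_record(r) for r in records if flag_record(r)}
    dups = {k: len(v) for k, v in group_by_api_string_id(records).items()}
    return {"flags": flags, "duplicates": dups}

# Constructed sample: abbreviated copies of four records from this page.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,0018ACD3,?,00008000), ref: 0018B0C4
• Sleep.KERNEL32(00000000,?,?,0018ACD3,?,00008000), ref: 0018B0E9
• QueryPerformanceCounter.KERNEL32(?,?,0018ACD3,?,00008000), ref: 0018B0F3
• Sleep.KERNEL32(00000000,?,?,0018ACD3,?,00008000), ref: 0018B126
Similarity
• API ID: CounterPerformanceQuerySleep
• API String ID: 2875609808-0
APIs
  • Part of subcall function 00181014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0018102A
  • Part of subcall function 00181014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00181036
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001815BE
• _memcmp.LIBVCRUNTIME ref: 001815E1
• HeapFree.KERNEL32(00000000), ref: 0018161E
Similarity
• API String ID: 1592001646-0
APIs
• GetDesktopWindow.USER32 ref: 0017D858
• GetDC.USER32(00000000), ref: 0017D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0017D882
Similarity
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 0017D86C
• GetDC.USER32(00000000), ref: 0017D876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0017D882
Similarity
• API String ID: 2889604237-0
"""

if __name__ == "__main__":
    for ref, hits in triage(SAMPLE)["flags"].items():
        print(ref, "->", "; ".join(hits))
```

Run against the full record listing of a report, it lists the address of each function matching a rule so the analyst can jump to it in the IDA snapshot, and the duplicate map shows which records are the same logic emitted twice. The rules are deliberately conservative and need the hit to be read in context: a QueryPerformanceCounter/Sleep pair is exactly what a benign precise-sleep routine in a scripting runtime looks like, so the flag is a pointer, not a verdict.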
                APIs
                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00182DC5
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00182DD6
                • GetCurrentThreadId.KERNEL32 ref: 00182DDD
                • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00182DE4
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                • String ID:
                • API String ID: 2710830443-0
                • Opcode ID: 5ed60016c57cb143e6af3eba3de145c433a5ad1f1b65bf5a540383ec67887fa2
                • Instruction ID: 3a99732c72af303ae8b505694add592365ef468a431e644d5df3b416e7d4e5a0
                • Opcode Fuzzy Hash: 5ed60016c57cb143e6af3eba3de145c433a5ad1f1b65bf5a540383ec67887fa2
                • Instruction Fuzzy Hash: F6E0ED72501224BBD7212BA69C0DEEB7F6CEB56BA1F400215F505D1591ABA58981CAF0
                APIs
                  • Part of subcall function 00139639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00139693
                  • Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396A2
                  • Part of subcall function 00139639: BeginPath.GDI32(?), ref: 001396B9
                  • Part of subcall function 00139639: SelectObject.GDI32(?,00000000), ref: 001396E2
                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001B8887
                • LineTo.GDI32(?,?,?), ref: 001B8894
                • EndPath.GDI32(?), ref: 001B88A4
                • StrokePath.GDI32(?), ref: 001B88B2
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                • String ID:
                • API String ID: 1539411459-0
                • Opcode ID: 5e438dd9071b5371ea4e18862a587daa81accf7e3841d7a7ae9cb3991ba7541a
                • Instruction ID: 9ab927976a1019df3d5a3366833eb9eb603cb6896597b32560c2ffe21bd9df70
                • Opcode Fuzzy Hash: 5e438dd9071b5371ea4e18862a587daa81accf7e3841d7a7ae9cb3991ba7541a
                • Instruction Fuzzy Hash: 43F0823A041259FBDB126F94AC0EFDE3F59AF06710F048100FA11654E1C7B55591CFE5
                APIs
                • GetSysColor.USER32(00000008), ref: 001398CC
                • SetTextColor.GDI32(?,?), ref: 001398D6
                • SetBkMode.GDI32(?,00000001), ref: 001398E9
                • GetStockObject.GDI32(00000005), ref: 001398F1
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Color$ModeObjectStockText
                • String ID:
                • API String ID: 4037423528-0
                • Opcode ID: 12b586624e4fd81091d16edd42973f2a4ca253dd294ed26c5f177d7b54c4744b
                • Instruction ID: 0acaad84c9534a4ad208fc934e194ec4b5c105c5463695a577cafbbe90c63e9a
                • Opcode Fuzzy Hash: 12b586624e4fd81091d16edd42973f2a4ca253dd294ed26c5f177d7b54c4744b
                • Instruction Fuzzy Hash: 2DE06D31244280EADB215B79AC09BE83F21AB52336F04C319F6FA684E1C37146809B20
                APIs
                • GetCurrentThread.KERNEL32 ref: 00181634
                • OpenThreadToken.ADVAPI32(00000000,?,?,?,001811D9), ref: 0018163B
                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001811D9), ref: 00181648
                • OpenProcessToken.ADVAPI32(00000000,?,?,?,001811D9), ref: 0018164F
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CurrentOpenProcessThreadToken
                • String ID:
                • API String ID: 3974789173-0
                • Opcode ID: a4e384fb962aa544a2d2c1a262295a29c5e4c5b2dcb544cfd1fc0a154f9c4014
                • Instruction ID: 3e29adb8fd7dde1912b172fb4f3666dd2fe5fa2a0cd6211dd413956a632d28f5
                • Opcode Fuzzy Hash: a4e384fb962aa544a2d2c1a262295a29c5e4c5b2dcb544cfd1fc0a154f9c4014
                • Instruction Fuzzy Hash: A9E08636601211EBD7202FA09D0DB873B7CAF54791F184918F285C9090E7744581CBA0
                APIs
                • GetDesktopWindow.USER32 ref: 0017D858
                • GetDC.USER32(00000000), ref: 0017D862
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0017D882
                • ReleaseDC.USER32(?), ref: 0017D8A3
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: ef4506b7cc76b5e32ce10f6c0fd2d45c96226145282eb80031612656f95be27d
                • Instruction ID: a1328ea046efbd75fb15ab21eb0b422e7b3c115e5c80c634c47f535f18466947
                • Opcode Fuzzy Hash: ef4506b7cc76b5e32ce10f6c0fd2d45c96226145282eb80031612656f95be27d
                • Instruction Fuzzy Hash: 0CE01AB4C00204DFCB45AFA4E948A6DBBB1FB48310F118109F806E7750C7384991AF90
                APIs
                • GetDesktopWindow.USER32 ref: 0017D86C
                • GetDC.USER32(00000000), ref: 0017D876
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0017D882
                • ReleaseDC.USER32(?), ref: 0017D8A3
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: 454cefad7a0b21e26fa37c1b5e18c3eeebbc1d7579dac0b6461329ae9a6b130a
                • Instruction ID: d5b768b576ce1493713bebbfc698578b83e52a932c1a9305a401a67fda38c525
                • Opcode Fuzzy Hash: 454cefad7a0b21e26fa37c1b5e18c3eeebbc1d7579dac0b6461329ae9a6b130a
                • Instruction Fuzzy Hash: C0E012B4C00204EFCB40AFA8E848A6DBBB1BB48310F108108F90AE7750CB385981AF90
                APIs
                  • Part of subcall function 00127620: _wcslen.LIBCMT ref: 00127625
                • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00194ED4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Connection_wcslen
                • String ID: *$LPT
                • API String ID: 1725874428-3443410124
                • Opcode ID: b6ae502d01f0773a1d87cd6f804ae16ffe112ed2da1ab19c8d885220de513b96
                • Instruction ID: 501192f71e3288f7af80a18934fdac34bd9c78489b461a16890f0cecf5b06d63
                • Opcode Fuzzy Hash: b6ae502d01f0773a1d87cd6f804ae16ffe112ed2da1ab19c8d885220de513b96
                • Instruction Fuzzy Hash: 12917175A002159FCB14DF58C484EAABBF1BF48304F198099E80A9F7A2D735ED86CB91
                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 0014E30D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: ErrorHandling__start
                • String ID: pow
                • API String ID: 3213639722-2276729525
                • Opcode ID: 7218483f8b64d7c6395249ee794c77f09cd665a7621e8e69091cc26988729808
                • Instruction ID: 5ff6ea64886f49594c98cde2ceaf35572b825e12b51b92efecf2f61ac1178436
                • Opcode Fuzzy Hash: 7218483f8b64d7c6395249ee794c77f09cd665a7621e8e69091cc26988729808
                • Instruction Fuzzy Hash: 9C518E61A0C202D7CB167B14E9137793BE4FB50742F344968E8E58A2F9DB31CCC99A46
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID:
                • String ID: #
                • API String ID: 0-1885708031
                • Opcode ID: fe0c4c036b17520e134753e8d6f071a05f347e3e4b7c33263d0e3d68092c9ed4
                • Instruction ID: d1181666c979c95bfe3371d8f6a8de631316395ec46a986dd885eee0e8599e97
                • Opcode Fuzzy Hash: fe0c4c036b17520e134753e8d6f071a05f347e3e4b7c33263d0e3d68092c9ed4
                • Instruction Fuzzy Hash: C4512335504346EFDB19DF68D481ABA7BF8EF29310F248099F8959B2D0D7349D52CBA0
                APIs
                • Sleep.KERNEL32(00000000), ref: 0013F2A2
                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0013F2BB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: GlobalMemorySleepStatus
                • String ID: @
                • API String ID: 2783356886-2766056989
                • Opcode ID: 93fff316f6be2e31da707982c82c6b16a03fd20afe13d472a6fb5b8b49ad36de
                • Instruction ID: 1203bec449c4423e0ce5983f67619601798ebae293c9eda62bc3996a215808a0
                • Opcode Fuzzy Hash: 93fff316f6be2e31da707982c82c6b16a03fd20afe13d472a6fb5b8b49ad36de
                • Instruction Fuzzy Hash: 6A512872408744ABD320AF54EC86BAFBBF8FB95300F81885DF1D941195EB708579CBA6
                APIs
                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001829EB
                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00182A8D
                  • Part of subcall function 00182C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00182CE0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 08e105fc1c78b2287fb6b1f5d1ff31367b479c5a7ca8539ee3ae30c68b2a16e8
                • Instruction ID: a84b3fa7140adc8728e590e1eb49848d4c312a614c444ef362943bf24836cf28
                • Opcode Fuzzy Hash: 08e105fc1c78b2287fb6b1f5d1ff31367b479c5a7ca8539ee3ae30c68b2a16e8
                • Instruction Fuzzy Hash: 86419370A00218AFDF2AEF54D845BFE7BB9AF58710F040029F906A3291DB749B55CFA1
                APIs
                • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001A57E0
                • _wcslen.LIBCMT ref: 001A57EC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: BuffCharUpper_wcslen
                • String ID: CALLARGARRAY
                • API String ID: 157775604-1150593374
                • Opcode ID: 48b3b545ab00634f1a179e479690d96f680fbf6c829fd2d57d042c726663bd1f
                • Instruction ID: 416c032b58f4aec6b41b6d60309fea77823b70acc799a004f2e8edaca4909b0b
                • Opcode Fuzzy Hash: 48b3b545ab00634f1a179e479690d96f680fbf6c829fd2d57d042c726663bd1f
                • Instruction Fuzzy Hash: 3541A135E042099FCB14DFA9C8819AEBBF6FF6A324F144029E505A7291E7349D81CB90
                APIs
                • _wcslen.LIBCMT ref: 0019D130
                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0019D13A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CrackInternet_wcslen
                • String ID: |
                • API String ID: 596671847-2343686810
                • Opcode ID: 45e0e6504629e2dd4851d365410b3add9ff44adc7f84e4ad030dce44b6114cba
                • Instruction ID: 781972ecca4b06841685832290dc35deba3673ff3ac6604b652b1ed055f1f880
                • Opcode Fuzzy Hash: 45e0e6504629e2dd4851d365410b3add9ff44adc7f84e4ad030dce44b6114cba
                • Instruction Fuzzy Hash: 63315071D01219ABCF15EFA4DC85EEE7FB9FF14300F100069F815A6162DB31AA56DB60
                APIs
                • DestroyWindow.USER32(?,?,?,?), ref: 001B3621
                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001B365C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$DestroyMove
                • String ID: static
                • API String ID: 2139405536-2160076837
                • Opcode ID: 829cef6df724e74ae0f3d0fd3400422ffb372c2c95239bb0e3516ebbd459d873
                • Instruction ID: dfe589ad1fcbdd43233f6be7c73a19cd3ad33527cf3deb7b8bce95d22c0dee11
                • Opcode Fuzzy Hash: 829cef6df724e74ae0f3d0fd3400422ffb372c2c95239bb0e3516ebbd459d873
                • Instruction Fuzzy Hash: CE319E71110604AEDB24DF28DC80EFB73A9FF98760F008619F9A597290DB31AD91D7A0
                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 001B461F
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001B4634
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                • Opcode ID: 6ddb27542e125d3eac4295420cf15823ae50e1e7a2da89e8b93b9ba3611a6d14
                • Instruction ID: e769327421d848a2293980bbf49000e5e202a74e697e687c19c194e39916abc0
                • Opcode Fuzzy Hash: 6ddb27542e125d3eac4295420cf15823ae50e1e7a2da89e8b93b9ba3611a6d14
                • Instruction Fuzzy Hash: DD311974A01719AFDF14CFA9C990BEA7BB5FF49300F14806AE905AB352D770A941CF90
                APIs
                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001633A2
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00123A04
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: IconLoadNotifyShell_String_wcslen
                • String ID: Line:
                • API String ID: 2289894680-1585850449
                • Opcode ID: 5074f0e98c32a3b714f83e7a025fb6b73b701ab177a0d7cec3815ee99f9e7d67
                • Instruction ID: e83c38368b6dd7e06ab5588a24c17b175ecad22ea313d46b77a404ec4c44a535
                • Opcode Fuzzy Hash: 5074f0e98c32a3b714f83e7a025fb6b73b701ab177a0d7cec3815ee99f9e7d67
                • Instruction Fuzzy Hash: 7531F471508324ABC725EB20EC45FEBB3D8BF55324F00092AF5A9835D1DB749AA9C7C2
                APIs
                • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00182884
                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001828B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: b4c69580ca1227f39f745b54c755e7f9f68748216015e204d612a661bfbc0c70
                • Instruction ID: 69dfe43cb3299e98caf24c66b582a31a533f8778374d36cf7451ff4aa57fe800
                • Opcode Fuzzy Hash: b4c69580ca1227f39f745b54c755e7f9f68748216015e204d612a661bfbc0c70
                • Instruction Fuzzy Hash: D021EA32E00224ABCB16BF94D481DFE77B9EF99714F144129F915A7290EB749E41CBA0
                APIs
                  • Part of subcall function 00183D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00183D18
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00183C23
                • _strlen.LIBCMT ref: 00183C2E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$Timeout_strlen
                • String ID: @U=u
                • API String ID: 2777139624-2594219639
                • Opcode ID: 6367586adcde0c5b42569cf33a10d0d10e68caf7f035a16e04c31c67e0470f9f
                • Instruction ID: cca71885cdb89e771082c92d8b35a510b4919f217177bd7020cf91457f948bd2
                • Opcode Fuzzy Hash: 6367586adcde0c5b42569cf33a10d0d10e68caf7f035a16e04c31c67e0470f9f
                • Instruction Fuzzy Hash: 1011B73270011527CB297ABCD8929BE77658F65F40F18003EF916AB292DF609F428BE4
                APIs
                  • Part of subcall function 0018ED19: GetLocalTime.KERNEL32 ref: 0018ED2A
                  • Part of subcall function 0018ED19: _wcslen.LIBCMT ref: 0018ED3B
                  • Part of subcall function 0018ED19: _wcslen.LIBCMT ref: 0018ED79
                  • Part of subcall function 0018ED19: _wcslen.LIBCMT ref: 0018EDAF
                  • Part of subcall function 0018ED19: _wcslen.LIBCMT ref: 0018EDDF
                  • Part of subcall function 0018ED19: _wcslen.LIBCMT ref: 0018EDEF
                  • Part of subcall function 0018ED19: _wcslen.LIBCMT ref: 0018EE2B
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 001B340A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$LocalMessageSendTime
                • String ID: @U=u$SysDateTimePick32
                • API String ID: 2216836867-2530228043
                • Opcode ID: 6ad7da72b60b751b2a1cad11648ce4efb2f01a29b697845f78894e750beac13d
                • Instruction ID: 1f227de4c2e6e7a50c0f42f3e3e5097dc55ff0e481b9e60514fece089caef8c2
                • Opcode Fuzzy Hash: 6ad7da72b60b751b2a1cad11648ce4efb2f01a29b697845f78894e750beac13d
                • Instruction Fuzzy Hash: 8A21B1713502196BEF229E54DC82FEF73AAEB54754F200519F950AB1E0DBB1ECA187A0
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00182178
                  • Part of subcall function 0018B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0018B355
                  • Part of subcall function 0018B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00182194,00000034,?,?,00001004,00000000,00000000), ref: 0018B365
                  • Part of subcall function 0018B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00182194,00000034,?,?,00001004,00000000,00000000), ref: 0018B37B
                  • Part of subcall function 0018B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821D0,?,?,00000034,00000800,?,00000034), ref: 0018B42D
                • SendMessageW.USER32(?,00001073,00000000,?), ref: 001821DF
                  • Part of subcall function 0018B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0018B3F8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @U=u
                • API String ID: 1045663743-2594219639
                • Opcode ID: 9f98a886e70dbeb7f6a524cf24bdb78bf696c3cff01574ac421c5772a57f8fb4
                • Instruction ID: 0493a5f26227bda4f3e2d17a9fba87e190338e39a0cf2d0173c68298809b837c
                • Opcode Fuzzy Hash: 9f98a886e70dbeb7f6a524cf24bdb78bf696c3cff01574ac421c5772a57f8fb4
                • Instruction Fuzzy Hash: FE215C31901128ABEF12EBA8DC81FDDBBB9FF19350F1001A5E949A7190EB705B84CF90
                APIs
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001B327C
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001B3287
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Combobox
                • API String ID: 3850602802-2096851135
                • Opcode ID: 6cc007db906cee0e07b735102bc676481a6f99752645e869975a039b9f747770
                • Instruction ID: 3c7bb358b7228ec09a722b532d67cc8b40e91571c67d300117e8f20eee6a185b
                • Opcode Fuzzy Hash: 6cc007db906cee0e07b735102bc676481a6f99752645e869975a039b9f747770
                • Instruction Fuzzy Hash: 2211B2713002087FFF259E94DC81EFB376AEB983A4F104268F92897290D7719D6197A0
                APIs
                  • Part of subcall function 0012600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0012604C
                  • Part of subcall function 0012600E: GetStockObject.GDI32(00000011), ref: 00126060
                  • Part of subcall function 0012600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0012606A
                • GetWindowRect.USER32(00000000,?), ref: 001B377A
                • GetSysColor.USER32(00000012), ref: 001B3794
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Window$ColorCreateMessageObjectRectSendStock
                • String ID: static
                • API String ID: 1983116058-2160076837
                • Opcode ID: d0f5c556eea77c5b298616049e6bdcf286305dd99a349ab4f55e30be2b0a54df
                • Instruction ID: 2519ea942ebe5b0fa94b612d29346e261d0d3222e61cf1f29654bb0eff81a1a1
                • Opcode Fuzzy Hash: d0f5c556eea77c5b298616049e6bdcf286305dd99a349ab4f55e30be2b0a54df
                • Instruction Fuzzy Hash: D9113AB2610209AFDF01DFA8CC45EFA7BB8FB08354F004614F965E2250EB35E861DBA0
                APIs
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001B61FC
                • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 001B6225
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: ba227c32d40915b17890116a9d0776b9b0ed71360d41b12f60708c444fce1668
                • Instruction ID: c4f55f4ad9ad0b50adabf0cc09342e9dd3d50a9667b0fc12794056970be94dee
                • Opcode Fuzzy Hash: ba227c32d40915b17890116a9d0776b9b0ed71360d41b12f60708c444fce1668
                • Instruction Fuzzy Hash: 82119D32140214BFFF159F68DC59FFA3BA5EB29314F004195FA16AA1E1D3B8DA50DB50
                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0019CD7D
                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0019CDA6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Internet$OpenOption
                • String ID: <local>
                • API String ID: 942729171-4266983199
                • Opcode ID: 1c0d2e7a66333bf155d631bc247098875157f16a5e8451a07c482ccc6fc790b1
                • Instruction ID: 3d89e3ceab5eb84ec7097a315a1e02c22fbd1e3bb6a1ea9f6f71de9e06cd7645
                • Opcode Fuzzy Hash: 1c0d2e7a66333bf155d631bc247098875157f16a5e8451a07c482ccc6fc790b1
                • Instruction Fuzzy Hash: 7211E9B12056317ADB384BA68C45FF7BEECEF127A4F004236B18983080D7709840D6F0
                APIs
                • SendMessageW.USER32(?,?,?,?), ref: 001B4FCC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: ea46844d001a39bacb45390a17acd39df0406b75c9e4fbd3e607453c930d163a
                • Instruction ID: b3d7bc55f6eb603eafb2bd6c274cab42002df8ca46162dafdb9f41e59d5eccaf
                • Opcode Fuzzy Hash: ea46844d001a39bacb45390a17acd39df0406b75c9e4fbd3e607453c930d163a
                • Instruction Fuzzy Hash: C321D37A60011AEFCB15DFA8C9409EA7BB6FB4D340B004154F905A7310D731E961DB90
                APIs
                • SendMessageW.USER32(?,00000401,?,00000000), ref: 001B3147
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u$button
                • API String ID: 3850602802-1762282863
                • Opcode ID: b9a5e6ab31419afcf4cd563e79728bf06d571eaeea0486d414dadf71224e1820
                • Instruction ID: 91bd788374a687496fb81d2492f46042ffe2de31c9ad7f3888507dbf8f79a870
                • Opcode Fuzzy Hash: b9a5e6ab31419afcf4cd563e79728bf06d571eaeea0486d414dadf71224e1820
                • Instruction Fuzzy Hash: D511C432250205BBDF119F68DC41FEB3B6AFF18754F140114FA64A7190C776E8A1AB50
                APIs
                  • Part of subcall function 00129CB3: _wcslen.LIBCMT ref: 00129CBD
                • CharUpperBuffW.USER32(?,?,?), ref: 00186CB6
                • _wcslen.LIBCMT ref: 00186CC2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: STOP
                • API String ID: 1256254125-2411985666
                • Opcode ID: 94c564e9bb5823dffee8b04241bab0cfbf6caaf510c8706dce2f828f7d1f1e69
                • Instruction ID: 26e6f6d827eed9a1b4395703e94907208e2042201380220f1eb09504cb6b1444
                • Opcode Fuzzy Hash: 94c564e9bb5823dffee8b04241bab0cfbf6caaf510c8706dce2f828f7d1f1e69
                • Instruction Fuzzy Hash: 3F01C4326105268BCB21BFFDDC809BF77A5FB71754B510624E85296190EB31DA50CB50
                APIs
                  • Part of subcall function 0018B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821D0,?,?,00000034,00000800,?,00000034), ref: 0018B42D
                • SendMessageW.USER32(?,0000102B,?,00000000), ref: 0018243B
                • SendMessageW.USER32(?,0000102B,?,00000000), ref: 0018245E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$MemoryProcessWrite
                • String ID: @U=u
                • API String ID: 1195347164-2594219639
                • Opcode ID: 05b74a06b88b12daf1639184fdc636c0d6d845cb42502531f530c447a9c910d2
                • Instruction ID: 7f4d3a42d9e32fee0c7c8d98ba630756c3483561b954d095f457e8529983efce
                • Opcode Fuzzy Hash: 05b74a06b88b12daf1639184fdc636c0d6d845cb42502531f530c447a9c910d2
                • Instruction Fuzzy Hash: 15019632900218ABEB15BF64DC86FEEBB79DB28310F104166F515A61D1DBB05E95CF60
                APIs
                • SendMessageW.USER32(?,0000133E,00000000,?), ref: 001B43AF
                • InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 001B4408
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: InvalidateMessageRectSend
                • String ID: @U=u
                • API String ID: 909852535-2594219639
                • Opcode ID: eb5377cc61e858237c41f52ea11081cfb76e955243b40144de01048d591cef5c
                • Instruction ID: b6bcdb19348cb0084d2af0531179decce1b88dc17c13178ed30b14796254dba2
                • Opcode Fuzzy Hash: eb5377cc61e858237c41f52ea11081cfb76e955243b40144de01048d591cef5c
                • Instruction Fuzzy Hash: 9311BF30500744AFE721DF24C891BE7BBE4BF09310F10851CE8AB97392C7706951CB90
                APIs
                • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00182531
                • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00182564
                  • Part of subcall function 0018B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0018B3F8
                  • Part of subcall function 00126B57: _wcslen.LIBCMT ref: 00126B6A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend$MemoryProcessRead_wcslen
                • String ID: @U=u
                • API String ID: 1083363909-2594219639
                • Opcode ID: 4e7acd3d72ab3420efb8dc554b4472f0c3ef536c637248763a218327b11eadc9
                • Instruction ID: 1c2ee806245cac5bc7a7b17d8371b0e8cce73c380531c2cdfe84c779de313a00
                • Opcode Fuzzy Hash: 4e7acd3d72ab3420efb8dc554b4472f0c3ef536c637248763a218327b11eadc9
                • Instruction Fuzzy Hash: 0B011B72900128AFDB51AF94DC91EEA77B9FB28344F8080A5F649A6150DF705F99CF90
                APIs
                  • Part of subcall function 00139BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00139BB2
                • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0017769C,?,?,?), ref: 001B9111
                  • Part of subcall function 00139944: GetWindowLongW.USER32(?,000000EB), ref: 00139952
                • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 001B90F7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LongWindow$MessageProcSend
                • String ID: @U=u
                • API String ID: 982171247-2594219639
                • Opcode ID: fc2d384023fa53909ca0751c223b1a50fbefc3ab7129d8fade2917268045e260
                • Instruction ID: a0130adbdb29ed2eda58c19cfc31f54fee28d5e02b0beab158227302a591a9cf
                • Opcode Fuzzy Hash: fc2d384023fa53909ca0751c223b1a50fbefc3ab7129d8fade2917268045e260
                • Instruction Fuzzy Hash: AF01B130200214FBDB21AF18DC49FE63BA6FB85375F100118FA511A6E1C7726842DB60
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00182480
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00182497
                  • Part of subcall function 001823DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 0018243B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 51141adfdca0586645149c7c0034e5d95cc31c97876b22151b7bce3d73dad57c
                • Instruction ID: 25384b404225529dde18a7e788c43d80c9882bb5af914133ccdaff5986eb4862
                • Opcode Fuzzy Hash: 51141adfdca0586645149c7c0034e5d95cc31c97876b22151b7bce3d73dad57c
                • Instruction Fuzzy Hash: 53F0E230601121BBEB212B56CC0ACDFBF6DDF5A760B100114F805A2151C7F15E81CBF0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: 3, 3, 16, 1
                • API String ID: 176396367-3042988571
                • Opcode ID: 4af36cf9bf2a1f5c281537610731853790dd0115f214fc403684a2e2735e4537
                • Instruction ID: 8f82b0d93a5e32117c56cd9afc8b749eff4ebaabd9240fa15287f6b5ae6bed68
                • Opcode Fuzzy Hash: 4af36cf9bf2a1f5c281537610731853790dd0115f214fc403684a2e2735e4537
                • Instruction Fuzzy Hash: 40E02B0A21422011D231127AECC1A7F57CDDFDE750710182BF985C22F6EF948E92A3A0
                APIs
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00182BFA
                • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00182C2A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 95f9ccf8d64cf6f93c3fa21b87bcb751203d485b647f6394c19181967ed9c5ca
                • Instruction ID: f5a2d6eba255c6fd96c89b80b767002d925be332f3ca9907dc3fe3c18303d4f1
                • Opcode Fuzzy Hash: 95f9ccf8d64cf6f93c3fa21b87bcb751203d485b647f6394c19181967ed9c5ca
                • Instruction Fuzzy Hash: 7AF0A075340304BFFA166B80EC4AFFA3B58EB29761F000014F7055A1D0CBE25D509BA0
                APIs
                  • Part of subcall function 0018286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00182884
                  • Part of subcall function 0018286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001828B6
                • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00182D80
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00182D90
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 34acab7ed30d086ecbb1daeb495f6f615df1dab732b67d20144adfbf58fbd020
                • Instruction ID: 95329d7c7d1815403beaa6a136f742303800b7d64c267edc36b767efce4b3309
                • Opcode Fuzzy Hash: 34acab7ed30d086ecbb1daeb495f6f615df1dab732b67d20144adfbf58fbd020
                • Instruction Fuzzy Hash: 38E0D8753443057FFA272A919C4AEE33B9DD759751F100126F30465191DFF2CC605B60
                APIs
                • SendMessageW.USER32(?,0000133D,?,?), ref: 001B5855
                • InvalidateRect.USER32(?,?,00000001), ref: 001B5877
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: InvalidateMessageRectSend
                • String ID: @U=u
                • API String ID: 909852535-2594219639
                • Opcode ID: 0d526d48f4efc917b30f7c3123f2f36abefef882bef4efc69962e768e1be4cd1
                • Instruction ID: b8fbf408ea75a4ad73c7247e918a0bdc725b41a535b495133e54b46aad1c129e
                • Opcode Fuzzy Hash: 0d526d48f4efc917b30f7c3123f2f36abefef882bef4efc69962e768e1be4cd1
                • Instruction Fuzzy Hash: D1F08232604140AFDB209F65DC44FEEBFF9EB85325F0445B2E55AD9151D7308A81CB60
                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00180B23
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: Message
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 2030045667-4017498283
                • Opcode ID: 6adb1c35d67d8196e1609b6c4f9b3c6a1ba580e924711ba26b323b0013188d38
                • Instruction ID: 3a5c33386958062a1603e4682bd1c003ab232474834998dd982b33a473bef3fb
                • Opcode Fuzzy Hash: 6adb1c35d67d8196e1609b6c4f9b3c6a1ba580e924711ba26b323b0013188d38
                • Instruction Fuzzy Hash: F8E0803224435837D21437957C47FC97B858F19F55F10042AFB58655D38FE2659047E9
                APIs
                  • Part of subcall function 0013F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00140D71,?,?,?,0012100A), ref: 0013F7CE
                • IsDebuggerPresent.KERNEL32(?,?,?,0012100A), ref: 00140D75
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0012100A), ref: 00140D84
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00140D7F
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 55579361-631824599
                • Opcode ID: 8850cf002fa2d75976bf048d296641a0bd223c98801f2bfa83c6ffa2eef67aab
                • Instruction ID: 121d0e81a260060e196195ccee5f27bedfde0f5aad6fdb33a7823166e3963923
                • Opcode Fuzzy Hash: 8850cf002fa2d75976bf048d296641a0bd223c98801f2bfa83c6ffa2eef67aab
                • Instruction Fuzzy Hash: B1E092746003118BD3319FBDE9087927BE1BF18740F004A6DE586C6A61DBB5E489CBE1
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: LocalTime
                • String ID: %.3d$X64
                • API String ID: 481472006-1077770165
                • Opcode ID: 9c4f5b862dc3e116b60d8e926c35c401ab2ad2a1b1380fa1d7cc9c1d7ad1f1cb
                • Instruction ID: 8b715349a6116cfde9d8b464d4c4ac1ee79cf0816779de215c4dd4cb2869f563
                • Opcode Fuzzy Hash: 9c4f5b862dc3e116b60d8e926c35c401ab2ad2a1b1380fa1d7cc9c1d7ad1f1cb
                • Instruction Fuzzy Hash: B1D012A1C0810CEACB9896D0EC458BEB37CBF18341F52C452F90AA1041D724C54A6761
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001B232C
                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001B233F
                  • Part of subcall function 0018E97B: Sleep.KERNEL32 ref: 0018E9F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: c87d41dddb943784c9af8dc80b58ee8b873d517f359137d53269cecf6f6139a8
                • Instruction ID: 69a1a8df57e08acf065832c89b5ada8fac07bb2991c74b8b381b776ed3e38f95
                • Opcode Fuzzy Hash: c87d41dddb943784c9af8dc80b58ee8b873d517f359137d53269cecf6f6139a8
                • Instruction Fuzzy Hash: 85D0C9367D4350B6E664B7719C0FFDA7A549B14B14F004A16B685AA1D0DAE0A8818A94
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001B236C
                • PostMessageW.USER32(00000000), ref: 001B2373
                  • Part of subcall function 0018E97B: Sleep.KERNEL32 ref: 0018E9F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: c2db9fb792587dd2d9468330fdd1f80c523789875752ab40f1d827bf2748e16b
                • Instruction ID: 6d2ace6f09a07131980f4e7d6a90fdbacde3ef2f7f687cf0491bc78c968cbad3
                • Opcode Fuzzy Hash: c2db9fb792587dd2d9468330fdd1f80c523789875752ab40f1d827bf2748e16b
                • Instruction Fuzzy Hash: D2D0C9327C13507AE664B7719C0FFDA76549B14B14F404A16B685AA1D0DAE0A8818A94
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0018231F
                • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0018232D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1392452889.0000000000121000.00000020.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                • Associated: 00000000.00000002.1392434062.0000000000120000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001BC000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392506852.00000000001E2000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392552711.00000000001EC000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1392585634.00000000001F4000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_120000_QQpQgSYkjW.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 2e97acd62fbf531875de8fe815437e6c1b3367a24982dea94f4b3f42bbaa2808
                • Instruction ID: e5c80a414ba44898107558276e7c67f94ea941fa74432340f0e9d8d5a14b88f6
                • Opcode Fuzzy Hash: 2e97acd62fbf531875de8fe815437e6c1b3367a24982dea94f4b3f42bbaa2808
                • Instruction Fuzzy Hash: ACC00231140180BBE6211B67AD0DDD73E3DE7DAF517101258B215955A586A50095D664