Edit tour

Windows Analysis Report
PI-236031.exe

Overview

General Information

Sample name:	PI-236031.exe
Analysis ID:	1447910
MD5:	05d95a552838cb5c6d45a79473c9f430
SHA1:	535c4d854628081163b1da1afdea892204a88eef
SHA256:	9f8325d8345d383ed22e18f47303b03947c1e652ad304b7ca88a270355eb8f4d
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PI-236031.exe (PID: 6324 cmdline: "C:\Users\user\Desktop\PI-236031.exe" MD5: 05D95A552838CB5C6D45A79473C9F430)

RegSvcs.exe (PID: 420 cmdline: "C:\Users\user\Desktop\PI-236031.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.2778973187.0000000002925000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PI-236031.exe PID: 6324	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PI-236031.exe PID: 6324	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PI-236031.exe PID: 6324	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 420	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 420	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PI-236031.exe.2f80000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PI-236031.exe.2f80000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PI-236031.exe.2f80000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x325c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32637:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x326c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32753:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x327bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3282f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x328c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32955:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PI-236031.exe.2f80000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f78d:$s2: GetPrivateProfileString 0x2ee5d:$s3: get_OSFullName 0x304a3:$s5: remove_Key 0x30693:$s5: remove_Key 0x315ac:$s6: FtpWebRequest 0x325a7:$s7: logins 0x32b19:$s7: logins 0x357fc:$s7: logins 0x358dc:$s7: logins 0x37231:$s7: logins 0x36476:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.PI-236031.exe.2f80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PI-236031.exe.2f80000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PI-236031.exe.2f80000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PI-236031.exe.2f80000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PI-236031.exe.2f80000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3158d:$s2: GetPrivateProfileString 0x30c5d:$s3: get_OSFullName 0x322a3:$s5: remove_Key 0x32493:$s5: remove_Key 0x333ac:$s6: FtpWebRequest 0x343a7:$s7: logins 0x34919:$s7: logins 0x375fc:$s7: logins 0x376dc:$s7: logins 0x39031:$s7: logins 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}

Multi AV Scanner detection for submitted file

Source: PI-236031.exe	Virustotal: Detection: 32%			Perma Link
Source: PI-236031.exe	ReversingLabs: Detection: 54%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Machine Learning detection for sample

Source: PI-236031.exe

Joe Sandbox ML: detected

Source: PI-236031.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: PI-236031.exe, 00000000.00000003.1523773063.0000000003610000.00000004.00001000.00020000.00000000.sdmp, PI-236031.exe, 00000000.00000003.1525137714.0000000003470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PI-236031.exe, 00000000.00000003.1523773063.0000000003610000.00000004.00001000.00020000.00000000.sdmp, PI-236031.exe, 00000000.00000003.1525137714.0000000003470000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DC4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DC4696
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DCC9C7
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCC93C FindFirstFileW,FindClose,	0_2_00DCC93C
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DCF200
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DCF35D
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DCF65E
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DC3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DC3A2B
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DC3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DC3D4E
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DCBF27

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DD25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00DD25E2

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.2778973187.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: PI-236031.exe, 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778167994.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2778973187.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PI-236031.exe, 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, oAKy.cs

.Net Code: ExGJKp0bbyd

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DD425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00DD425A

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DD4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DD4458

Source: C:\Users\user\Desktop\PI-236031.exe

0_2_00DD425A

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DC0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00DC0219

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DECDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00DECDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PI-236031.exe.2f80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PI-236031.exe.2f80000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D63B4C
Source: PI-236031.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PI-236031.exe, 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_67d39ba7-e
Source: PI-236031.exe, 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1511af21-8
Source: PI-236031.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_66650618-2
Source: PI-236031.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fb263eef-4

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DC40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00DC40B1

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DB8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00DB8858

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DC545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00DC545F

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D6E800	0_2_00D6E800
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D8DBB5	0_2_00D8DBB5
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DE804A	0_2_00DE804A
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D6E060	0_2_00D6E060
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D74140	0_2_00D74140
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D82405	0_2_00D82405
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D96522	0_2_00D96522
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D9267E	0_2_00D9267E
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DE0665	0_2_00DE0665
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D76843	0_2_00D76843
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D8283A	0_2_00D8283A
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D989DF	0_2_00D989DF
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DE0AE2	0_2_00DE0AE2
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D96A94	0_2_00D96A94
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D78A0E	0_2_00D78A0E
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DC8B13	0_2_00DC8B13
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DBEB07	0_2_00DBEB07
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D8CD61	0_2_00D8CD61
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D97006	0_2_00D97006
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D73190	0_2_00D73190
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D7710E	0_2_00D7710E
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D61287	0_2_00D61287
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D833C7	0_2_00D833C7
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D8F419	0_2_00D8F419
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D816C4	0_2_00D816C4
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D75680	0_2_00D75680
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D878D3	0_2_00D878D3
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D758C0	0_2_00D758C0
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D81BB8	0_2_00D81BB8
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D99D05	0_2_00D99D05
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D6FE40	0_2_00D6FE40
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D81FD0	0_2_00D81FD0
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D8BFE6	0_2_00D8BFE6
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_02F73660	0_2_02F73660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F0A6DB	2_2_00F0A6DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F0D890	2_2_00F0D890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F04A88	2_2_00F04A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F03E70	2_2_00F03E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00F041B8	2_2_00F041B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06112300	2_2_06112300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06111150	2_2_06111150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06113AB0	2_2_06113AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_061133C8	2_2_061133C8

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: String function: 00D80D27 appears 70 times
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: String function: 00D67F41 appears 35 times
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: String function: 00D88B40 appears 42 times

Source: PI-236031.exe, 00000000.00000003.1527585930.000000000373D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PI-236031.exe
Source: PI-236031.exe, 00000000.00000003.1525889513.0000000003593000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PI-236031.exe
Source: PI-236031.exe, 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename88e10d5e-7fd5-494e-a8ee-82170ba0d629.exe4 vs PI-236031.exe

Source: PI-236031.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.PI-236031.exe.2f80000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PI-236031.exe.2f80000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, ekKu0.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, vKf1z6NvS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, ZNAvlD7qmXc.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, U2doU2.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, BgffYko.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, HrTdA63.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, Vvp22TrBv9g.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DCA2D5 GetLastError,FormatMessageW,

0_2_00DCA2D5

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DB8713 AdjustTokenPrivileges,CloseHandle,		0_2_00DB8713
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DB8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00DB8CC3

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DCB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00DCB59E

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DDF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00DDF121

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DD86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00DD86D0

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D64FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D64FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\PI-236031.exe

File created: C:\Users\user\AppData\Local\Temp\autE024.tmp

Jump to behavior

Source: PI-236031.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\PI-236031.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2778973187.0000000002A04000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029F1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PI-236031.exe	Virustotal: Detection: 32%
Source: PI-236031.exe	ReversingLabs: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\PI-236031.exe "C:\Users\user\Desktop\PI-236031.exe"
Source: C:\Users\user\Desktop\PI-236031.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PI-236031.exe"
Source: C:\Users\user\Desktop\PI-236031.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PI-236031.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: PI-236031.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PI-236031.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PI-236031.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PI-236031.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PI-236031.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PI-236031.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PI-236031.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: PI-236031.exe, 00000000.00000003.1523773063.0000000003610000.00000004.00001000.00020000.00000000.sdmp, PI-236031.exe, 00000000.00000003.1525137714.0000000003470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PI-236031.exe, 00000000.00000003.1523773063.0000000003610000.00000004.00001000.00020000.00000000.sdmp, PI-236031.exe, 00000000.00000003.1525137714.0000000003470000.00000004.00001000.00020000.00000000.sdmp

Source: PI-236031.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PI-236031.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PI-236031.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PI-236031.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PI-236031.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DDC304 LoadLibraryA,GetProcAddress,

0_2_00DDC304

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D88B85 push ecx; ret

0_2_00D88B98

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D64A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D64A35
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DE55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00DE55FD

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D833C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D833C7

Source: C:\Users\user\Desktop\PI-236031.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PI-236031.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PI-236031.exe PID: 6324, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PI-236031.exe, 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.0000000002925000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PI-236031.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99194

Source: C:\Users\user\Desktop\PI-236031.exe

API coverage: 5.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DC4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DC4696
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DCC9C7
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCC93C FindFirstFileW,FindClose,	0_2_00DCC93C
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DCF200
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DCF35D
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DCF65E
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DC3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DC3A2B
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DC3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DC3D4E
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DCBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DCBF27

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D64AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D64AFE

Source: RegSvcs.exe, 00000002.00000002.2778973187.0000000002925000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.2778973187.0000000002925000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2780069977.0000000005B94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: RegSvcs.exe, 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\PI-236031.exe	API call chain: ExitProcess graph end node			graph_0-98310
Source: C:\Users\user\Desktop\PI-236031.exe	API call chain: ExitProcess graph end node			graph_0-98236

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_00F07070 CheckRemoteDebuggerPresent,

2_2_00F07070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DD41FD BlockInput,

0_2_00DD41FD

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D63B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D63B4C

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D95CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00D95CCC

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DDC304 LoadLibraryA,GetProcAddress,

0_2_00DDC304

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_02F734F0 mov eax, dword ptr fs:[00000030h]	0_2_02F734F0
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_02F73550 mov eax, dword ptr fs:[00000030h]	0_2_02F73550
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_02F71ED0 mov eax, dword ptr fs:[00000030h]	0_2_02F71ED0

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DB81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00DB81F7

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D8A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D8A395
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00D8A364 SetUnhandledExceptionFilter,		0_2_00D8A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PI-236031.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PI-236031.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6E0008

Jump to behavior

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DB8C93 LogonUserW,

0_2_00DB8C93

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D63B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D63B4C

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D64A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00D64A35

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DC4EC9 mouse_event,

0_2_00DC4EC9

Source: C:\Users\user\Desktop\PI-236031.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PI-236031.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PI-236031.exe

0_2_00DB81F7

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DC4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00DC4C03

Source: PI-236031.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PI-236031.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D8886B cpuid

0_2_00D8886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D950D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D950D7

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00DA2230 GetUserNameW,

0_2_00DA2230

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D9418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D9418A

Source: C:\Users\user\Desktop\PI-236031.exe

Code function: 0_2_00D64AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D64AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PI-236031.exe.2f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI-236031.exe PID: 6324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 420, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: PI-236031.exe	Binary or memory string: WIN_81
Source: PI-236031.exe	Binary or memory string: WIN_XP
Source: PI-236031.exe	Binary or memory string: WIN_XPe
Source: PI-236031.exe	Binary or memory string: WIN_VISTA
Source: PI-236031.exe	Binary or memory string: WIN_7
Source: PI-236031.exe	Binary or memory string: WIN_8
Source: PI-236031.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.PI-236031.exe.2f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2778973187.0000000002925000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI-236031.exe PID: 6324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 420, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PI-236031.exe.2f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PI-236031.exe.2f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PI-236031.exe PID: 6324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 420, type: MEMORYSTR

Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DD6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00DD6596
Source: C:\Users\user\Desktop\PI-236031.exe	Code function: 0_2_00DD6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00DD6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	551 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Virtualization/Sandbox Evasion	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PI-236031.exe	33%	Virustotal		Browse
PI-236031.exe	54%	ReversingLabs	Win32.Spyware.Negasteal
PI-236031.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	PI-236031.exe, 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2778973187.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2778973187.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2778973187.00000000029CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447910
Start date and time:	2024-05-27 12:18:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PI-236031.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 283
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	99200032052824.bat.exe	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	/json/
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	ip-api.com/line/?fields=hosting
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	ip-api.com/json/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	99200032052824.bat.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	208.95.112.1
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	99200032052824.bat.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	208.95.112.1
	NFs_468.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\PI-236031.exe
File Type:	data
Category:	dropped
Size (bytes):	153578
Entropy (8bit):	7.9359429885564605
Encrypted:	false
SSDEEP:	3072:1eg4R+7CZo9meyKdiwTOYPFD5QGdKdLUivOWEKc0ccdwQKVUFjK/BbsE:gzyAo9BOYPFYXvScSwKCE
MD5:	F467DE18D894C7744612337DDC8B93C2
SHA1:	9BBDD78C91E786CA218295AF6E8D5FEA2F6B3C7E
SHA-256:	B39CC986EA6A1E8A05F303376B4D038572829EB146E7ECA1CE57BAD7456DC7CA
SHA-512:	4B6462BA5DEEA94AFC079A83E09BCD5FC2CA00F8CF2095E6850E7FBCB3F1CBFB625B58E6C11DD7F4D069B8F4EB1447ADE3447FA5F917BF4F6735DCE5FE1AB405
Malicious:	false
Reputation:	low
Preview:	EA06.....X.uj\.D.Rf.N^.gX.Liu...H.R(.@.2iT..(@.y....}`.2.+..f.......A.<.CA.M(.j...9...u.,....KbS..j.^.E"..]..$..#..,......v.1..'S;g.q.._..3.V....#.K.M( .X......L...Q........)5....c30..\g.:.(...i.SmX.Hiu.H..X.M+ ....h.....#`....9...9>Z."mH...~...5.2.....q......M..9(....r...3.0.P.`....gX.G.2]@.L.P@...3../.9......Law.]Zu'..(...:n...]T.c...7....7..L.0......3....SZL.d....R...._....)6..........[..&....+&..d.}...[..6.....2..fxJl....N.{..c....].......3.bAa...r...u......F.I.3/...I.n.S[.n1..a.].ss...m6.........JM8.KmVyEF.F..[.....\|s^..;C].G.7Z...e....=.......Y.'s+<..+..%..D..h.0....rW@9...!I......,.0..{...r..._.=.x.Q...{..~.G...B.gO.x.Iz.~........J.V_b......%..[.0}]^U..D..M~.y..W.....5..-4..oS.Mi.y..s..k\|....T..T.......]<W...sqZ......3P..of4...)..R7`...i..8@...V.L..M.'o4..S.uR.%.D....QB.E.....2..% 9...S9.....jq..Z.8.q.q...a..R..u.gV.S#.I.6?5.U#.X..U..j.j.".>.Uf.J...Q...s......Q&S...iR.NhS.}.O1...T..z.5..ds:..7...fuj.H...H.UY....'....6...&.-..i.*u

C:\Users\user\AppData\Local\Temp\autE083.tmp

Download File

Process:	C:\Users\user\Desktop\PI-236031.exe
File Type:	data
Category:	dropped
Size (bytes):	9908
Entropy (8bit):	7.597195603822302
Encrypted:	false
SSDEEP:	192:yyaFcTokxCW/EeiNo/GONuVROF9cfsSEyUsmnZNufPCR6QayB1JupI0Q0+v:cFxkUWceiNo3NiWeUXZsPCIwBrkIMy
MD5:	0477013B3C57A2C0B0B147D061C01F6D
SHA1:	E3EE6608F3B749EEA77830BE86488EA8B82E4B9E
SHA-256:	1A50D90AA4269F8596209AE5E81127F125F51D7A288F046BCEA825374E6B1BAD
SHA-512:	98B8200ABF9C9A208824C115473F5F735B113FFF19A541D9D2848A622E19639A37A2967F9FA4C90C8B2825BF0FAB20BCEC85614559B30CB14A526A338DC5BBA5
Malicious:	false
Reputation:	low
Preview:	EA06..p4.M(...aD..fT)..D.Mh.z,.gA....5.......B.Mh..%.mF.Mf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn.

C:\Users\user\AppData\Local\Temp\leucoryx

Download File

Process:	C:\Users\user\Desktop\PI-236031.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.64975718476219
Encrypted:	false
SSDEEP:	6144:MmtFJT+tD4CcNShwh6BvjC+LDqBHm89brvJ30P:Mm/JTe4Csj4vjC+YHmUBEP
MD5:	4E8114448E5E959F3C0D21856A288B76
SHA1:	C2560B54716D66E9A7F5D8AC2A3AB0E071BD3571
SHA-256:	B7D88D5F8039A35A7ADCDED3D58138485F412F4255B015DA374E5202A71CEDB2
SHA-512:	23CFBC8216C3A7145837160F0A19243BB4856D8A7D9E5178ED5E2E8219075824517FA977A652272E2AA2F1CD698313F7BAE0C11BD71125EA0B76DEBC44269CB0
Malicious:	false
Reputation:	low
Preview:	.c.VK2HD0I74.3X.1KQ93VHrHD4I744T3XB1KQ93VH2HD4I744T3XB1KQ93.H2HJ+.94.].y.0...g>!Ah4F&PFU9.;#_%>M.4-.:1Zi^Z..\|.b\$5\.[E8lD4I744Tc.B1.P:3l.8.D4I744T3.B3JZ88VH.KD4A744T3X..HQ9.VH2.G4I7t4T.XB1IQ97VH2HD4I344T3XB1Kq=3VJ2HD4I764..XB!KQ)3VH2XD4Y744T3XR1KQ93VH2HD4..74.3XB1.R9uSH2HD4I744T3XB1KQ93VH6HH4I744T3XB1KQ93VH2HD4I744T3XB1KQ93VH2HD4I744T3XB1KQ93vH2@D4I744T3XB1Cq93.H2HD4I744T3v6T3%93V..KD4i744.0XB3KQ93VH2HD4I744t3X".9"KPVH2.A4I7.7T3^B1K.:3VH2HD4I744T3.B1..KV:'QHD8I744T7XB3KQ9.UH2HD4I744T3XBqKQ{3VH2HD4I744T3XB1..:3VH2H.4I764Q3..3K..2VK2HD5I724T3XB1KQ93VH2HD4I744T3XB1KQ93VH2HD4I744T3XB1KQ93K.....\|Ij9:E.m.^.U..[.0.{;.&.9%.ru[.....nB2..3.M....:...1.A2M5....s12BX a?k;(.)..o...?.r.P&.2...I..:5\|.....u...;=il..G..R$<.R&8^-jg(QUF=.Z.0KQ93.....]L.iuA>Ue+K....[Ob...<1KQ]3VH@HD4(744.3XB^KQ9]VH26D4II44TuXB1.Q93aH2Ha4I7Y4T3\|B1K/93V.OGK...]G..XB1KQ...x.%..h....t@./bQn.. ...n1..W*.<.ut..<._..#f?5{.iLP?7SJ5LG8t9...y@5OT;4RK>uJ...........B....>.5744T3X.1K.93V.H.4I7.4.3..1KQ..V.2.D..4

C:\Users\user\AppData\Local\Temp\seskin

Download File

Process:	C:\Users\user\Desktop\PI-236031.exe
File Type:	ASCII text, with very long lines (28724), with no line terminators
Category:	dropped
Size (bytes):	28724
Entropy (8bit):	3.597914128032766
Encrypted:	false
SSDEEP:	768:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if68:ViTZ+2QoioGRk6ZklputwjpjBkCiw2Rv
MD5:	4A36F238137241184628781B082059A3
SHA1:	B89CF4F02420AD3699E9A352DCD5D48BE85DDCF1
SHA-256:	C9D368A94A094270B9206BEBCCBF2EBE33DB388C91D62CCF79E397C9959CFDCA
SHA-512:	A3015A5F0A903AE9832855820277BEA478F39E360EBBD5B781915475C20916974746FCA3A45DAE449A08F562B70FC822D5DE688AEF67203FB806033114910EFF
Malicious:	false
Reputation:	low
Preview:	84F98E0D192B10FD05E7E43AEF7957D5930866ABD5D0DA6FF50x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.93519305571913
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PI-236031.exe
File size:	1'037'312 bytes
MD5:	05d95a552838cb5c6d45a79473c9f430
SHA1:	535c4d854628081163b1da1afdea892204a88eef
SHA256:	9f8325d8345d383ed22e18f47303b03947c1e652ad304b7ca88a270355eb8f4d
SHA512:	4bab7d8da8541f46b7b048838f02c6d7a3408fe4615970375024fc7986bf2dbd790358a4aa2d68deb3a7ebdb4ab55b0bba85b54b390c695da7c645918f3d414c
SSDEEP:	24576:OAHnh+eWsN3skA4RV1Hom2KXMmHauvhieQkXRGQ5:5h+ZkldoPK8YauikX/
TLSH:	3C25AD0273D1C036FFABA2739B6AF64556BC79250123852F13981DB9BD701B2273E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6653D72F [Mon May 27 00:43:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FC931656ADDh
jmp 00007FC931649894h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FC931649A1Ah
cmp edi, eax
jc 00007FC931649D7Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FC931649A19h
rep movsb
jmp 00007FC931649D2Ch
cmp ecx, 00000080h
jc 00007FC931649BE4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FC931649A20h
bt dword ptr [004BF324h], 01h
jc 00007FC931649EF0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FC931649BBDh
test edi, 00000003h
jne 00007FC931649BCEh
test esi, 00000003h
jne 00007FC931649BADh
bt edi, 02h
jnc 00007FC931649A1Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FC931649A23h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FC931649A75h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x32d3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfb000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x32d3c	0x32e00	88f581fcbef880e42cdfbe48864c4b9e	False	0.870690648034398	data	7.748125869394679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfb000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x29fd4	data			1.0003546759076214
RT_GROUP_ICON	0xfa78c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xfa804	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xfa818	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xfa82c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xfa840	0x10c	data	English	Great Britain	0.5932835820895522
RT_MANIFEST	0xfa94c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:19:34.979962111 CEST	49705	80	192.168.2.9	208.95.112.1
May 27, 2024 12:19:34.984883070 CEST	80	49705	208.95.112.1	192.168.2.9
May 27, 2024 12:19:34.984951019 CEST	49705	80	192.168.2.9	208.95.112.1
May 27, 2024 12:19:34.985723972 CEST	49705	80	192.168.2.9	208.95.112.1
May 27, 2024 12:19:34.990551949 CEST	80	49705	208.95.112.1	192.168.2.9
May 27, 2024 12:19:35.481146097 CEST	80	49705	208.95.112.1	192.168.2.9
May 27, 2024 12:19:35.530163050 CEST	49705	80	192.168.2.9	208.95.112.1
May 27, 2024 12:20:22.556051016 CEST	80	49705	208.95.112.1	192.168.2.9
May 27, 2024 12:20:22.556154966 CEST	49705	80	192.168.2.9	208.95.112.1
May 27, 2024 12:21:15.503360033 CEST	49705	80	192.168.2.9	208.95.112.1
May 27, 2024 12:21:15.508423090 CEST	80	49705	208.95.112.1	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:19:34.961880922 CEST	55278	53	192.168.2.9	1.1.1.1
May 27, 2024 12:19:34.974106073 CEST	53	55278	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 12:19:34.961880922 CEST	192.168.2.9	1.1.1.1	0x884c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 12:19:34.974106073 CEST	1.1.1.1	192.168.2.9	0x884c	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49705	208.95.112.1	80	420	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:19:34.985723972 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 27, 2024 12:19:35.481146097 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:19:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	06:19:31
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\PI-236031.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PI-236031.exe"
Imagebase:	0xd60000
File size:	1'037'312 bytes
MD5 hash:	05D95A552838CB5C6D45A79473C9F430
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1537890077.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:19:32
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PI-236031.exe"
Imagebase:	0x530000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2777857768.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2778973187.0000000002925000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	158

Executed Functions

Function 00D63B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D63B7A
IsDebuggerPresent.KERNEL32 ref: 00D63B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E262F8,00E262E0,?,?), ref: 00D63BFD

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

Part of subcall function 00D70A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D63C26,00E262F8,?,?,?), ref: 00D70ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00D63C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E193F0,00000010), ref: 00D9D4BC
SetCurrentDirectoryW.KERNEL32(?,00E262F8,?,?,?), ref: 00D9D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E15D40,00E262F8,?,?,?), ref: 00D9D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00D9D581

Part of subcall function 00D63A58: GetSysColorBrush.USER32(0000000F), ref: 00D63A62
Part of subcall function 00D63A58: LoadCursorW.USER32(00000000,00007F00), ref: 00D63A71
Part of subcall function 00D63A58: LoadIconW.USER32(00000063), ref: 00D63A88
Part of subcall function 00D63A58: LoadIconW.USER32(000000A4), ref: 00D63A9A
Part of subcall function 00D63A58: LoadIconW.USER32(000000A2), ref: 00D63AAC
Part of subcall function 00D63A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D63AD2
Part of subcall function 00D63A58: RegisterClassExW.USER32(?), ref: 00D63B28

Part of subcall function 00D639E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D63A15
Part of subcall function 00D639E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D63A36
Part of subcall function 00D639E7: ShowWindow.USER32(00000000,?,?), ref: 00D63A4A
Part of subcall function 00D639E7: ShowWindow.USER32(00000000,?,?), ref: 00D63A53

Part of subcall function 00D643DB: _memset.LIBCMT ref: 00D64401
Part of subcall function 00D643DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D644A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00D9D4B4
runas, xrefs: 00D9D575

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 1b09cfb42d34fa75e94faa03a21c2979b9fa3598b63f4c932159f1ba57914485
Instruction ID: 26d7d6e1c5802b28fd147049a458ecb6f389c47a5464300b8458a8a8e884dc17
Opcode Fuzzy Hash: 1b09cfb42d34fa75e94faa03a21c2979b9fa3598b63f4c932159f1ba57914485
Instruction Fuzzy Hash: CA51E531904289EFCF11EBB4EC56EED7B75EB45304B044265F451B62B2DA709A4ACB31

Function 00D64AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00D64B2B

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

GetCurrentProcess.KERNEL32(?,00DEFAEC,00000000,00000000,?), ref: 00D64BF8
IsWow64Process.KERNEL32(00000000), ref: 00D64BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00D64C45
FreeLibrary.KERNEL32(00000000), ref: 00D64C50
GetSystemInfo.KERNEL32(00000000), ref: 00D64C81
GetSystemInfo.KERNEL32(00000000), ref: 00D64C8D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 45b8be79d5fdc1dd830385cebd4d6cc2c5b033f716918408c71e492dd315f437
Instruction ID: e174446af2987305273c17c9e4dfe86c661d3bd7a8586f993c50f5b7c27124fb
Opcode Fuzzy Hash: 45b8be79d5fdc1dd830385cebd4d6cc2c5b033f716918408c71e492dd315f437
Instruction Fuzzy Hash: 9D91C37154ABC4DFCB31DB68C5511AABFE5AF2A300B484E9ED0CA97B01D220E948C739

Function 00D64FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D64EEE,?,?,00000000,00000000), ref: 00D64FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D64EEE,?,?,00000000,00000000), ref: 00D65010
LoadResource.KERNEL32(?,00000000,?,?,00D64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D64F8F), ref: 00D9DD60
SizeofResource.KERNEL32(?,00000000,?,?,00D64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D64F8F), ref: 00D9DD75
LockResource.KERNEL32(00D64EEE,?,?,00D64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D64F8F,00000000), ref: 00D9DD88

Strings

SCRIPT, xrefs: 00D65006

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5be34552982fad4be211b46b176561f23d6ae1af05a47810a9bca167aa0d2e87
Instruction ID: 4ad90bd5fb0362932d16b6e5a328b003f8ce75dc6e84e74ee462cd1511d865b0
Opcode Fuzzy Hash: 5be34552982fad4be211b46b176561f23d6ae1af05a47810a9bca167aa0d2e87
Instruction Fuzzy Hash: 7B117C75200741BFD7219B65EC98F677BB9EBC9B12F24816CF506CA260DB71EC408670

Function 00D6E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt, xrefs: 00DA3F58
Variable must be of type 'Object'., xrefs: 00DA428C
Dt, xrefs: 00DA3F1F
Dt, xrefs: 00D6EC1A
Dt, xrefs: 00D6EC21

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
API String ID: 0-3952547859
Opcode ID: c71e6c50b48b682e1565fe41e8e60c224c654fad00ea96cf0aa191f8e645d9d8
Instruction ID: 8beb83d8bc9daee2d2564b8cea85ad12b56babfde26fbce65c15b54a625fe74d
Opcode Fuzzy Hash: c71e6c50b48b682e1565fe41e8e60c224c654fad00ea96cf0aa191f8e645d9d8
Instruction Fuzzy Hash: 2DA2AF79A04205CFCB24CF58C480AAEB7B2FF59304F288069E956AB351D775ED46CBB1

Function 00DC4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00D9E7C1), ref: 00DC46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00DC46B7
FindClose.KERNEL32(00000000), ref: 00DC46C7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 0598e50eef2255db48c7b615f173318408f3edc5d46b644c2bd85eedea30b3e7
Instruction ID: 34e908161ca369dc0691048c9d023f8b7e2dbd242aaa6849cd55da161d5eb63e
Opcode Fuzzy Hash: 0598e50eef2255db48c7b615f173318408f3edc5d46b644c2bd85eedea30b3e7
Instruction Fuzzy Hash: B2E0D8318106015B86107738EC9D9EA775CDE06335F100719F935C21E0E7B09D5085B9

Function 00D70B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D70BBB
timeGetTime.WINMM ref: 00D70E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D70FB3
TranslateMessage.USER32(?), ref: 00D70FC7
DispatchMessageW.USER32(?), ref: 00D70FD5
Sleep.KERNEL32(0000000A), ref: 00D70FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00D7105A
DestroyWindow.USER32 ref: 00D71066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D71080
Sleep.KERNEL32(0000000A,?,?), ref: 00DA52AD
TranslateMessage.USER32(?), ref: 00DA608A
DispatchMessageW.USER32(?), ref: 00DA6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DA60AC

Strings

@COM_EVENTOBJ, xrefs: 00DA591A
pr, xrefs: 00DA542D
pr, xrefs: 00DA53D8
@GUI_WINHANDLE, xrefs: 00DA53B9
pr, xrefs: 00DA5BDE
pr, xrefs: 00DA5383
@GUI_CTRLID, xrefs: 00DA5364
@TRAY_ID, xrefs: 00DA5BB9
@GUI_CTRLHANDLE, xrefs: 00DA540E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
API String ID: 4003667617-1825247661
Opcode ID: 5e2677f820ab433dff1ade617868e21e025360346a52533d1066877a3e551963
Instruction ID: 87a819200e2b605e8557b59d78e9bb8a1b1db60436457dfbdc731d6db7043b1f
Opcode Fuzzy Hash: 5e2677f820ab433dff1ade617868e21e025360346a52533d1066877a3e551963
Instruction Fuzzy Hash: 29B29E70608741DFD724DF24D894BAABBE4EF85304F18891DF48A972A1DB71E845CBB2

Function 00DC93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DC91E9: __time64.LIBCMT ref: 00DC91F3

Part of subcall function 00D65045: _fseek.LIBCMT ref: 00D6505D

__wsplitpath.LIBCMT ref: 00DC94BE

Part of subcall function 00D8432E: __wsplitpath_helper.LIBCMT ref: 00D8436E

_wcscpy.LIBCMT ref: 00DC94D1
_wcscat.LIBCMT ref: 00DC94E4
__wsplitpath.LIBCMT ref: 00DC9509
_wcscat.LIBCMT ref: 00DC951F
_wcscat.LIBCMT ref: 00DC9532

Part of subcall function 00DC922F: _memmove.LIBCMT ref: 00DC9268
Part of subcall function 00DC922F: _memmove.LIBCMT ref: 00DC9277

_wcscmp.LIBCMT ref: 00DC9479

Part of subcall function 00DC99BE: _wcscmp.LIBCMT ref: 00DC9AAE
Part of subcall function 00DC99BE: _wcscmp.LIBCMT ref: 00DC9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DC96DC
_wcsncpy.LIBCMT ref: 00DC974F
DeleteFileW.KERNEL32(?,?), ref: 00DC9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DC979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DC97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DC97BE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 0328a8fc35373e4334c4edaadcc09e83e860dd4a4154969dfc568ec544d4cb87
Instruction ID: 6bb81d588fb8ca574e56f66e81c19cadebd5f5dd0b80904a9e82b9e041709488
Opcode Fuzzy Hash: 0328a8fc35373e4334c4edaadcc09e83e860dd4a4154969dfc568ec544d4cb87
Instruction Fuzzy Hash: F9C1E8B190022AAADF21DF95CC95EDEB7B9EF45310F0040AAF609E7151DB709A848F75

Function 00D63015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D63074
RegisterClassExW.USER32(00000030), ref: 00D6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D630AF
InitCommonControlsEx.COMCTL32(?), ref: 00D630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D630DC
LoadIconW.USER32(000000A9), ref: 00D630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D63101

Strings

0, xrefs: 00D63056
+, xrefs: 00D6305D
AutoIt v3 GUI, xrefs: 00D63090
TaskbarCreated, xrefs: 00D630A4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0f2a035842d4f305728da9c41eebf4f848d52642bdac866e14be761aca41006d
Instruction ID: 8274b10d8fca5b3f24fc53c5a3d24f360dc21c2816d4ccb04bd13acbccc85c89
Opcode Fuzzy Hash: 0f2a035842d4f305728da9c41eebf4f848d52642bdac866e14be761aca41006d
Instruction Fuzzy Hash: 8F3138B1841349EFDB50EFA5D885BC9BBF0FB09310F10462AE580EA2A0D3B90586CF61

Function 00D63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D63074
RegisterClassExW.USER32(00000030), ref: 00D6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D630AF
InitCommonControlsEx.COMCTL32(?), ref: 00D630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D630DC
LoadIconW.USER32(000000A9), ref: 00D630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D63101

Strings

0, xrefs: 00D63056
+, xrefs: 00D6305D
AutoIt v3 GUI, xrefs: 00D63090
TaskbarCreated, xrefs: 00D630A4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c1504b6079c55f03d5b702761a10728463b473daaeba1eed29ab9ee2c1245956
Instruction ID: cf04790a86e0cd7e08af75cfe0bd9d9c73971e7517a5cd7a21a72b703a8c4a70
Opcode Fuzzy Hash: c1504b6079c55f03d5b702761a10728463b473daaeba1eed29ab9ee2c1245956
Instruction Fuzzy Hash: 6421B7B1901358EFDB14EF95E889B9DBBF4FB08700F10462AF511EA3A0D7B145498FA5

Function 00D671EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D64864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E262F8,?,00D637C0,?), ref: 00D64882

Part of subcall function 00D8074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D672C5), ref: 00D80771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D67308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D9ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D9ED32
RegCloseKey.ADVAPI32(?), ref: 00D9ED70
_wcscat.LIBCMT ref: 00D9EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 00D672FE
Include, xrefs: 00D9ECE8, 00D9ED29
\, xrefs: 00D9EDEC
\Include\, xrefs: 00D672C5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8c1fab3628c608068ba7822b649a584cff5f28edff17ecfa4681297503af2b66
Instruction ID: 69131d3c2e481487ffe8d3a99138734bc891c03c946ba14554865b14192793a0
Opcode Fuzzy Hash: 8c1fab3628c608068ba7822b649a584cff5f28edff17ecfa4681297503af2b66
Instruction Fuzzy Hash: 737129B2409305DEC724EF66EC8196BBBE8FF58740B44492EF485972B1EB309949CB71

Function 00D63A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D63A62
LoadCursorW.USER32(00000000,00007F00), ref: 00D63A71
LoadIconW.USER32(00000063), ref: 00D63A88
LoadIconW.USER32(000000A4), ref: 00D63A9A
LoadIconW.USER32(000000A2), ref: 00D63AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D63AD2
RegisterClassExW.USER32(?), ref: 00D63B28

Part of subcall function 00D63041: GetSysColorBrush.USER32(0000000F), ref: 00D63074
Part of subcall function 00D63041: RegisterClassExW.USER32(00000030), ref: 00D6309E
Part of subcall function 00D63041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D630AF
Part of subcall function 00D63041: InitCommonControlsEx.COMCTL32(?), ref: 00D630CC
Part of subcall function 00D63041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D630DC
Part of subcall function 00D63041: LoadIconW.USER32(000000A9), ref: 00D630F2
Part of subcall function 00D63041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D63101

Strings

#, xrefs: 00D63B0D
0, xrefs: 00D63B06
AutoIt v3, xrefs: 00D63B17

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e91644246d945a6fe37d873cff272684acbba006d2d093ce5bf72eb163b12533
Instruction ID: 58787fec87a4429dfb39590d85884ddef801a7548aac7fc392cede025a722995
Opcode Fuzzy Hash: e91644246d945a6fe37d873cff272684acbba006d2d093ce5bf72eb163b12533
Instruction Fuzzy Hash: 12214D72D00304EFEB21AFA6EC49B9D7BB5FB08710F004229F504BA2B0D3B556598F64

Function 00D63778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00D637C0
CMDLINERAW, xrefs: 00D6380D
CMDLINE, xrefs: 00D63834
/AutoIt3OutputDebug, xrefs: 00D638A4
/ErrorStdOut, xrefs: 00D6388F
b, xrefs: 00D9D44E
/AutoIt3ExecuteScript, xrefs: 00D638CE
/AutoIt3ExecuteLine, xrefs: 00D638B9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-3834736419
Opcode ID: 96412bdffcc7a7e236d5d49fc456d79fde8f4ea4b644a8a23cb2fe82c0bc56cc
Instruction ID: 956b513592387c02441d38a557c196f66442ca02dd36616e2dd56769257f2024
Opcode Fuzzy Hash: 96412bdffcc7a7e236d5d49fc456d79fde8f4ea4b644a8a23cb2fe82c0bc56cc
Instruction Fuzzy Hash: E9A14A729102299BCB14EBA1DC96AEEB778FF14300F14052AF416B7192DB75AA09CB70

Function 00D63633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00D636D2
KillTimer.USER32(?,00000001), ref: 00D636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D6371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D6372A
CreatePopupMenu.USER32 ref: 00D6373E
PostQuitMessage.USER32(00000000), ref: 00D6375F

Strings

TaskbarCreated, xrefs: 00D63725

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 77d188b5f80fec51637239f868cce576a34003fe23f58d3b143183d2d0d78359
Instruction ID: 776e60d321ef669d231c1301a82fe6a61df849b6cc8c0209a1ea79c4fcfbc7c8
Opcode Fuzzy Hash: 77d188b5f80fec51637239f868cce576a34003fe23f58d3b143183d2d0d78359
Instruction Fuzzy Hash: AB41E6B2204245ABDF247FA8EC4AB793755EB50300F180229F942E63A1DB74DE559771

Function 02F72640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 02F72711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02F72937

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 6746854e752128b856da1e6838fa4c21dd645e388e78bc581ad671d5f48dee3a
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 77A1F675E00209EBDB14CFA4C994FEEBBB5BF48304F20815AE605BB281D7759A81CF95

Function 00D6F8CF Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D803A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D803D3
Part of subcall function 00D803A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D803DB
Part of subcall function 00D803A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D803E6
Part of subcall function 00D803A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D803F1
Part of subcall function 00D803A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D803F9
Part of subcall function 00D803A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D80401

Part of subcall function 00D76259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00D6FA90), ref: 00D762B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D6FB2D
OleInitialize.OLE32(00000000), ref: 00D6FBAA
CloseHandle.KERNEL32(00000000), ref: 00DA49F2

Strings

c, xrefs: 00D6F94B
\d, xrefs: 00D6F957
<g, xrefs: 00D6FA90

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g$\d$c
API String ID: 1986988660-2468412954
Opcode ID: c246a6190305c511532affe7212db5678dc0797beaf3e90b7ea940c7d2aa642a
Instruction ID: 672022075012ea9657428211f458df510aa0227dd47115b33f4bae57615b3d79
Opcode Fuzzy Hash: c246a6190305c511532affe7212db5678dc0797beaf3e90b7ea940c7d2aa642a
Instruction Fuzzy Hash: B381A7B0901290CFC7A4EF2ABD516257BF5FB98308314876AD0A9E7362EB71550E8F20

Function 00D639E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D63A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D63A36
ShowWindow.USER32(00000000,?,?), ref: 00D63A4A
ShowWindow.USER32(00000000,?,?), ref: 00D63A53

Strings

edit, xrefs: 00D63A30
AutoIt v3, xrefs: 00D63A0D, 00D63A12, 00D63A13

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 763d50e18012508010e78e1a7f645809e6649c80132350aa13bae6be1426712c
Instruction ID: 4fe8b2b1d5a7d6c73b809849664f86eab5f744ca727bd59f79cec4789f61c742
Opcode Fuzzy Hash: 763d50e18012508010e78e1a7f645809e6649c80132350aa13bae6be1426712c
Instruction Fuzzy Hash: D3F0DA72641290FEEA3127276C49E772E7DD7C6F50B01422AB904B6270C6B51C56DAB0

Function 02F72410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F72300: Sleep.KERNELBASE(000001F4), ref: 02F72311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02F72534

Strings

Q93VH2HD4I744T3XB1K, xrefs: 02F72597, 02F7259A

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID: CreateFileSleep
String ID: Q93VH2HD4I744T3XB1K
API String ID: 2694422964-1951057454
Opcode ID: b28bf6e0113eef8ddffc41508f53435efcd434f7d6619170e7c0f1f8394f1dfc
Instruction ID: d7d729e49aff6760d89c9abacf4d21e41786f78c7fff34b0269099a7032ae825
Opcode Fuzzy Hash: b28bf6e0113eef8ddffc41508f53435efcd434f7d6619170e7c0f1f8394f1dfc
Instruction Fuzzy Hash: 47518671D04249DBEF11DBE4C859BEEBB79AF09344F00419AE604BB2C0D7B91B45CB65

Function 00D6410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D9D5EC

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

_memset.LIBCMT ref: 00D6418D
_wcscpy.LIBCMT ref: 00D641E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D641F1

Strings

Line: , xrefs: 00D9D615

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 089624cb73f24e02a0661e32587211c871891faab7ebe9f8e8a7f090e68ae866
Instruction ID: 424f31f802e00034e823e70a1b0355e42d615eac2e81e7ba35411be5ce1e7d30
Opcode Fuzzy Hash: 089624cb73f24e02a0661e32587211c871891faab7ebe9f8e8a7f090e68ae866
Instruction Fuzzy Hash: 8B31D172008348AFD731EB60DC46FDB77E8EF45304F10461AF184A20A1EB74AA49C7B2

Function 00D8564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D856AB
_memcpy_s.LIBCMT ref: 00D8571D
__read_nolock.LIBCMT ref: 00D8577B
__filbuf.LIBCMT ref: 00D8579E
_memset.LIBCMT ref: 00D857E2

Part of subcall function 00D88D68: __getptd_noexit.LIBCMT ref: 00D88D68

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 2a7d672ef01da0fefec98e74a3a6787917fb6a455a6ea928bd99a37773083033
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 6851C434A00B06DFDB24AF69EC8166E77A5EF40320F68C729F825962D8E7709D508B70

Function 00D669CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00D64F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D64F6F

_free.LIBCMT ref: 00D9E68C
_free.LIBCMT ref: 00D9E6D3

Part of subcall function 00D66BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D66D0D

Strings

Bad directive syntax error, xrefs: 00D9E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00D9E462

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 4ec853a17715760351593cbf9317aa188465718f8adf1a1fbbee2cbe0a2313e7
Instruction ID: 7111c6730684211a72fa7e2b30a4348461f57b44ee4f4aa966b4fb22e9b033f2
Opcode Fuzzy Hash: 4ec853a17715760351593cbf9317aa188465718f8adf1a1fbbee2cbe0a2313e7
Instruction Fuzzy Hash: 29910771910219AFCF14EFA4CC919EDBBB4FF19314F14446AE856AB2A1EB30E945CB70

Function 00D635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D635A1,SwapMouseButtons,00000004,?), ref: 00D635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00D635A1,SwapMouseButtons,00000004,?,?,?,?,00D62754), ref: 00D635F5
RegCloseKey.KERNELBASE(00000000,?,?,00D635A1,SwapMouseButtons,00000004,?,?,?,?,00D62754), ref: 00D63617

Strings

Control Panel\Mouse, xrefs: 00D635D2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f4e1dabfe997263fa573c1d6fba1647625e3726f8436065f0c1593ed995e3eec
Instruction ID: ccf0626bc8372f97c0495c1f74999b6efa29a974847a17771d28fc0133630d50
Opcode Fuzzy Hash: f4e1dabfe997263fa573c1d6fba1647625e3726f8436065f0c1593ed995e3eec
Instruction Fuzzy Hash: 2C115771610218BFDB20DFA8DC80EAEBBB8EF04740F008469F805DB210E2719F409BB0

Function 02F71300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02F71B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02F71B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02F71B73

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: d1cc8b15f9fd9df17ef5d4783ad104fca8b4ac7ce3a9699c56eb83891ce3f03f
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 88620A30A14258DBEB24CFA4C850BDEB376EF58740F1091A9D20DEB390E7759E85CB59

Function 00D8493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D849D0
__flush.LIBCMT ref: 00D849F0
__write.LIBCMT ref: 00D84A23
__flsbuf.LIBCMT ref: 00D84A51

Part of subcall function 00D88D68: __getptd_noexit.LIBCMT ref: 00D88D68

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 63bfe9871cd53c4f92ec086e6c7bf270aaf152189c7fcc2cb1b94778359e7272
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 3A41C4706006079BDB2CFFA9C8809AF77AAEF80364B28816DE8558B680D770DD408B74

Function 00D673E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D9EE62
GetOpenFileNameW.COMDLG32(?), ref: 00D9EEAC

Part of subcall function 00D648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D648A1,?,?,00D637C0,?), ref: 00D648CE

Part of subcall function 00D809D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D809F4

Strings

X, xrefs: 00D9EE7A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 13abdb5342ed8675caeea3043c3ead7744fcdf309fbfd082706271383643a091
Instruction ID: 5bc1bce8101f57203eea0267e6cb8152d1bcb3036a1ceb253e7d5c34e340c509
Opcode Fuzzy Hash: 13abdb5342ed8675caeea3043c3ead7744fcdf309fbfd082706271383643a091
Instruction Fuzzy Hash: A4218171A0025C9BDF11DF94C845BEE7BF99F49714F04405AE408F7242DBB49A8A8FB1

Function 00DC901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DC9036
__fread_nolock.LIBCMT ref: 00DC904B

Strings

EA06, xrefs: 00DC907D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 5da2e936a61dd4fb7aa42f97738fdce56b70b13d0c6e57d24e43cf6e7855015f
Instruction ID: 90aedd5dd7b7cdcd5435b8f397208c851273b2ad999c257df73ff6965fd83315
Opcode Fuzzy Hash: 5da2e936a61dd4fb7aa42f97738fdce56b70b13d0c6e57d24e43cf6e7855015f
Instruction Fuzzy Hash: 9001D671804218AEDB28D6A8DC1AFFEBBF8DB01301F00419FE552D2181E575A6089770

Function 00DC9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00DC9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DC9B99

Strings

aut, xrefs: 00DC9B93

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1356ac9b4c4332ac01cd7c8d47dd7ecb07f5de04550dd07b168ff3d33f0c5de6
Instruction ID: 2feffd373c52706fd981822627faea68c2ff3cae2a2296dd9e3a1940586a926e
Opcode Fuzzy Hash: 1356ac9b4c4332ac01cd7c8d47dd7ecb07f5de04550dd07b168ff3d33f0c5de6
Instruction Fuzzy Hash: AFD05E7954030DABDB10AB94DC4EFEA772CE704705F0042B1BF64D91A2DEB055988BA6

Function 00DDCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04dc7fe090bc7e647c7457afe2198d7c27e7c4572153068fb00c8d7b62c663ee
Instruction ID: a7be44aba84f879e867798cb596ca7d87ec7750857fa8e9db19f011bc6a0a14b
Opcode Fuzzy Hash: 04dc7fe090bc7e647c7457afe2198d7c27e7c4572153068fb00c8d7b62c663ee
Instruction Fuzzy Hash: BDF138716083419FCB14DF28C494A6ABBE6FF88314F14892EF8999B351D731E945CFA2

Function 00D643DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D64401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D644A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D644C3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: ee5ee44b5b4c9935005c3e09db9cc91464a33dd99f882e00ed2f23b4c2cc35dc
Instruction ID: 2d39439472af04c9003ef841c53bae1c20e0c68867083305536342ee86c88a37
Opcode Fuzzy Hash: ee5ee44b5b4c9935005c3e09db9cc91464a33dd99f882e00ed2f23b4c2cc35dc
Instruction Fuzzy Hash: FD319371504301CFD721DF25D885B97BBF8FB48308F040A2EF59A93251DBB5A948CBA2

Function 00D8594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00D85963

Part of subcall function 00D8A3AB: __NMSG_WRITE.LIBCMT ref: 00D8A3D2
Part of subcall function 00D8A3AB: __NMSG_WRITE.LIBCMT ref: 00D8A3DC

__NMSG_WRITE.LIBCMT ref: 00D8596A

Part of subcall function 00D8A408: GetModuleFileNameW.KERNEL32(00000000,00E243BA,00000104,?,00000001,00000000), ref: 00D8A49A
Part of subcall function 00D8A408: ___crtMessageBoxW.LIBCMT ref: 00D8A548

Part of subcall function 00D832DF: ___crtCorExitProcess.LIBCMT ref: 00D832E5
Part of subcall function 00D832DF: ExitProcess.KERNEL32 ref: 00D832EE

Part of subcall function 00D88D68: __getptd_noexit.LIBCMT ref: 00D88D68

RtlAllocateHeap.NTDLL(008C0000,00000000,00000001,00000000,?,?,?,00D81013,?), ref: 00D8598F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6411558a280cd4437f6a3a05d34ed939cc58689df4a03be94f35b27836f9a75e
Instruction ID: 8af501dff2e0169ad832c5549d271a23310f276f50b4234fe21fb0b9984443ee
Opcode Fuzzy Hash: 6411558a280cd4437f6a3a05d34ed939cc58689df4a03be94f35b27836f9a75e
Instruction Fuzzy Hash: A601F532200B15EEE6217B6AFC42B2E7288CF52B70F55002AF405AA1D1DE709D018BB1

Function 00DC9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00DC97D2,?,?,?,?,?,00000004), ref: 00DC9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DC97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00DC9B5B
CloseHandle.KERNEL32(00000000,?,00DC97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DC9B62

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6e01aaec3bb8ef501498b3199f253f8e86f2fb9f07682afdedfc0831ad88e1ec
Instruction ID: d79facd61fc445222d4aea322dbba375d8b0ac05fcbbf9b803a9661f9714b94d
Opcode Fuzzy Hash: 6e01aaec3bb8ef501498b3199f253f8e86f2fb9f07682afdedfc0831ad88e1ec
Instruction Fuzzy Hash: 5BE08632580318B7D7212B94EC49FCA7B29AB05761F148120FB14AD1E087B1291197A8

Function 00DC8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DC8FA5

Part of subcall function 00D82F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D89C64), ref: 00D82FA9
Part of subcall function 00D82F95: GetLastError.KERNEL32(00000000,?,00D89C64), ref: 00D82FBB

_free.LIBCMT ref: 00DC8FB6
_free.LIBCMT ref: 00DC8FC8

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: a6ba323c168e167784ed7806c68c22e4623a71efbea6c3a10ff57a6d2df3a6b9
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: 9CE012B16097025ACA24B579AD40FB357EE9F88350B1C081DB609DB142DE24E841D274

Function 00D6AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00DA002B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 71a085217d4a1457cb56da1b641c322391ce0416831ce842549604ba0150dd31
Instruction ID: 82eb7ae00f15965324cd98811548dfc7718a3f26a20bf79db7b1d73b23ef1f76
Opcode Fuzzy Hash: 71a085217d4a1457cb56da1b641c322391ce0416831ce842549604ba0150dd31
Instruction Fuzzy Hash: 55222774508341CFC724DF18C490A6ABBE1FF85314F19895DE89A9B262D735EC85CFA2

Function 00D64DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D64E1A

Strings

EA06, xrefs: 00D9DCF5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: eee5baf73258876f0a1cbde072441dd039ee079330e716bc7e83aebf34756f47
Instruction ID: 98101fe5c3b5e1f8468d3950d9577b1c7e6987a61a7ee861cdb4dbfabd3af178
Opcode Fuzzy Hash: eee5baf73258876f0a1cbde072441dd039ee079330e716bc7e83aebf34756f47
Instruction Fuzzy Hash: AB416D31A04554ABCF219B64D8517BF7FA6EF05300F2C4065F8829B287C626DD8487F1

Function 00D6492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00D64992

Part of subcall function 00D835AC: __lock.LIBCMT ref: 00D835B2
Part of subcall function 00D835AC: DecodePointer.KERNEL32(00000001,?,00D649A7,00DB81BC), ref: 00D835BE
Part of subcall function 00D835AC: EncodePointer.KERNEL32(?,?,00D649A7,00DB81BC), ref: 00D835C9

Part of subcall function 00D64A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D64A73
Part of subcall function 00D64A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D64A88

Part of subcall function 00D63B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D63B7A
Part of subcall function 00D63B4C: IsDebuggerPresent.KERNEL32 ref: 00D63B8C
Part of subcall function 00D63B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E262F8,00E262E0,?,?), ref: 00D63BFD
Part of subcall function 00D63B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00D63C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D649D2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: e3431565f04f47f9f5b36f9b78c4b64a014644ab3d3a7326843530da2e9ba29d
Instruction ID: 767d361b7e2c4ea3bce9b045f8205aef4210a0ca82d3115f348d46e341b22f96
Opcode Fuzzy Hash: e3431565f04f47f9f5b36f9b78c4b64a014644ab3d3a7326843530da2e9ba29d
Instruction Fuzzy Hash: EB118C72908351DFC310EF6ADC4590AFBE8EF94710F00461EF095972B1DB70964ACBA2

Function 00D65DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00D65981,?,?,?,?), ref: 00D65E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00D65981,?,?,?,?), ref: 00D9E19C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f48f5f1c75604b56ac9c945eef9a83fb1a492db9b5423bd1c70c85863028f052
Instruction ID: 1a71ec5c4bdb519872f688311e0a4f883863e995fc00ccdb007d49b3f0d3b2f5
Opcode Fuzzy Hash: f48f5f1c75604b56ac9c945eef9a83fb1a492db9b5423bd1c70c85863028f052
Instruction Fuzzy Hash: 1A01B570244708BFFB245E24DC8AF663B9CEB01768F14C318BAE56A1E1C6B55E858B70

Function 00D80FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D8594C: __FF_MSGBANNER.LIBCMT ref: 00D85963
Part of subcall function 00D8594C: __NMSG_WRITE.LIBCMT ref: 00D8596A
Part of subcall function 00D8594C: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001,00000000,?,?,?,00D81013,?), ref: 00D8598F

std::exception::exception.LIBCMT ref: 00D8102C
__CxxThrowException@8.LIBCMT ref: 00D81041

Part of subcall function 00D887DB: RaiseException.KERNEL32(?,?,?,00E1BAF8,00000000,?,?,?,?,00D81046,?,00E1BAF8,?,00000001), ref: 00D88830

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 2096de33fc97ed3a0feeeec4ccb59d9ff42bca4491dac77597c317bd477cc6ff
Instruction ID: ca7cf54ca7c4edc349fd765b8b4c2e6bbc995236db96d81d04df607f3b13fbe8
Opcode Fuzzy Hash: 2096de33fc97ed3a0feeeec4ccb59d9ff42bca4491dac77597c317bd477cc6ff
Instruction Fuzzy Hash: 6BF0283850031DA6CB20BA58EC02AEF7BACDF00350F104425F904A2281EFB1CA8597F1

Function 00D8582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D8585C
__lock_file.LIBCMT ref: 00D8587D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 3d423cfa7b3212356d7c5572738400beb364dcfd56ab6009213313b3dd2a0bdd
Instruction ID: 9cc124bcf79496ec924ce9c4eff5f244e0f8dac42cf88d8e60632eef9d2816fc
Opcode Fuzzy Hash: 3d423cfa7b3212356d7c5572738400beb364dcfd56ab6009213313b3dd2a0bdd
Instruction Fuzzy Hash: 09014471800609EBCF22BF699C0699F7B71EF80760F588256B8145A1A5DB31CA51EBB1

Function 00D855D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D88D68: __getptd_noexit.LIBCMT ref: 00D88D68

__lock_file.LIBCMT ref: 00D8561B

Part of subcall function 00D86E4E: __lock.LIBCMT ref: 00D86E71

__fclose_nolock.LIBCMT ref: 00D85626

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 53e2001b174a88e241451745b19cf8944ee210b3590b54b811546d3590aa967f
Instruction ID: 0027b087b426f083d15cbc9b2e031c06f3ab541eb6d4a7689a81f5bad26d702f
Opcode Fuzzy Hash: 53e2001b174a88e241451745b19cf8944ee210b3590b54b811546d3590aa967f
Instruction Fuzzy Hash: 50F02431800B009AD720BF35A803B6E77E0EF41330F948209A411BB0C5DF7C8901ABB1

Function 00D681C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00D6558F,?,?,?,?,?), ref: 00D681DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00D6558F,?,?,?,?,?), ref: 00D6820D

Part of subcall function 00D678AD: _memmove.LIBCMT ref: 00D678E9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: cbb9fdb3239bf9a92d5b497f22382e02a119c4151645e3547a5299764cac6b9f
Instruction ID: 2c6f1172122bf5bd578cb0a29801c4e27aa2721f8556e4d440008e5a42246b3a
Opcode Fuzzy Hash: cbb9fdb3239bf9a92d5b497f22382e02a119c4151645e3547a5299764cac6b9f
Instruction Fuzzy Hash: DE018B35201248BFEB24AB25DD9AE7B7F6CEB89760F10812AFD05CE291DE2198009671

Function 02F712FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02F71B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02F71B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02F71B73

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 5530f95f5b7b1a1aa51ebc92d579f30e325293d4f17d65d5b05e32cc0572793d
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 0012FF20E24658C6EB24DF64D8507DEB232EF68340F1091E9910DEB7A4E77A4F85CF5A

Function 00D72123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b094650d5e4c682fe1a73da2db43fef799b7ecc70f2f8a93b7b24b6ed9f6431
Instruction ID: b9c2e5da6e4e12c205f6c4ce62d9ac8c9b8a62fc5907e19ea7fbb20ca153c6d6
Opcode Fuzzy Hash: 3b094650d5e4c682fe1a73da2db43fef799b7ecc70f2f8a93b7b24b6ed9f6431
Instruction Fuzzy Hash: E6517035600604EFCF14EB68C991EBE77A6EF45710F188168F94AAB292DB34ED05CB71

Function 00D65C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00D65CF6

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 483103b44cb5ac33e7ef5fa0c9f95635f2d52c94c7ebfcd6ed059d3b77c50973
Instruction ID: 39203d61abb870786372cc9ef6a550519b011c09be43c6b35414c5620150cca4
Opcode Fuzzy Hash: 483103b44cb5ac33e7ef5fa0c9f95635f2d52c94c7ebfcd6ed059d3b77c50973
Instruction Fuzzy Hash: FA316D31A00B0AEFCB18DF2DD48465DB7B1FF48310F198629D81993754D731B9A0DBA0

Function 00DA00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00DA00E1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: bdda130017cd1ca85bcc7762f1a598b9434bc12285df6b2e744d76a35a610355
Instruction ID: 45d98482e8244ebee2ac00209edec29f994d4b0b8044eefd67d7bff98ce07993
Opcode Fuzzy Hash: bdda130017cd1ca85bcc7762f1a598b9434bc12285df6b2e744d76a35a610355
Instruction Fuzzy Hash: A941F6745043518FDB14DF18C484B1ABBE0BF45318F19889CE8999B762D736E885CF62

Function 00D65B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D65B61

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 053cef42567fbed355a96f0dbadfbdfa667347391b37d3aeaf395d25c7a0f30a
Instruction ID: c8af31555de5598d93fadc5f9ae5be042da449acac6236191dd62cadcef82d89
Opcode Fuzzy Hash: 053cef42567fbed355a96f0dbadfbdfa667347391b37d3aeaf395d25c7a0f30a
Instruction Fuzzy Hash: 9E21AE30A00A08EBDF109F56E8856AE7FB8FF14350F21846AE489E5014EB7194E49B75

Function 00D64F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D64D13: FreeLibrary.KERNEL32(00000000,?), ref: 00D64D4D

Part of subcall function 00D8548B: __wfsopen.LIBCMT ref: 00D85496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D64F6F

Part of subcall function 00D64CC8: FreeLibrary.KERNEL32(00000000), ref: 00D64D02

Part of subcall function 00D64DD0: _memmove.LIBCMT ref: 00D64E1A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 38d318d5ad1d451a4e10dff492f0907b844a089d8daea06e759e0ff940554d52
Instruction ID: f067643f614ec8f7e223b2bf181b4991965f41ae20717a0e7f4a72f358eca50b
Opcode Fuzzy Hash: 38d318d5ad1d451a4e10dff492f0907b844a089d8daea06e759e0ff940554d52
Instruction Fuzzy Hash: 5B11C131A00309ABCB10BF70D812FAE77A9DF80701F108429F581AA2C1DB719A459BB0

Function 00DA01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00DA01BB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f54840f66649ca398aafdba22fd46a9220f19e6b4e27969d952dc4ed9098c663
Instruction ID: 8d82c8da02b5288264df672d4a9cf2ab8d60c93687a9afe21720cdc76812fd27
Opcode Fuzzy Hash: f54840f66649ca398aafdba22fd46a9220f19e6b4e27969d952dc4ed9098c663
Instruction Fuzzy Hash: 2A2102B4608341CFCB14DF58C845A1ABBE4BF85314F098968F88A5B762D732E849CF62

Function 00D80941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D809F4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 70f0d041ac8cfaf5d69a0ac5361f666f51bea34a980da922b97982c75ee2e6a4
Instruction ID: 20703cff4c9e0bf63b210fbd8d0ed8bbcb866f413459ca4a1f70cc17a6a9d62e
Opcode Fuzzy Hash: 70f0d041ac8cfaf5d69a0ac5361f666f51bea34a980da922b97982c75ee2e6a4
Instruction Fuzzy Hash: DC017C3218D240CFCB12DBD5D8E97C07BB4EE0732431951CAD8818B47ACA64A81AFB75

Function 00D65D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00D65807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00D65D76

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 00318a42c60a0c0a56203009d057742fe604f6754f32349f5f217cee734922a3
Instruction ID: 9854bb8bfefac2c01c8fb99595af4485cd785ae7544709ff132a40f846b50003
Opcode Fuzzy Hash: 00318a42c60a0c0a56203009d057742fe604f6754f32349f5f217cee734922a3
Instruction Fuzzy Hash: 68110A31200B059FD330CF15D484B66B7E5EF45750F14C92EE5AA86A94D7B1E985CF60

Function 00D65BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D9E141

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction ID: d1a5168a6773405746a9724f986c33746a51d785da47934d9080fa5c16a478a3
Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction Fuzzy Hash: AD018FB9604942AFC305EB69D841D2AFBA9FF8A3107148159F819C7702DB30EC21CBF0

Function 00D84A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00D84AD6

Part of subcall function 00D88D68: __getptd_noexit.LIBCMT ref: 00D88D68

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 236ac48940de909214b0f0434c09bcb8f54f43742d3fc1fa93be8fbbc0a78307
Instruction ID: ad7c48377757e74a3b96e6961b02863bb32093e4068aea6925c4c6a3c673ad22
Opcode Fuzzy Hash: 236ac48940de909214b0f0434c09bcb8f54f43742d3fc1fa93be8fbbc0a78307
Instruction Fuzzy Hash: 05F0AF3194020AABDF61BF64CC067DE76A1EF00329F488518F424AB1D1DB788A50EF71

Function 00D64FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00E262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D64FDE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 7dddb3bc618fe672cee05e2fbd526926b04f58c8ea2f0c4b530fef37a12647b4
Instruction ID: 52a8bf8ea28b6c7fab20d1d3b28d7b5166d1a24fdccc674af9416e38c56615bd
Opcode Fuzzy Hash: 7dddb3bc618fe672cee05e2fbd526926b04f58c8ea2f0c4b530fef37a12647b4
Instruction Fuzzy Hash: D3F06D71105712CFCB349F64E494812BBF1FF043293248A7EE1DB82610C771A844DF60

Function 00D809D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D809F4

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 403e628e49a8d6aa02d66eb16f3de28f5f1a05e5c8794148718c1fba7fb34759
Instruction ID: b39ffc1168e0760cb0090ea5d24afcb86fd908d8c5e42c9f1463cae21d005fa8
Opcode Fuzzy Hash: 403e628e49a8d6aa02d66eb16f3de28f5f1a05e5c8794148718c1fba7fb34759
Instruction Fuzzy Hash: 6FE0863690422857C720E6589C05FFA77ADDF89694F0401B5FD0CD7204D9609C8186B0

Function 00DC9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00DC914B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 538ebdf41954a60d5478f39abd2a26225ffbf7be2428d6adb3e0fa8f33c5e999
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: CAE092B0104B015FDB348A24D815BE3B3E0FB06315F04081DF29A83341EB6278418769

Function 00D65DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00D9E16B,?,?,00000000), ref: 00D65DBF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b51ef8294a414d9e60ef3be6d39d69b4b83bf90fc5f0a3082a93c2e76865329b
Instruction ID: 5de893d6a29043f9af71f1001abe45b03f5099fd1d237f0d32895c834aa48421
Opcode Fuzzy Hash: b51ef8294a414d9e60ef3be6d39d69b4b83bf90fc5f0a3082a93c2e76865329b
Instruction Fuzzy Hash: 9FD0C77464030CBFE710DB80DC46FA9777CD745711F100194FD0496390D6B27E508795

Function 00D8548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00D85496

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d111b22eae553cbe517016d828aa84c62cc130cf8aa524af0b7e888592113fc4
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: D8B0927684020C77DF022E86FC02A593B199B40678F808020FB0C18162A673A6A096A9

Function 00DCD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00DCD46A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 39e9bc11742937dbde39939eb2ef8ce5102646bec66b322eb52e42c4b5c3280b
Instruction ID: 6e0667ba7d9c3fbb62b5aa07d28de04234d11fae5e97a904f11a9e9715b895ac
Opcode Fuzzy Hash: 39e9bc11742937dbde39939eb2ef8ce5102646bec66b322eb52e42c4b5c3280b
Instruction Fuzzy Hash: 557130302087029FC714EF64D891F6AB7E5EF89314F08456DF5969B2A1DB30E949CB72

Function 00D80E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00D80EF7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4937f35b3c2b66a46bf035257ff59adf1b5ca2a9a215b60d32a6043e919cefdd
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4A31E470A00105DFC7A9EF59C48096AFBA6FF59300B688AA5F449CB651D731EDC5CBE0

Function 02F72300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 02F72311

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: ec005c8fa26f8e017dbfc0f835ddbbf67aff806ecd1c69fb8b6797b6da987785
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A5E0E67494010DDFDB00EFB4D54969E7FF4EF04301F100561FD05D2280D7309D508A62

Non-executed Functions

Function 00DECDAC Relevance: 77.6, APIs: 40, Strings: 4, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00DECE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DECE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00DECED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DECF00
SendMessageW.USER32 ref: 00DECF29
_wcsncpy.LIBCMT ref: 00DECFA1
GetKeyState.USER32(00000011), ref: 00DECFC2
GetKeyState.USER32(00000009), ref: 00DECFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DECFE5
GetKeyState.USER32(00000010), ref: 00DECFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DED018
SendMessageW.USER32 ref: 00DED03F
SendMessageW.USER32(?,00001030,?,00DEB602), ref: 00DED145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00DED15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00DED16E
SetCapture.USER32(?), ref: 00DED177
ClientToScreen.USER32(?,?), ref: 00DED1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00DED1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DED203
ReleaseCapture.USER32 ref: 00DED20E
GetCursorPos.USER32(?), ref: 00DED248
ScreenToClient.USER32(?,?), ref: 00DED255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00DED2B1
SendMessageW.USER32 ref: 00DED2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00DED31C
SendMessageW.USER32 ref: 00DED34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DED36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00DED37B
GetCursorPos.USER32(?), ref: 00DED39B
ScreenToClient.USER32(?,?), ref: 00DED3A8
GetParent.USER32(?), ref: 00DED3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00DED431
SendMessageW.USER32 ref: 00DED462
ClientToScreen.USER32(?,?), ref: 00DED4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00DED4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00DED51A
SendMessageW.USER32 ref: 00DED53D
ClientToScreen.USER32(?,?), ref: 00DED58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00DED5C3

Part of subcall function 00D625DB: GetWindowLongW.USER32(?,000000EB), ref: 00D625EC

GetWindowLongW.USER32(?,000000F0), ref: 00DED65F

Strings

@U=u, xrefs: 00DECE91, 00DECF00, 00DECF29, 00DECFE5, 00DED018, 00DED03F, 00DED145, 00DED2B1, 00DED2DF, 00DED31C, 00DED34B, 00DED431, 00DED462, 00DED51A, 00DED53D
pr, xrefs: 00DED1BD
F, xrefs: 00DED543
@GUI_DRAGID, xrefs: 00DED1AA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F$pr
API String ID: 3977979337-103735452
Opcode ID: cdd1c0513a5e46c196907f956ce2221a3568fc9f1cad0607a6ecb64fbd6a6779
Instruction ID: 298a3a3cb81ebe4ef7972cc8aec510bdba60a62efc98e827b5ed06a880c3579b
Opcode Fuzzy Hash: cdd1c0513a5e46c196907f956ce2221a3568fc9f1cad0607a6ecb64fbd6a6779
Instruction Fuzzy Hash: 74429E30204381AFD725EF29C884BAABBE5FF49714F18061DF695972A0CB31D955CBB2

Function 00DE804A Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00DE873F

Strings

@U=u, xrefs: 00DE80E0, 00DE8134, 00DE81E7, 00DE822E, 00DE8256, 00DE83BB, 00DE8456, 00DE84A0, 00DE84EA, 00DE850A, 00DE85EC, 00DE8625, 00DE8676, 00DE86E1, 00DE873F
%d/%02d/%02d, xrefs: 00DE8478

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$@U=u
API String ID: 3850602802-2764005415
Opcode ID: be7ddd173cf77693bc58e0e72f6ea8359c6badf25f01daae57f191bf8d90f951
Instruction ID: 2fbb68b4cf6620809c6eaafe1d81b25519d984ad8e8d33f36a1c31b6f086b538
Opcode Fuzzy Hash: be7ddd173cf77693bc58e0e72f6ea8359c6badf25f01daae57f191bf8d90f951
Instruction Fuzzy Hash: AA12C371500384ABEB25AF65CC89FAE7BB8EF45710F244129F519EA2E1DF709941DB30

Function 00D7710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D775C2
_memset.LIBCMT ref: 00D776B1
_memmove.LIBCMT ref: 00D77C4B
_memmove.LIBCMT ref: 00D77E4F

Strings

\b(?<=\w), xrefs: 00DB3C41
DEFINE, xrefs: 00DB25AF
\b(?=\w), xrefs: 00DB3C34
[:<:]], xrefs: 00D775F1
[:>:]], xrefs: 00D7760A
0w, xrefs: 00DB1F5B
Q\E, xrefs: 00D781C1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-3460961967
Opcode ID: a42fa86408ebec32c715385d737332ca9d7e4b6dfe1ad6fb252a51a09ce84115
Instruction ID: 7a3bcedf3d4994ca4e33301a614b603ea49b21d3b080a08713fe37d17fbd56bc
Opcode Fuzzy Hash: a42fa86408ebec32c715385d737332ca9d7e4b6dfe1ad6fb252a51a09ce84115
Instruction Fuzzy Hash: 86938275A00215DBDB24CF58C8817FDB7B1FF48710F29856AE94AEB281E7709D81DB60

Function 00D64A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00D64A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D9DA8E
IsIconic.USER32(?), ref: 00D9DA97
ShowWindow.USER32(?,00000009), ref: 00D9DAA4
SetForegroundWindow.USER32(?), ref: 00D9DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D9DAC4
GetCurrentThreadId.KERNEL32 ref: 00D9DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D9DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D9DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D9DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00D9DAF8
SetForegroundWindow.USER32(?), ref: 00D9DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D9DB10
keybd_event.USER32(00000012,00000000), ref: 00D9DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D9DB25
keybd_event.USER32(00000012,00000000), ref: 00D9DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D9DB33
keybd_event.USER32(00000012,00000000), ref: 00D9DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D9DB42
keybd_event.USER32(00000012,00000000), ref: 00D9DB47
SetForegroundWindow.USER32(?), ref: 00D9DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00D9DB71

Strings

Shell_TrayWnd, xrefs: 00D9DA89

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: db19aebb159d55c2bdaf6f6e50ff5d9ff8486c87b8c74f16ec709b4b8b5e86cb
Instruction ID: 3a806a9d1c04dcd468a4f321bc1dd416a52f18cdc307086fec1c588a47a7050c
Opcode Fuzzy Hash: db19aebb159d55c2bdaf6f6e50ff5d9ff8486c87b8c74f16ec709b4b8b5e86cb
Instruction Fuzzy Hash: 3D317371A40358BBEF216FA19C89F7F3E6DEB54B50F154025FA04EA2D0C6B15910AAB0

Function 00DB8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00DB8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DB8D0D
Part of subcall function 00DB8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DB8D3A
Part of subcall function 00DB8CC3: GetLastError.KERNEL32 ref: 00DB8D47

_memset.LIBCMT ref: 00DB889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00DB88ED
CloseHandle.KERNEL32(?), ref: 00DB88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DB8915
GetProcessWindowStation.USER32 ref: 00DB892E
SetProcessWindowStation.USER32(00000000), ref: 00DB8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DB8952

Part of subcall function 00DB8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DB8851), ref: 00DB8728
Part of subcall function 00DB8713: CloseHandle.KERNEL32(?,?,00DB8851), ref: 00DB873A

Strings

default, xrefs: 00DB894D
, xrefs: 00DB88AA
winsta0, xrefs: 00DB8910

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 32d940520c26c632cd2cede6fd1022da36f625c6dcb660c04528867966406d6f
Instruction ID: 649382412263bf7f44f963ff6ab89040a2d4cc37d1944af36fc36a7864b9081c
Opcode Fuzzy Hash: 32d940520c26c632cd2cede6fd1022da36f625c6dcb660c04528867966406d6f
Instruction Fuzzy Hash: E4810B71901249EFDF11EFA4DC45AEEBBBDEF04304F18416AF911A6261DB318A15EB70

Function 00DD425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00DEF910), ref: 00DD4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00DD4292
GetClipboardData.USER32(0000000D), ref: 00DD429A
CloseClipboard.USER32 ref: 00DD42A6
GlobalLock.KERNEL32(00000000), ref: 00DD42C2
CloseClipboard.USER32 ref: 00DD42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00DD42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00DD42EE
GetClipboardData.USER32(00000001), ref: 00DD42F6
GlobalLock.KERNEL32(00000000), ref: 00DD4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00DD4337
CloseClipboard.USER32 ref: 00DD4447

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 4b61132c6585ae6e5139f60e62f3811c31ce48ccb1b035d4b9eed550e24c7472
Instruction ID: 2e2c33efb55f558c42448f3ac83d57ca8bd82adff3651bee1880e426c50c12d4
Opcode Fuzzy Hash: 4b61132c6585ae6e5139f60e62f3811c31ce48ccb1b035d4b9eed550e24c7472
Instruction Fuzzy Hash: BD519B31204346ABD711BF64ECD6F6E77A8EF84B00F04452AF59ADA2A1DF70D9048B76

Function 00DCC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DCC9F8
FindClose.KERNEL32(00000000), ref: 00DCCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DCCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DCCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DCCAAF
__swprintf.LIBCMT ref: 00DCCAFB
__swprintf.LIBCMT ref: 00DCCB3E

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

__swprintf.LIBCMT ref: 00DCCB92

Part of subcall function 00D838D8: __woutput_l.LIBCMT ref: 00D83931

__swprintf.LIBCMT ref: 00DCCBE0

Part of subcall function 00D838D8: __flsbuf.LIBCMT ref: 00D83953
Part of subcall function 00D838D8: __flsbuf.LIBCMT ref: 00D8396B

__swprintf.LIBCMT ref: 00DCCC2F
__swprintf.LIBCMT ref: 00DCCC7E
__swprintf.LIBCMT ref: 00DCCCCD

Strings

%4d, xrefs: 00DCCB38
%02d, xrefs: 00DCCB86, 00DCCB90, 00DCCBDE, 00DCCC2D, 00DCCC7C, 00DCCCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00DCCAF5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 32957962a7e2ae20ce001240f0c8a493e6a4264d03a25348c6ae233f639be48a
Instruction ID: 5152012767e2b2e2e9eb2d1506d730b8c8a19bcef53238ca17acfd4348621c41
Opcode Fuzzy Hash: 32957962a7e2ae20ce001240f0c8a493e6a4264d03a25348c6ae233f639be48a
Instruction Fuzzy Hash: 0BA12DB2508305ABC700FBA4C895DAFB7ECEF94704F444929F586C7191EA34EA48CB72

Function 00DCF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00DCF221
_wcscmp.LIBCMT ref: 00DCF236
_wcscmp.LIBCMT ref: 00DCF24D
GetFileAttributesW.KERNEL32(?), ref: 00DCF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00DCF279
FindNextFileW.KERNEL32(00000000,?), ref: 00DCF291
FindClose.KERNEL32(00000000), ref: 00DCF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00DCF2B8
_wcscmp.LIBCMT ref: 00DCF2DF
_wcscmp.LIBCMT ref: 00DCF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00DCF308
SetCurrentDirectoryW.KERNEL32(00E1A5A0), ref: 00DCF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DCF330
FindClose.KERNEL32(00000000), ref: 00DCF33D
FindClose.KERNEL32(00000000), ref: 00DCF34F

Strings

*.*, xrefs: 00DCF2B3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 97b2a443261cca8f0f88d7341539cd63b299e9b0d506b18f6d84a51d238be83c
Instruction ID: 89350ad53303bdb1f88fe2906114dce8e0f60dd8e3e23c3c4892117ac0149bba
Opcode Fuzzy Hash: 97b2a443261cca8f0f88d7341539cd63b299e9b0d506b18f6d84a51d238be83c
Instruction Fuzzy Hash: 9831C47650134A6ADB10EBB0DC88FDEB7ADDF48361F144179E904E3190DB30DA458A74

Function 00DE0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DE0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00DEF910,00000000,?,00000000,?,?), ref: 00DE0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00DE0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00DE0D1D
RegCloseKey.ADVAPI32(?), ref: 00DE103D
RegCloseKey.ADVAPI32(00000000), ref: 00DE104A

Strings

REG_DWORD, xrefs: 00DE0F0E
REG_EXPAND_SZ, xrefs: 00DE0CBA
REG_MULTI_SZ, xrefs: 00DE0E05
REG_BINARY, xrefs: 00DE0FD8
REG_SZ, xrefs: 00DE0D5B
REG_QWORD, xrefs: 00DE0F8B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d3dfe22d21e6d4eb4e1b3d7d81bfeee6ffeff134ef50478d3353e7f124284e6e
Instruction ID: 63b0a97f1b3d5bdadbb99b1881ab3571f224bd2780bb804c91ad0945e09869fb
Opcode Fuzzy Hash: d3dfe22d21e6d4eb4e1b3d7d81bfeee6ffeff134ef50478d3353e7f124284e6e
Instruction Fuzzy Hash: BB025E752006519FCB14EF25C895E2ABBE5FF88714F08885DF88A9B362CB70ED45CB61

Function 00DCF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00DCF37E
_wcscmp.LIBCMT ref: 00DCF393
_wcscmp.LIBCMT ref: 00DCF3AA

Part of subcall function 00DC45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DC45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00DCF3D9
FindClose.KERNEL32(00000000), ref: 00DCF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00DCF400
_wcscmp.LIBCMT ref: 00DCF427
_wcscmp.LIBCMT ref: 00DCF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00DCF450
SetCurrentDirectoryW.KERNEL32(00E1A5A0), ref: 00DCF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DCF478
FindClose.KERNEL32(00000000), ref: 00DCF485
FindClose.KERNEL32(00000000), ref: 00DCF497

Strings

*.*, xrefs: 00DCF3FB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 7c20d7013eb201bef991a0605ff2229b902597646e8bdbb8a172267a247a67c7
Instruction ID: 8c88cb5cc96b5aee53abe934e4e4b0c2da24efa5d31e55607e322e4d2811f121
Opcode Fuzzy Hash: 7c20d7013eb201bef991a0605ff2229b902597646e8bdbb8a172267a247a67c7
Instruction Fuzzy Hash: E331D57250535A6FCB14AF64EC88FDE77AD9F49321F180279E844E31A0D730DA44CA74

Function 00DB81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DB8766
Part of subcall function 00DB874A: GetLastError.KERNEL32(?,00DB822A,?,?,?), ref: 00DB8770
Part of subcall function 00DB874A: GetProcessHeap.KERNEL32(00000008,?,?,00DB822A,?,?,?), ref: 00DB877F
Part of subcall function 00DB874A: HeapAlloc.KERNEL32(00000000,?,00DB822A,?,?,?), ref: 00DB8786
Part of subcall function 00DB874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DB879D

Part of subcall function 00DB87E7: GetProcessHeap.KERNEL32(00000008,00DB8240,00000000,00000000,?,00DB8240,?), ref: 00DB87F3
Part of subcall function 00DB87E7: HeapAlloc.KERNEL32(00000000,?,00DB8240,?), ref: 00DB87FA
Part of subcall function 00DB87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DB8240,?), ref: 00DB880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DB825B
_memset.LIBCMT ref: 00DB8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DB828F
GetLengthSid.ADVAPI32(?), ref: 00DB82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00DB82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DB82F9
GetLengthSid.ADVAPI32(?), ref: 00DB8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DB8325
HeapAlloc.KERNEL32(00000000), ref: 00DB832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DB834D
CopySid.ADVAPI32(00000000), ref: 00DB8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DB8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DB83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DB83BF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7e3ec8a738a005cf837e8e6859de46e141bebaf1d43669215049fa93c44c9f8d
Instruction ID: 541628f129b9da820a2da42eb157fed34f0624c42a14a631f9d02b97501d925a
Opcode Fuzzy Hash: 7e3ec8a738a005cf837e8e6859de46e141bebaf1d43669215049fa93c44c9f8d
Instruction Fuzzy Hash: 66613771900209EBDF10AFA4DC85AEEBBB9FF04704F148169E816EB291DB359A45DF70

Function 00D76843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_MATCH=, xrefs: 00DB15A9
CR), xrefs: 00DB16C0
BSR_UNICODE), xrefs: 00DB1771
NO_START_OPT), xrefs: 00DB1588
UCP), xrefs: 00DB1546
LIMIT_RECURSION=, xrefs: 00DB1635
NO_AUTO_POSSESS), xrefs: 00DB1567
ANYCRLF), xrefs: 00DB1734
BSR_ANYCRLF), xrefs: 00DB1757
PJ, xrefs: 00D768B3
CRLF), xrefs: 00DB16FA
UTF16), xrefs: 00DB1508
LF), xrefs: 00DB16DD
UTF), xrefs: 00DB1533
ANY), xrefs: 00DB1717

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$UCP)$UTF)$UTF16)
API String ID: 0-1624373025
Opcode ID: 8b5ab84c304262d46e10235985462995dd9d9061b0eee3cd83f906b86ea3bd1d
Instruction ID: 046bf7eb4d134a2e84ec936d8a84b8caf2e350b5e5d3b0ae22df782bbe9db23c
Opcode Fuzzy Hash: 8b5ab84c304262d46e10235985462995dd9d9061b0eee3cd83f906b86ea3bd1d
Instruction Fuzzy Hash: C0726075E00619DBDB24CF59C8517EEB7B5FF48310F54816AE94AEB280EB70D9818BA0

Function 00DE0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DE0038,?,?), ref: 00DE10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DE0737

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00DE07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DE086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00DE0AAD
RegCloseKey.ADVAPI32(00000000), ref: 00DE0ABA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 838686cac5412c1591c8b21835e28271624792d335fe4e58c9e6db05ac26c5e3
Instruction ID: 2f0b9d50a82d116fc4102238a59709a59e33f1f8be31560a9098aa46af39d300
Opcode Fuzzy Hash: 838686cac5412c1591c8b21835e28271624792d335fe4e58c9e6db05ac26c5e3
Instruction Fuzzy Hash: 13E15131204354AFCB14EF25C895E6ABBE8EF89714F08856DF489DB262DB30ED45CB61

Function 00DC0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DC0241
GetAsyncKeyState.USER32(000000A0), ref: 00DC02C2
GetKeyState.USER32(000000A0), ref: 00DC02DD
GetAsyncKeyState.USER32(000000A1), ref: 00DC02F7
GetKeyState.USER32(000000A1), ref: 00DC030C
GetAsyncKeyState.USER32(00000011), ref: 00DC0324
GetKeyState.USER32(00000011), ref: 00DC0336
GetAsyncKeyState.USER32(00000012), ref: 00DC034E
GetKeyState.USER32(00000012), ref: 00DC0360
GetAsyncKeyState.USER32(0000005B), ref: 00DC0378
GetKeyState.USER32(0000005B), ref: 00DC038A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b9439472466fd2569699bbad8bd00eb030e42b0e8b3192ff59b8c2792a13b9ca
Instruction ID: 46241e65c17191bcc3a8d04b64e8a21d555d45ad1c538b2fc9c10124bfcd5da5
Opcode Fuzzy Hash: b9439472466fd2569699bbad8bd00eb030e42b0e8b3192ff59b8c2792a13b9ca
Instruction Fuzzy Hash: C941A8245047CBEEFF319BA4C848BA5FEA06F12340F1C409DD5C64B6C2EB9499C48BB6

Function 00DD86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

CoInitialize.OLE32 ref: 00DD8718
CoUninitialize.OLE32 ref: 00DD8723
CoCreateInstance.OLE32(?,00000000,00000017,00DF2BEC,?), ref: 00DD8783
IIDFromString.OLE32(?,?), ref: 00DD87F6
VariantInit.OLEAUT32(?), ref: 00DD8890
VariantClear.OLEAUT32(?), ref: 00DD88F1

Strings

NULL Pointer assignment, xrefs: 00DD87C8
Invalid parameter, xrefs: 00DD880F
Failed to create object, xrefs: 00DD878E, 00DD8844

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 99e766084e533dd009ecee298c45fff6ce3a2a5fe83efe56797d7310ba68e041
Instruction ID: a05e656ed6f1c80fba7431ef7509360b8553e7d4e9fd9f094bf06e15e6c0a34d
Opcode Fuzzy Hash: 99e766084e533dd009ecee298c45fff6ce3a2a5fe83efe56797d7310ba68e041
Instruction Fuzzy Hash: E0618D70608301AFD711DF64D884B6ABBE8EF48714F14481AF9859B391DB70ED48EBB2

Function 00DD4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00DD447F
EmptyClipboard.USER32 ref: 00DD4485
GlobalAlloc.KERNEL32(00000002,?), ref: 00DD449A
CloseClipboard.USER32 ref: 00DD4539

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e1f28e7966f2cf30429151e431e954432a38978a1f0b6d9ec9af1a8c860336b1
Instruction ID: 89a62c7de1f6b92648adcc8a05bb049691a07b404e2784d81998c325d8676513
Opcode Fuzzy Hash: e1f28e7966f2cf30429151e431e954432a38978a1f0b6d9ec9af1a8c860336b1
Instruction Fuzzy Hash: 29216B352002109FDB11BF64EC99B6EB7A8EF44711F14802AF946DB3A1CB74AD01CB74

Function 00DC3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D648A1,?,?,00D637C0,?), ref: 00D648CE

Part of subcall function 00DC4CD3: GetFileAttributesW.KERNEL32(?,00DC3947), ref: 00DC4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00DC3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00DC3B87
MoveFileW.KERNEL32(?,?), ref: 00DC3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00DC3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DC3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00DC3BF5

Strings

\*.*, xrefs: 00DC3A8A, 00DC3A93, 00DC3AA8

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: fe7622d6bbcc6a462ab1845422f78ca28c6dc01d0dea00238ae4151a84f445ac
Instruction ID: 70d9ba2a0f093f6130fa371023c1a7d640ca633c06dbfe08b7592b43a26a9e14
Opcode Fuzzy Hash: fe7622d6bbcc6a462ab1845422f78ca28c6dc01d0dea00238ae4151a84f445ac
Instruction Fuzzy Hash: CB513D3180524EABCB15EBA0DA92EEDB779EF14304F648169E442B7191DF216F49CBB0

Function 00DCF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00DCF6AB
Sleep.KERNEL32(0000000A), ref: 00DCF6DB
_wcscmp.LIBCMT ref: 00DCF6EF
_wcscmp.LIBCMT ref: 00DCF70A
FindNextFileW.KERNEL32(?,?), ref: 00DCF7A8
FindClose.KERNEL32(00000000), ref: 00DCF7BE

Strings

*.*, xrefs: 00DCF690

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 098decbfea64c9bb9176e95e0a8b3c5c3cda405df258fa5a281adc98477f6a0d
Instruction ID: 8fb19ce2f5f2e94071e0609156e90d5a8d65accda2f8955da3ce2edf9c210341
Opcode Fuzzy Hash: 098decbfea64c9bb9176e95e0a8b3c5c3cda405df258fa5a281adc98477f6a0d
Instruction Fuzzy Hash: 32413A7190020A9BDF15EF64CC85EEEBBB5FF05310F14456AE815A72A1DB309E84CBB0

Function 00D74140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00D744DB
VUUU, xrefs: 00D744ED
ERCP, xrefs: 00D7421F
VUUU, xrefs: 00D74520
VUUU, xrefs: 00DA7B0C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: e7a0f28e52587d96f7716baebb33492a61ee8a69826302bd23f14f3e02a00637
Instruction ID: 9191abde9a579183ab889ee4caf5820e1913a619bc315208bda1de636b6fdbef
Opcode Fuzzy Hash: e7a0f28e52587d96f7716baebb33492a61ee8a69826302bd23f14f3e02a00637
Instruction Fuzzy Hash: 8AA28F70E0421ACBDF25CF58C9907ADB7B1BF55314F18C1AAD95AA7280E7309E81DFA1

Function 00D758C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D75A05
_memmove.LIBCMT ref: 00D75A55
_memmove.LIBCMT ref: 00D75ABB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 024dfe467cffa8705e32a8236ab303ff00ddcbbbf762f98f6364fa605f58e136
Instruction ID: 0f0f190555a09f80133ad518805f63cab17caf02e140c9805532727203c33b90
Opcode Fuzzy Hash: 024dfe467cffa8705e32a8236ab303ff00ddcbbbf762f98f6364fa605f58e136
Instruction Fuzzy Hash: 47129970A00609DFDF04DFA5D981AEEB7F5FF48300F248629E44AA7254EB35AA15CB71

Function 00DC545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DB8D0D
Part of subcall function 00DB8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DB8D3A
Part of subcall function 00DB8CC3: GetLastError.KERNEL32 ref: 00DB8D47

ExitWindowsEx.USER32(?,00000000), ref: 00DC549B

Strings

SeShutdownPrivilege, xrefs: 00DC546B
@, xrefs: 00DC548E
, xrefs: 00DC5489

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: d43a0550340d9200b7a7bc6a96480999e2b7f9dfa3af1d409aa4de8ca5bb3037
Instruction ID: 21528ee142e63b6ea6b75ae45ec2d23707c190a6d821dfdea87542d93731f0c1
Opcode Fuzzy Hash: d43a0550340d9200b7a7bc6a96480999e2b7f9dfa3af1d409aa4de8ca5bb3037
Instruction Fuzzy Hash: 0F01F131659B03AAEB2C6274FC8AFBA7258EB00342F280128F846D70C6DA607CC081B0

Function 00DD6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DD65EF
WSAGetLastError.WSOCK32(00000000), ref: 00DD65FE
bind.WSOCK32(00000000,?,00000010), ref: 00DD661A
listen.WSOCK32(00000000,00000005), ref: 00DD6629
WSAGetLastError.WSOCK32(00000000), ref: 00DD6643
closesocket.WSOCK32(00000000,00000000), ref: 00DD6657

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: edd977954e21da5ac86b4f348ed26f869390246f65fc0449e5e7ebd4f667dcaf
Instruction ID: f4e7e168d4a51dbdf8de06ccf81269e66874dffae5d5b38e87cf2e2955751398
Opcode Fuzzy Hash: edd977954e21da5ac86b4f348ed26f869390246f65fc0449e5e7ebd4f667dcaf
Instruction Fuzzy Hash: B6216D356002049FDB10FF64D895B6EB7A9EF48720F19819AF956EB391CB70ED018BB1

Function 00D75680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00D80FF6: std::exception::exception.LIBCMT ref: 00D8102C
Part of subcall function 00D80FF6: __CxxThrowException@8.LIBCMT ref: 00D81041

_memmove.LIBCMT ref: 00DB062F
_memmove.LIBCMT ref: 00DB0744
_memmove.LIBCMT ref: 00DB07EB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 3f15bede0042d8a12584f089fd1ac21b68346f0ae668fc4e39530ac0f48477cf
Instruction ID: 21b092b17f2614a8192fa0e3545b03bfcc7b8e51f50c5d41dc513b7f2b8ddb73
Opcode Fuzzy Hash: 3f15bede0042d8a12584f089fd1ac21b68346f0ae668fc4e39530ac0f48477cf
Instruction Fuzzy Hash: 6B028FB0A00209DFDF04DF69D981AAEBBB5EF44300F14C069E84ADB255EB35DA55CBB1

Function 00D61287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00D619FA
GetSysColor.USER32(0000000F), ref: 00D61A4E
SetBkColor.GDI32(?,00000000), ref: 00D61A61

Part of subcall function 00D61290: DefDlgProcW.USER32(?,00000020,?), ref: 00D612D8

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: ce654ccb4e1dac344f4d5221dbfc21b2c794fa687fbad32fa69a93a13fb81ee6
Instruction ID: a27483c050718c56c35ecf6217c1b2840da3fd1c5563d446d9362dad08ac8f63
Opcode Fuzzy Hash: ce654ccb4e1dac344f4d5221dbfc21b2c794fa687fbad32fa69a93a13fb81ee6
Instruction Fuzzy Hash: 22A18A79101585BFEB38ABAAAD49D7F359DDB4235AB1D021BF442D61D2CE20CD03D2B1

Function 00DD6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DD80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DD6AB1
WSAGetLastError.WSOCK32(00000000), ref: 00DD6ADA
bind.WSOCK32(00000000,?,00000010), ref: 00DD6B13
WSAGetLastError.WSOCK32(00000000), ref: 00DD6B20
closesocket.WSOCK32(00000000,00000000), ref: 00DD6B34

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: aa91c98f4ab9bd0ca6232f3251799c725cabd0b5f47663df837f86166dc86338
Instruction ID: 28c543a442017d2b6ba59737c6e78ad703540d6b7b85e31f5db2e73cbc39d9ca
Opcode Fuzzy Hash: aa91c98f4ab9bd0ca6232f3251799c725cabd0b5f47663df837f86166dc86338
Instruction Fuzzy Hash: 6D41B175740210AFEB10BF64DC96F6EB7A9DF48710F048159F95AAB3C2CA719D008BB1

Function 00DE55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00DE564C
IsWindowEnabled.USER32 ref: 00DE565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00DE5667
IsIconic.USER32 ref: 00DE5675
IsZoomed.USER32 ref: 00DE5683

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7804331548c5f6931136a5f0f54f6275ff17cb7c6b74c814463f0d40d07c4c2c
Instruction ID: 36e54864089dc1c83c8cfa54b464c00d509f1ffbc1788501bf87629afe1f2fc7
Opcode Fuzzy Hash: 7804331548c5f6931136a5f0f54f6275ff17cb7c6b74c814463f0d40d07c4c2c
Instruction Fuzzy Hash: 0A11B231340A916FEB217F27EC54B2BB798EF547A5B88442DF846DB241CB70D9018AB4

Function 00DDC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DA1D88,?), ref: 00DDC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DDC324

Strings

kernel32.dll, xrefs: 00DDC30D
GetSystemWow64DirectoryW, xrefs: 00DDC31E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: f0447142ca6493c12477b01a67d6d0d8cd2f95e5a427958e7372bd60921e2a0a
Instruction ID: 3b60dc2abb260039c80635374d1035d7b1004116f1e8ae445c71122fc1c72912
Opcode Fuzzy Hash: f0447142ca6493c12477b01a67d6d0d8cd2f95e5a427958e7372bd60921e2a0a
Instruction Fuzzy Hash: D9E0EC74611B53CFDB206F65D844A86B6D4EB08755F94D43AE895D6360E770D880CA70

Function 00D73190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 79c977f4f9ec790922fbef62b44a9a146ee5266aec39327bcb5313d4c8b6ce01
Instruction ID: 1b5d7d6d9ab14edd61c5c130ca137f956c3aef0af0e2b5ac2922e4c219cf0016
Opcode Fuzzy Hash: 79c977f4f9ec790922fbef62b44a9a146ee5266aec39327bcb5313d4c8b6ce01
Instruction Fuzzy Hash: 1A2279716083019FC724DF24C891BAEB7E4EF85714F14891DF89A97291EB71EA04DBB2

Function 00DDF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DDF151
Process32FirstW.KERNEL32(00000000,?), ref: 00DDF15F

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Process32NextW.KERNEL32(00000000,?), ref: 00DDF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00DDF22E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6a175101e4bb0b8ae6b219dc112b5f4b896e2e45f23169591aa95b3983320805
Instruction ID: dde03d1771f9d3ef0739cf63b84d946b4630d33d7033f07be797067963a408be
Opcode Fuzzy Hash: 6a175101e4bb0b8ae6b219dc112b5f4b896e2e45f23169591aa95b3983320805
Instruction Fuzzy Hash: 15515B71504301AFD310EF64DC95A6BBBE8EF98710F14492DF496972A1EB70A908CBB2

Function 00DC40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DC40D1
_memset.LIBCMT ref: 00DC40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00DC4144
CloseHandle.KERNEL32(00000000), ref: 00DC414D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: f28afa537b2b98bcfda193d1e9a48b139f222bf39d341534721aec6e819e2fcc
Instruction ID: 7f369447645e3426dfda0c8f9e85afd9de1490fa5955d97f82913ae66333d4fd
Opcode Fuzzy Hash: f28afa537b2b98bcfda193d1e9a48b139f222bf39d341534721aec6e819e2fcc
Instruction Fuzzy Hash: 8D11A775D413287AD730ABA5AC4DFABBB7CEF44760F1041AAF908D7280D6744E808BB4

Function 00DBEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DBEB19

Strings

|, xrefs: 00DBEB49
(, xrefs: 00DBEB5F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6381a2b1db79e1aafa8b27da16272ce647a01ead5a9843bce96c6b2b18f89eff
Instruction ID: a27bec74bfb7cf0eaaeb69faea320d799ecb4e226f6a56e688f39d922f4d68e7
Opcode Fuzzy Hash: 6381a2b1db79e1aafa8b27da16272ce647a01ead5a9843bce96c6b2b18f89eff
Instruction Fuzzy Hash: 5B323575A00605DFCB28DF19C481AAAB7F0FF48310B15C56EE89ADB3A1EB70E941CB54

Function 00DD25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00DD26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00DD270C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 510924fcc68e0a72589a0d8c5f63c3d1cda6308d6a0b77581b1cfb9db8ddd406
Instruction ID: 7d05e891f26ad6b696e0bafd271481d6293b3445628a406edd57b21d90740174
Opcode Fuzzy Hash: 510924fcc68e0a72589a0d8c5f63c3d1cda6308d6a0b77581b1cfb9db8ddd406
Instruction Fuzzy Hash: B841B075500309BFEB20AA94DC85EBBB7BCEB50724F14406BF641A6340EAB1DE459674

Function 00DCB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DCB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DCB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00DCB655

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3dd876434a6b245c23ba16e35669b3023444a33a2becbe07fb096d3a76154358
Instruction ID: f79a5e08e4a67aa2a663e06f554628c81bd9e253e6e6077bc4210fa987d2b787
Opcode Fuzzy Hash: 3dd876434a6b245c23ba16e35669b3023444a33a2becbe07fb096d3a76154358
Instruction Fuzzy Hash: B9215135A00618EFCB00EFA5D891EEDBBB8FF48314F1480A9E945EB351DB319955CB61

Function 00DB8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D80FF6: std::exception::exception.LIBCMT ref: 00D8102C
Part of subcall function 00D80FF6: __CxxThrowException@8.LIBCMT ref: 00D81041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DB8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DB8D3A
GetLastError.KERNEL32 ref: 00DB8D47

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 2d505dca3bdc8500338d5ced0946c42f6325eef2b2521b9567e483aa56416905
Instruction ID: b594954e26a83f51029b6bfee76c9d90497577a877e7a431d6d4a72b86c6c16f
Opcode Fuzzy Hash: 2d505dca3bdc8500338d5ced0946c42f6325eef2b2521b9567e483aa56416905
Instruction Fuzzy Hash: 8E116DB1414309AFD728AF54DC85DABBBBCEB44710B24852EF45696251EB30AC45CB70

Function 00DC4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00DC4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DC4C43
FreeSid.ADVAPI32(?), ref: 00DC4C53

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 76ea8c7a099145e898ac4f2412116282314b9f1786df5a9cd46ad87288cc5be4
Instruction ID: e734cf4f4ce1c3afdeb51385be5f1eb7b68f7852e59352042f37aaf53302c0f4
Opcode Fuzzy Hash: 76ea8c7a099145e898ac4f2412116282314b9f1786df5a9cd46ad87288cc5be4
Instruction Fuzzy Hash: 3EF04975A1130DBFDF04DFF0DD89AAEBBBCEF08211F4044A9A901E6281E6706A048B60

Function 00DC8B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00DC8B25

Part of subcall function 00D8543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DC91F8,00000000,?,?,?,?,00DC93A9,00000000,?), ref: 00D85443
Part of subcall function 00D8543A: __aulldiv.LIBCMT ref: 00D85463

Strings

0u, xrefs: 00DC8B1C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u
API String ID: 2893107130-1339160046
Opcode ID: d8560cafd3687c1c16a35a6aa8f2e07a74bffcafba7918d6c9ae051000556dd9
Instruction ID: 1bbbdd3538b8a08c717680daa2ab8dd51eb9d0bfcc584e529187a240da9bdfc0
Opcode Fuzzy Hash: d8560cafd3687c1c16a35a6aa8f2e07a74bffcafba7918d6c9ae051000556dd9
Instruction Fuzzy Hash: F721C0726255108FC329CF29D841F52B3E1EBA5311B288E6CD0E5CB2D0CA74BD05DBA4

Function 00D6E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74db4b24221747ba1c60f68fea043c9207e35f49e6db1b9ab9b9bf420c7ad001
Instruction ID: 8cc1c9a2f37d9aac4deeef9421270d5b09fb96d0a889278edcbca3dcd7171601
Opcode Fuzzy Hash: 74db4b24221747ba1c60f68fea043c9207e35f49e6db1b9ab9b9bf420c7ad001
Instruction Fuzzy Hash: EF22A078A00215CFDB24DF58C490AAEB7F1FF19310F188569E8969B351E734E985CBB1

Function 00DCC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DCC966
FindClose.KERNEL32(00000000), ref: 00DCC996

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5592089d3931e78b9c990614cdfd53671798604db5bed32b39e3b651371627da
Instruction ID: f0c5a39c26555127c9b5000cdc2b73fc25407cf6714d50d73aad6b093badf3ec
Opcode Fuzzy Hash: 5592089d3931e78b9c990614cdfd53671798604db5bed32b39e3b651371627da
Instruction Fuzzy Hash: 271152716106009FD710EF29D855A2AF7E9EF44325F04851EF9A9DB291DB34AC01CBA1

Function 00DCA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00DD977D,?,00DEFB84,?), ref: 00DCA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00DD977D,?,00DEFB84,?), ref: 00DCA314

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e4d6cc6e97304d87ec75bb2950004c73829cbab830b360f96d8f80666aa55b5a
Instruction ID: 2a786ad591399b04ec423afdc4ce7be5dc90c2f7d68bded00a1cd91041849fb6
Opcode Fuzzy Hash: e4d6cc6e97304d87ec75bb2950004c73829cbab830b360f96d8f80666aa55b5a
Instruction Fuzzy Hash: CFF0823554436EABDB10AFA4CC48FEA776DFF09765F004169F908D7281D6309940CBB1

Function 00DB8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DB8851), ref: 00DB8728
CloseHandle.KERNEL32(?,?,00DB8851), ref: 00DB873A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e8cbf120eec767551f53c9f158e8946265223efd0593b17664580b30e9638d67
Instruction ID: 9842ecd7e0324336b1fd4b0a72e5bb1901d89f472e2252a15e40bb88245c2e33
Opcode Fuzzy Hash: e8cbf120eec767551f53c9f158e8946265223efd0593b17664580b30e9638d67
Instruction Fuzzy Hash: 7EE0B676010650EEE7263B60EC09E777BADEB04354B248829F496C4470DB62AC91DB30

Function 00D8A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D88F97,?,?,?,00000001), ref: 00D8A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00D8A3A3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 69fd2b0bb652d8f3eb0152f17bd5853a786cd2abe6862d9069f3c3d9cd692c1e
Instruction ID: 85f47f8010b9e6d7b2c541ac60d9dd8d57e332b01b6d01e4fff1aeab561dad83
Opcode Fuzzy Hash: 69fd2b0bb652d8f3eb0152f17bd5853a786cd2abe6862d9069f3c3d9cd692c1e
Instruction Fuzzy Hash: 5BB09231054348ABCA003B91EC49B883F68EB44AA2F404020F60DC8664CB6255508AA1

Function 00D8F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e17c024115855895e28dbbc0de4ccdf13d54527fe297ff5f4e7fb74f8e12810
Instruction ID: 271e85a39274ca5b95eeb8dd491f842d0e62e9b9a1db0e8c2bcb127eb594a3f3
Opcode Fuzzy Hash: 3e17c024115855895e28dbbc0de4ccdf13d54527fe297ff5f4e7fb74f8e12810
Instruction Fuzzy Hash: 99321622D69F014DD723A634D872336A289AFB73D4F15D737F819F5AA6EB28C5834210

Function 00D9267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd43f80015a7aeec743084ebed1f00424b9997a12127263774252edcc1076be
Instruction ID: a5f7db439456291a9469f37a58d07cf1d08478a798303e02011259554d0a449f
Opcode Fuzzy Hash: 1cd43f80015a7aeec743084ebed1f00424b9997a12127263774252edcc1076be
Instruction Fuzzy Hash: 55B11361D2AF414DD72396398871336B78CAFBB2D5F51D71BFC1AB4E22EB2185838141

Function 00DD41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00DD4218

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 606d4735f4c54556c39ba2e1e051475badedc6b672314110cec779c5c3195013
Instruction ID: 59b4f5c4dc666962a9b5c7aee2dddf867869a95aeb037e7477f0cbcd89fe56ea
Opcode Fuzzy Hash: 606d4735f4c54556c39ba2e1e051475badedc6b672314110cec779c5c3195013
Instruction Fuzzy Hash: 99E04F312402149FC710EF69D854A9AFBECEFA4760F05802AFC49CB352DA70E8408BB0

Function 00DC4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00DC4EEC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5378805933ae29ed7fd0d75ad8bb67d1e5f1836d76a45ff39478bec083debacc
Instruction ID: 2ce351f428422d258f5bbc0ea483db01ef67086ed4e87d24959c3176a99bee4d
Opcode Fuzzy Hash: 5378805933ae29ed7fd0d75ad8bb67d1e5f1836d76a45ff39478bec083debacc
Instruction Fuzzy Hash: 44D09E9916074779EE585B249C7FF77111DF300785FDA554EF542CB1C2D8E0AC556031

Function 00DB8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00DB88D1), ref: 00DB8CB3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bd893961cc3cf799af2a0aec300e50231fa392c76cc61c3b968f422cd58ec5dc
Instruction ID: 402af7163f924326d982de921be4acaa3ba878a9bb763c74cd92abd638e009ed
Opcode Fuzzy Hash: bd893961cc3cf799af2a0aec300e50231fa392c76cc61c3b968f422cd58ec5dc
Instruction Fuzzy Hash: 3DD05E3226060EABEF019FA4DC01EAE3B69EB04B01F408111FE15C51A1C775D835AB60

Function 00DA2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00DA2242

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 184a38e11fe5773e007758ba4934c2d05642f1486028128fc9a6768dcdcbbbdf
Instruction ID: cb04340c3b4ac75840f2a4cb3e1a26de04a8faaf3b88e613ec560fa8cccdccaa
Opcode Fuzzy Hash: 184a38e11fe5773e007758ba4934c2d05642f1486028128fc9a6768dcdcbbbdf
Instruction Fuzzy Hash: 75C04CF5800109DBDB05EB90D988DEE77BCAB05304F104455A141F2140D7749B448A71

Function 00D8A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00D8A36A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 32aac58e547cb3e5da117d48ed1d761b2d15a7f0336a63ccbb84bfa930d7afd6
Instruction ID: 89afd232e8980f9bfef5ee59f968bdb93ce12e4a43872c0b33914674aeb6df58
Opcode Fuzzy Hash: 32aac58e547cb3e5da117d48ed1d761b2d15a7f0336a63ccbb84bfa930d7afd6
Instruction Fuzzy Hash: 26A0113000020CAB8A002B82EC08888BFACEA002A0B008020F80C882228B32A8208AA0

Function 00D78A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a650207e0f22c0dab34d484b187b3416a56834689a880af8b29e274150be099b
Instruction ID: 49001d3cecba101f120e42bc01737e1c3f2b6e7d74dc02ae926acc0a98c633dc
Opcode Fuzzy Hash: a650207e0f22c0dab34d484b187b3416a56834689a880af8b29e274150be099b
Instruction Fuzzy Hash: 86220530A41616CBDF298B18D5987BD77A1EB41300F6CC46AD88B9B295EB30DD81EB70

Function 00D82405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 0791b6910bcd0a5bb327225e3a180e134b84a64c682d886e590ced32e82fd71e
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: DAC180372050A30ADF2D963A943503EBAE55EA27B131E075DE4B2CB5D4EF24D529D730

Function 00D8283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: c5172377cba2f0b69c2cccbfa4e1189c29fa45ca87f382f3eefbe4053f7cfc1d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 24C18E372051A30ADF2D563A843403EBAE55EA27B131E076DE4B2DB5C4EF24D529E730

Function 02F73660 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 3ac0ef1ad381a9df2b28ab6f6ade6ca1eaabea50edc0a6f489229ebd3ac7b528
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 1441B3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Function 02F734F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: eedbe949da27b7b194ab753a9241f75ed805ab539a9bf7bf9e7e97eb863254bc
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 8C019279E00109EFCB48DF98C5909AEF7B5FB48350F2085DAD909A7701D731AE41DB80

Function 02F73550 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 26417c2d1c628f6220b913c1a2021708cdb82cc78d4a62c39a540ea20046e163
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: D7018079E00109EFCB44DF98C5909AEFBB5FB88350F20869AD919A7701D730AE41DB80

Function 02F71ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537868093.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f70000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00DEA849 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00DEA89F
GetSysColorBrush.USER32(0000000F), ref: 00DEA8D0
GetSysColor.USER32(0000000F), ref: 00DEA8DC
SetBkColor.GDI32(?,000000FF), ref: 00DEA8F6
SelectObject.GDI32(?,?), ref: 00DEA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00DEA930
GetSysColor.USER32(00000010), ref: 00DEA938
CreateSolidBrush.GDI32(00000000), ref: 00DEA93F
FrameRect.USER32(?,?,00000000), ref: 00DEA94E
DeleteObject.GDI32(00000000), ref: 00DEA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00DEA9A0
FillRect.USER32(?,?,?), ref: 00DEA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00DEA9FD

Part of subcall function 00DEAB60: GetSysColor.USER32(00000012), ref: 00DEAB99
Part of subcall function 00DEAB60: SetTextColor.GDI32(?,?), ref: 00DEAB9D
Part of subcall function 00DEAB60: GetSysColorBrush.USER32(0000000F), ref: 00DEABB3
Part of subcall function 00DEAB60: GetSysColor.USER32(0000000F), ref: 00DEABBE
Part of subcall function 00DEAB60: GetSysColor.USER32(00000011), ref: 00DEABDB
Part of subcall function 00DEAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DEABE9
Part of subcall function 00DEAB60: SelectObject.GDI32(?,00000000), ref: 00DEABFA
Part of subcall function 00DEAB60: SetBkColor.GDI32(?,00000000), ref: 00DEAC03
Part of subcall function 00DEAB60: SelectObject.GDI32(?,?), ref: 00DEAC10
Part of subcall function 00DEAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00DEAC2F
Part of subcall function 00DEAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DEAC46
Part of subcall function 00DEAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00DEAC5B

Strings

@U=u, xrefs: 00DEAA4E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 5d01bf1da489e21fa89d88c2f087d86ced1cd9ef5acded8f5859748e1539c825
Instruction ID: 920ee9e64c0f33605ac21d2f89515f609ad10f681bd429b6bae205c35bb58463
Opcode Fuzzy Hash: 5d01bf1da489e21fa89d88c2f087d86ced1cd9ef5acded8f5859748e1539c825
Instruction Fuzzy Hash: 5EA18271008386AFD711AF65DC48A5F7BA9FF88321F144A29F562DA2E1D730D944CF62

Function 00DE37F3 Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00DEF910), ref: 00DE38AF
IsWindowVisible.USER32(?), ref: 00DE38D3

Strings

HIDEDROPDOWN, xrefs: 00DE3988
@U=u, xrefs: 00DE3B6B, 00DE3B92, 00DE3C1B
ISVISIBLE, xrefs: 00DE38BF
SHOWDROPDOWN, xrefs: 00DE3968
GETCURRENTCOL, xrefs: 00DE3BB0
GETLINECOUNT, xrefs: 00DE3B4E
GETSELECTED, xrefs: 00DE3B2B
ISCHECKED, xrefs: 00DE3AC1
TABRIGHT, xrefs: 00DE3925
TABLEFT, xrefs: 00DE390F
GETCURRENTSELECTION, xrefs: 00DE3A6B
DELSTRING, xrefs: 00DE39D1
SENDCOMMANDID, xrefs: 00DE3C62
ISENABLED, xrefs: 00DE38F3
GETCURRENTLINE, xrefs: 00DE3B75
UNCHECK, xrefs: 00DE3B0B
CURRENTTAB, xrefs: 00DE3945
FINDSTRING, xrefs: 00DE39FE
SELECTSTRING, xrefs: 00DE3A8E
SETCURRENTSELECTION, xrefs: 00DE3A3E
GETLINE, xrefs: 00DE3C23
EDITPASTE, xrefs: 00DE3BE7
ADDSTRING, xrefs: 00DE399E
CHECK, xrefs: 00DE3AF5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: 91441c6ae12af2bad46e1ac560a5861861b2c3bd72a59c5b438bde97e3eb9e12
Instruction ID: 0d58d08ee39843dadde5c6c4ebfffff9ce49750354f188e3a4d72f12183beece
Opcode Fuzzy Hash: 91441c6ae12af2bad46e1ac560a5861861b2c3bd72a59c5b438bde97e3eb9e12
Instruction Fuzzy Hash: 82D15130204345DBCB14FF21C455ABEBBA6EF94344F148458B8966B7A2DB31EE4ACB71

Function 00D62C18 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00D62CA2
DeleteObject.GDI32(00000000), ref: 00D62CE8
DeleteObject.GDI32(00000000), ref: 00D62CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00D62CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00D62D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D9C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D9C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D9CAED

Part of subcall function 00D61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D62036,?,00000000,?,?,?,?,00D616CB,00000000,?), ref: 00D61B9A

SendMessageW.USER32(?,00001053), ref: 00D9CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D9CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D9CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D9CB62

Strings

0, xrefs: 00D9C981
@U=u, xrefs: 00D9C68B, 00D9C792, 00D9CA6D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: ba2086ed63d99b74fef18378c33f605a953d0d550cd436935c91894718505350
Instruction ID: c41585e21661a508e241ad056d763f5ef1d40d469718caccb07251241b4b4866
Opcode Fuzzy Hash: ba2086ed63d99b74fef18378c33f605a953d0d550cd436935c91894718505350
Instruction Fuzzy Hash: C7129A30614641EFDB21DF24C888BA9BBE5FF45311F585569E889DB262C731E842CFB1

Function 00DD77BE Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00DD77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DD78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00DD78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00DD7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00DD7946
GetClientRect.USER32(00000000,?), ref: 00DD7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00DD7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DD79A5
GetStockObject.GDI32(00000011), ref: 00DD79B5
SelectObject.GDI32(00000000,00000000), ref: 00DD79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00DD79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DD79D2
DeleteDC.GDI32(00000000), ref: 00DD79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DD7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00DD7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00DD7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DD7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00DD7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00DD7AAE
GetStockObject.GDI32(00000011), ref: 00DD7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DD7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00DD7ACE

Strings

DISPLAY, xrefs: 00DD799B
static, xrefs: 00DD7990, 00DD7AA8
msctls_progress32, xrefs: 00DD7A4F
@U=u, xrefs: 00DD7A0D
AutoIt v3, xrefs: 00DD793E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: c61e19aead6115a21afe5a766abb8749900a2d18d88b57023ecff51a0656d596
Instruction ID: 0454f746292b9c16aa97523461d89ad09cecb421d0637193560270a21b4da533
Opcode Fuzzy Hash: c61e19aead6115a21afe5a766abb8749900a2d18d88b57023ecff51a0656d596
Instruction Fuzzy Hash: 01A17171A40209BFEB149BA4DC4AFAE7BB9EB44710F144615FA15EB2E0D770AD01CB70

Function 00DEAB60 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00DEAB99
SetTextColor.GDI32(?,?), ref: 00DEAB9D
GetSysColorBrush.USER32(0000000F), ref: 00DEABB3
GetSysColor.USER32(0000000F), ref: 00DEABBE
CreateSolidBrush.GDI32(?), ref: 00DEABC3
GetSysColor.USER32(00000011), ref: 00DEABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DEABE9
SelectObject.GDI32(?,00000000), ref: 00DEABFA
SetBkColor.GDI32(?,00000000), ref: 00DEAC03
SelectObject.GDI32(?,?), ref: 00DEAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00DEAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DEAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00DEAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DEACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00DEACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00DEACEC
DrawFocusRect.USER32(?,?), ref: 00DEACF7
GetSysColor.USER32(00000011), ref: 00DEAD05
SetTextColor.GDI32(?,00000000), ref: 00DEAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00DEAD21
SelectObject.GDI32(?,00DEA869), ref: 00DEAD38
DeleteObject.GDI32(?), ref: 00DEAD43
SelectObject.GDI32(?,?), ref: 00DEAD49
DeleteObject.GDI32(?), ref: 00DEAD4E
SetTextColor.GDI32(?,?), ref: 00DEAD54
SetBkColor.GDI32(?,?), ref: 00DEAD5E

Strings

@U=u, xrefs: 00DEACA7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 684f86c4f5ef292854dd110a6fe84191dcbe6113444c53ba39e6dbed2f4c8641
Instruction ID: 51fc94789a947741e0dc55e64bbf7d58a59ef0b2cf32983ffa4d283cc4b41473
Opcode Fuzzy Hash: 684f86c4f5ef292854dd110a6fe84191dcbe6113444c53ba39e6dbed2f4c8641
Instruction Fuzzy Hash: 96616171900259EFDF11AFA9DC88EAE7B79EF08320F244125F915EB2A1D6719D40DBA0

Function 00DCAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DCAF89
GetDriveTypeW.KERNEL32(?,00DEFAC0,?,\\.\,00DEF910), ref: 00DCB066
SetErrorMode.KERNEL32(00000000,00DEFAC0,?,\\.\,00DEF910), ref: 00DCB1C4

Strings

RAMDisk, xrefs: 00DCB090
\\.\, xrefs: 00DCAFDB
MMC, xrefs: 00DCB185
SATA, xrefs: 00DCB177
Unknown, xrefs: 00DCB086, 00DCB12A
Network, xrefs: 00DCB0A4
Virtual, xrefs: 00DCB18C
PhysicalDrive, xrefs: 00DCB012
SSD, xrefs: 00DCB0F1
FileBackedVirtual, xrefs: 00DCB193
ATA, xrefs: 00DCB13F
1394, xrefs: 00DCB146
iSCSI, xrefs: 00DCB169
SAS, xrefs: 00DCB170
SCSI, xrefs: 00DCB131
RAID, xrefs: 00DCB162
Fixed, xrefs: 00DCB0AE
ATAPI, xrefs: 00DCB138
SSA, xrefs: 00DCB14D
CDROM, xrefs: 00DCB09A
Removable, xrefs: 00DCB0B8
Fibre, xrefs: 00DCB154
USB, xrefs: 00DCB15B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c1e2b829562c0a5a690db430169a74e7f9d424c62078dffe2f31e63074d123d6
Instruction ID: 2c2692e3e54db3a39c54932ff66af7296b457cc27ed186a2e905e9525b16dfd6
Opcode Fuzzy Hash: c1e2b829562c0a5a690db430169a74e7f9d424c62078dffe2f31e63074d123d6
Instruction Fuzzy Hash: EE518330A813469B8B10DF10C9A3EB973B0EB15362F2C402FE446B7291C735DE829B72

Function 00D66A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D66A91
__wcsnicmp.LIBCMT ref: 00D66AA9
__wcsnicmp.LIBCMT ref: 00D66AC1
__wcsnicmp.LIBCMT ref: 00D66AD9
__wcsnicmp.LIBCMT ref: 00D66AF1
__wcsnicmp.LIBCMT ref: 00D66B09
__wcsnicmp.LIBCMT ref: 00D66B21
__wcsnicmp.LIBCMT ref: 00D66B35
__wcsnicmp.LIBCMT ref: 00D66B76
__wcsnicmp.LIBCMT ref: 00D66B8A
__wcsnicmp.LIBCMT ref: 00D66B9E
__wcsnicmp.LIBCMT ref: 00D66BB2

Strings

#ce, xrefs: 00D66BAC
#pragma compile, xrefs: 00D66A8B
#cs, xrefs: 00D66B2F, 00D66B84
#include, xrefs: 00D66B03
Bad directive syntax error, xrefs: 00D9E743
#OnAutoItStartRegister, xrefs: 00D66AD3
#comments-start, xrefs: 00D66B1B, 00D66B70
#comments-end, xrefs: 00D66B98
#requireadmin, xrefs: 00D66ABB
#notrayicon, xrefs: 00D66AA3
#include-once, xrefs: 00D66AEB
Cannot parse #include, xrefs: 00D9E819
Unterminated group of comments, xrefs: 00D9E82C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d6f42f2f78bfa174665a353baf7e38f78a09d499d64edb7fa83ac205b6b46a8e
Instruction ID: e7a3063f06616e3440e3926662f8c68ba7444ca0f251412a18ca13d1a828c9a2
Opcode Fuzzy Hash: d6f42f2f78bfa174665a353baf7e38f78a09d499d64edb7fa83ac205b6b46a8e
Instruction Fuzzy Hash: 2481F570640345FBCF24BBA4DD92FBE7768EF15700F084025FA45AA186EB60EA55C7B2

Function 00DE8C44 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DE8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DE8D45
CharNextW.USER32(0000014E), ref: 00DE8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DE8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DE8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DE8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00DE8DF9
SetWindowTextW.USER32(?,0000014E), ref: 00DE8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00DE8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DE8E8C
_memset.LIBCMT ref: 00DE8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00DE8EFA
_memset.LIBCMT ref: 00DE8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DE8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00DE8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00DE9088
InvalidateRect.USER32(?,00000000,00000001), ref: 00DE90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DE90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DE9121
DrawMenuBar.USER32(?), ref: 00DE9130
SetWindowTextW.USER32(?,0000014E), ref: 00DE9158

Strings

@U=u, xrefs: 00DE8D34, 00DE8D45, 00DE8D7A, 00DE8DF9, 00DE8E5B, 00DE8E8C, 00DE8EFA, 00DE8F83, 00DE8FDB, 00DE9088
0, xrefs: 00DE90C2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: 29bc1396227577bc57077ed4e85f0703a5250d4a047ce67ad2ab780cc0bd795d
Instruction ID: 2bfdf37cd21ade29d8cad6ce25174084baecfdaec7c8729f0861cfa4f3302c2b
Opcode Fuzzy Hash: 29bc1396227577bc57077ed4e85f0703a5250d4a047ce67ad2ab780cc0bd795d
Instruction Fuzzy Hash: D6E1A270901399AFDF20AF62CC84EEE7B79EF05710F148159F919AA290DB708A81DF71

Function 00DE4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DE4C51
GetDesktopWindow.USER32 ref: 00DE4C66
GetWindowRect.USER32(00000000), ref: 00DE4C6D
GetWindowLongW.USER32(?,000000F0), ref: 00DE4CCF
DestroyWindow.USER32(?), ref: 00DE4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DE4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DE4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00DE4D68
SendMessageW.USER32(?,00000421,?,?), ref: 00DE4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00DE4D90
IsWindowVisible.USER32(?), ref: 00DE4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00DE4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00DE4DDF
GetWindowRect.USER32(?,?), ref: 00DE4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00DE4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00DE4E37
CopyRect.USER32(?,?), ref: 00DE4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00DE4EB9

Strings

0, xrefs: 00DE4BFC
(, xrefs: 00DE4E2A
tooltips_class32, xrefs: 00DE4D1D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f63c4544e48c714566a354896d9f743bc2cd97b1fce0984c10841cd6b3490ae8
Instruction ID: 869ae11b666f8c29f74d346bdd858256eca12e3e9416f19f16616b6e75c74e89
Opcode Fuzzy Hash: f63c4544e48c714566a354896d9f743bc2cd97b1fce0984c10841cd6b3490ae8
Instruction Fuzzy Hash: B9B18C71604380AFDB04EF65C888B6ABBE4FF88714F04891DF5999B2A1D771EC05CBA1

Function 00DC46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00DC46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00DC470E
_wcscpy.LIBCMT ref: 00DC473C
_wcscmp.LIBCMT ref: 00DC4747
_wcscat.LIBCMT ref: 00DC475D
_wcsstr.LIBCMT ref: 00DC4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00DC4784
_wcscat.LIBCMT ref: 00DC47CD
_wcscat.LIBCMT ref: 00DC47D4
_wcsncpy.LIBCMT ref: 00DC47FF

Strings

DefaultLangCodepage, xrefs: 00DC47E7
StringFileInfo\, xrefs: 00DC4757
%u.%u.%u.%u, xrefs: 00DC4862
\VarFileInfo\Translation, xrefs: 00DC477C
04090000, xrefs: 00DC47BA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 893d55c6a07a9f009f37274a05c9f2766cd7e86d0c82ebbb98be2af5e00d3966
Instruction ID: cedc13ec6c3f44378ab015a0dd00d61bc6dcd6f345127fbee1e76f981839da02
Opcode Fuzzy Hash: 893d55c6a07a9f009f37274a05c9f2766cd7e86d0c82ebbb98be2af5e00d3966
Instruction Fuzzy Hash: B241D072A002117AEB20BB658C42FBF77ACDF41720F04416AF905A7182EB75AA0197B5

Function 00D627D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D628BC
GetSystemMetrics.USER32(00000007), ref: 00D628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D628EF
GetSystemMetrics.USER32(00000008), ref: 00D628F7
GetSystemMetrics.USER32(00000004), ref: 00D6291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D62939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D62949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D6297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D62990
GetClientRect.USER32(00000000,000000FF), ref: 00D629AE
GetStockObject.GDI32(00000011), ref: 00D629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D629D5

Part of subcall function 00D62344: GetCursorPos.USER32(?), ref: 00D62357
Part of subcall function 00D62344: ScreenToClient.USER32(00E267B0,?), ref: 00D62374
Part of subcall function 00D62344: GetAsyncKeyState.USER32(00000001), ref: 00D62399
Part of subcall function 00D62344: GetAsyncKeyState.USER32(00000002), ref: 00D623A7

SetTimer.USER32(00000000,00000000,00000028,00D61256), ref: 00D629FC

Strings

@U=u, xrefs: 00D629D5
AutoIt v3 GUI, xrefs: 00D62974

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: b9fbcf361620d26ffef6f3795d2b59c01989c839a529d9fb3b6189a6538714b7
Instruction ID: 65514c396254932764a84970ef6409e82ac027fa1ab8701a62cac4a630e4b366
Opcode Fuzzy Hash: b9fbcf361620d26ffef6f3795d2b59c01989c839a529d9fb3b6189a6538714b7
Instruction Fuzzy Hash: 6FB14E7160064ADFDB14DFA8DC85BAE7BB4FB48314F148229FA15E7290DB74D941CB60

Function 00DBC4C1 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00DBC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DBC4E6
SetWindowTextW.USER32(?,?), ref: 00DBC4FD
GetDlgItem.USER32(?,000003EA), ref: 00DBC512
SetWindowTextW.USER32(00000000,?), ref: 00DBC518
GetDlgItem.USER32(?,000003E9), ref: 00DBC528
SetWindowTextW.USER32(00000000,?), ref: 00DBC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DBC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DBC569
GetWindowRect.USER32(?,?), ref: 00DBC572
SetWindowTextW.USER32(?,?), ref: 00DBC5DD
GetDesktopWindow.USER32 ref: 00DBC5E3
GetWindowRect.USER32(00000000), ref: 00DBC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00DBC636
GetClientRect.USER32(?,?), ref: 00DBC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00DBC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DBC693

Strings

@U=u, xrefs: 00DBC4E6

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID: @U=u
API String ID: 3869813825-2594219639
Opcode ID: e363452601a569cc730bd6e493953eb5c2788462922b3af5acc44fe10f89524e
Instruction ID: f08427893a1d10e6b9bfc83f46dc433c36c6264fab127ad63b8036f5bfa456c2
Opcode Fuzzy Hash: e363452601a569cc730bd6e493953eb5c2788462922b3af5acc44fe10f89524e
Instruction Fuzzy Hash: 4D514071900709EFDB20AFA8DD85BAEBBF5FF04705F00452DE686A66A0D774B944CB60

Function 00DE4069 Relevance: 30.0, APIs: 3, Strings: 14, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DE40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DE41B6

Strings

@U=u, xrefs: 00DE41B6, 00DE41E8
DESELECT, xrefs: 00DE42A4
ISSELECTED, xrefs: 00DE41C1
GETSELECTED, xrefs: 00DE42E4
SELECTCLEAR, xrefs: 00DE4235
GETTEXT, xrefs: 00DE415F
GETSELECTEDCOUNT, xrefs: 00DE4199
FINDITEM, xrefs: 00DE4329
SELECT, xrefs: 00DE4250
SELECTALL, xrefs: 00DE421D
VIEWCHANGE, xrefs: 00DE4375
GETSUBITEMCOUNT, xrefs: 00DE4141
SELECTINVERT, xrefs: 00DE4286
GETITEMCOUNT, xrefs: 00DE4128

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-1753161424
Opcode ID: 75023ef0debe3ed48e6439f8e77d0cc548755b46909e606057926ade5361eb9c
Instruction ID: 40d34583524b6f4b397ae0ba059b8271c6a42020aaef9163fc411b82304418d4
Opcode Fuzzy Hash: 75023ef0debe3ed48e6439f8e77d0cc548755b46909e606057926ade5361eb9c
Instruction Fuzzy Hash: 11A16F302543819BCB14FF21C962A6AB7EAFF94314F14496CB8969B792DB30EC05CB71

Function 00DEC8EE Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

DragQueryPoint.SHELL32(?,?), ref: 00DEC917

Part of subcall function 00DEADF1: ClientToScreen.USER32(?,?), ref: 00DEAE1A
Part of subcall function 00DEADF1: GetWindowRect.USER32(?,?), ref: 00DEAE90
Part of subcall function 00DEADF1: PtInRect.USER32(?,?,00DEC304), ref: 00DEAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00DEC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DEC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DEC9AE
_wcscat.LIBCMT ref: 00DEC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DEC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00DECA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00DECA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00DECA47
DragFinish.SHELL32(?), ref: 00DECA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00DECB41

Strings

@U=u, xrefs: 00DEC980, 00DEC9F5, 00DECA0E, 00DECA25, 00DECA47
@GUI_DRAGFILE, xrefs: 00DECAF0
@GUI_DRAGID, xrefs: 00DECAB9
pr, xrefs: 00DECA8B
@GUI_DROPID, xrefs: 00DECA6E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u$pr
API String ID: 169749273-182758532
Opcode ID: 3457cfe21ddd1fa10e3d32946226949a47a7f592d2c312579cddb798f37897d2
Instruction ID: b383c5cbfe02ecaf5460c12c22d0692d36d29c19677f1eef34be6fe5abc851c8
Opcode Fuzzy Hash: 3457cfe21ddd1fa10e3d32946226949a47a7f592d2c312579cddb798f37897d2
Instruction Fuzzy Hash: 17615B71108381AFC711EF65DC85D9FBBE8EF88710F040A2EF595962A1DB709A49CB72

Function 00DD52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00DD5309
LoadCursorW.USER32(00000000,00007F8A), ref: 00DD5314
LoadCursorW.USER32(00000000,00007F00), ref: 00DD531F
LoadCursorW.USER32(00000000,00007F03), ref: 00DD532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00DD5335
LoadCursorW.USER32(00000000,00007F01), ref: 00DD5340
LoadCursorW.USER32(00000000,00007F81), ref: 00DD534B
LoadCursorW.USER32(00000000,00007F88), ref: 00DD5356
LoadCursorW.USER32(00000000,00007F80), ref: 00DD5361
LoadCursorW.USER32(00000000,00007F86), ref: 00DD536C
LoadCursorW.USER32(00000000,00007F83), ref: 00DD5377
LoadCursorW.USER32(00000000,00007F85), ref: 00DD5382
LoadCursorW.USER32(00000000,00007F82), ref: 00DD538D
LoadCursorW.USER32(00000000,00007F84), ref: 00DD5398
LoadCursorW.USER32(00000000,00007F04), ref: 00DD53A3
LoadCursorW.USER32(00000000,00007F02), ref: 00DD53AE
GetCursorInfo.USER32(?), ref: 00DD53BE
GetLastError.KERNEL32(00000001,00000000), ref: 00DD53E9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2f7e59437ed6f68eb73b69f365320194f9ae3b365b184306a613c4b1964964e1
Instruction ID: b93ce746bc5b08e952075638ffa868a37321b52aca86d57ed9a0224c7b2f1fb6
Opcode Fuzzy Hash: 2f7e59437ed6f68eb73b69f365320194f9ae3b365b184306a613c4b1964964e1
Instruction Fuzzy Hash: 1E418270E44319AADB109FBA9C49C6FFFF8EF51B10B10452FE509E7290DAB8A400CE61

Function 00DBAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DBAAA5
__swprintf.LIBCMT ref: 00DBAB46
_wcscmp.LIBCMT ref: 00DBAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DBABAE
_wcscmp.LIBCMT ref: 00DBABEA
GetClassNameW.USER32(?,?,00000400), ref: 00DBAC21
GetDlgCtrlID.USER32(?), ref: 00DBAC73
GetWindowRect.USER32(?,?), ref: 00DBACA9
GetParent.USER32(?), ref: 00DBACC7
ScreenToClient.USER32(00000000), ref: 00DBACCE
GetClassNameW.USER32(?,?,00000100), ref: 00DBAD48
_wcscmp.LIBCMT ref: 00DBAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00DBAD82
_wcscmp.LIBCMT ref: 00DBAD96

Part of subcall function 00D8386C: _iswctype.LIBCMT ref: 00D83874

Strings

%s%u, xrefs: 00DBAB40

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: f40278bdb7cbbed4df252844fc955ccd0d5c03d14bece4f7eade19611416f313
Instruction ID: 28deacea8b4301e401d183264cca2947183c1aea6d5a53851a7f889f64b29ad9
Opcode Fuzzy Hash: f40278bdb7cbbed4df252844fc955ccd0d5c03d14bece4f7eade19611416f313
Instruction Fuzzy Hash: C3A1AF71204346EBD714DF28C884BEAB7E8FF04315F144629F9AAD2191EB30E955CBB2

Function 00DBB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00DBB3DB
_wcscmp.LIBCMT ref: 00DBB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00DBB414
CharUpperBuffW.USER32(?,00000000), ref: 00DBB431
_wcscmp.LIBCMT ref: 00DBB44F
_wcsstr.LIBCMT ref: 00DBB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00DBB498
_wcscmp.LIBCMT ref: 00DBB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00DBB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00DBB518
_wcscmp.LIBCMT ref: 00DBB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00DBB550
GetWindowRect.USER32(00000004,?), ref: 00DBB5B9

Strings

ThumbnailClass, xrefs: 00DBB4A3, 00DBB523
@, xrefs: 00DBB3BC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 3a5881959032e267c884fda1414fe03ca2c9a0ee75cc2aae34a1556e0ce3f4cc
Instruction ID: 9a125e21c3adda29fbbab6160970f5513abb3b296749a19548d54f966cdd0b67
Opcode Fuzzy Hash: 3a5881959032e267c884fda1414fe03ca2c9a0ee75cc2aae34a1556e0ce3f4cc
Instruction Fuzzy Hash: E8818B71008345DBDB10DF10C885FAA7BE8EF44728F08856AED8A9A192DBB0DE45CB71

Function 00DEA428 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DEA4C8
DestroyWindow.USER32(?,?), ref: 00DEA542

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DEA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DEA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DEA5F1
DestroyWindow.USER32(00000000), ref: 00DEA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D60000,00000000), ref: 00DEA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DEA663
GetDesktopWindow.USER32 ref: 00DEA67C
GetWindowRect.USER32(00000000), ref: 00DEA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DEA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DEA6B3

Part of subcall function 00D625DB: GetWindowLongW.USER32(?,000000EB), ref: 00D625EC

Strings

@U=u, xrefs: 00DEA5DE, 00DEA5F1, 00DEA663, 00DEA68D
0, xrefs: 00DEA4DE
tooltips_class32, xrefs: 00DEA5B5, 00DEA643

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: af9c9f52dec3b683fadcafd50566b95f6fc91b3580fbe98d142ce6f9e9dee53e
Instruction ID: ead289d522273ad7118c1d2ecd8e91ee612a28c7d0e82b2164c13185017b7dc6
Opcode Fuzzy Hash: af9c9f52dec3b683fadcafd50566b95f6fc91b3580fbe98d142ce6f9e9dee53e
Instruction Fuzzy Hash: 1B71AF71140786AFD724EF29CC49F6677E5FB89304F08492DF985972A0D770E946CB22

Function 00DBB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DBB23F

Strings

[CLASS:, xrefs: 00DBB28F
ALL, xrefs: 00DBB2D3
[ALL, xrefs: 00DBB2E5
[LAST, xrefs: 00DBB2EC
CLASSNAME=, xrefs: 00DBB27C
REGEXP=, xrefs: 00DBB254
[ACTIVE, xrefs: 00DBB22C
HANDLE=, xrefs: 00DBB238
[REGEXPTITLE:, xrefs: 00DBB267
[HANDLE:, xrefs: 00DBB24B
LAST, xrefs: 00DBB204
ACTIVE, xrefs: 00DBB21A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 82e8138c3eae0860d161ab92404c7a9ab67153b64a2054ac3ed7e5c90ba47b2b
Instruction ID: 270a848142ac679b34fe0f87c9018b87e909d0cd5bcb08ac5e9e3ee5a838cc72
Opcode Fuzzy Hash: 82e8138c3eae0860d161ab92404c7a9ab67153b64a2054ac3ed7e5c90ba47b2b
Instruction Fuzzy Hash: DE31B231A44309EBDB14FA60CD63EEE77A4DF10B60F60012AF446710D6EFA1AE44C675

Function 00DE4619 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DE46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DE46F6

Strings

SELECT, xrefs: 00DE48A7
@U=u, xrefs: 00DE46F6
EXISTS, xrefs: 00DE475F
EXPAND, xrefs: 00DE47A8
UNCHECK, xrefs: 00DE48D2
GETSELECTED, xrefs: 00DE4806
ISCHECKED, xrefs: 00DE4879
GETITEMCOUNT, xrefs: 00DE47D8
GETTEXT, xrefs: 00DE4849
GETTOTALCOUNT, xrefs: 00DE46DD
CHECK, xrefs: 00DE4716
COLLAPSE, xrefs: 00DE473C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 948662b087976bb4744e6319d290d7bda1f9c1e2707eb6763f5731857902b2ce
Instruction ID: 0d0c4888b3229c51cef6ec818c658fdd47c7f4e3b2b4b062b5407947f837b8ce
Opcode Fuzzy Hash: 948662b087976bb4744e6319d290d7bda1f9c1e2707eb6763f5731857902b2ce
Instruction Fuzzy Hash: 869160342043419FCB14FF21C461AAABBA6EF94314F04845DF8966B7A2DB30ED49CBB1

Function 00DEBAB8 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DEBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00DE6D80,?), ref: 00DEBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DEBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00DEBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DEBC7D
FreeLibrary.KERNEL32(?), ref: 00DEBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DEBC99
DestroyIcon.USER32(?), ref: 00DEBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DEBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DEBCD1

Part of subcall function 00D8313D: __wcsicmp_l.LIBCMT ref: 00D831C6

Strings

.dll, xrefs: 00DEBB27
.icl, xrefs: 00DEBAE4
@U=u, xrefs: 00DEBCB1
.exe, xrefs: 00DEBB04

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 934933695f4d0a13d30e8e49902c5f2c9fb25ae57534042561cfac3dce2b5222
Instruction ID: 6d83fa9638f5cb3a3ad64e32551f0c9f86ddcae1c598fb7ce223ef2dcc5d4feb
Opcode Fuzzy Hash: 934933695f4d0a13d30e8e49902c5f2c9fb25ae57534042561cfac3dce2b5222
Instruction Fuzzy Hash: EC61A171500755BAEB14EF75CC85FBB77A8EB08B20F204616F915DA1D0DB74AA90CBB0

Function 00DCA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

CharLowerBuffW.USER32(?,?), ref: 00DCA636
GetDriveTypeW.KERNEL32 ref: 00DCA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DCA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DCA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DCA730

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

Strings

close, xrefs: 00DCA63C
wait, xrefs: 00DCA6ED
open , xrefs: 00DCA692
type cdaudio alias cd wait, xrefs: 00DCA6AE
close cd wait, xrefs: 00DCA71B
set cd door , xrefs: 00DCA6D1
open, xrefs: 00DCA65D
closed, xrefs: 00DCA64A, 00DCA653

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 51d756a7bdd195affd6bfb297ac3ae2abef7f8c3356dc480bab644d76908e1f3
Instruction ID: dc93867f1afa92d90269ef62e7b816ca7b099057795f9ce07c25d77c0990ce36
Opcode Fuzzy Hash: 51d756a7bdd195affd6bfb297ac3ae2abef7f8c3356dc480bab644d76908e1f3
Instruction Fuzzy Hash: FA512A711043099FC700EF24C89196AB7F8FF94718F18496DF896972A1DB31EE0ACB62

Function 00DCA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DCA47A
__swprintf.LIBCMT ref: 00DCA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DCA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DCA4FE
_memset.LIBCMT ref: 00DCA51D
_wcsncpy.LIBCMT ref: 00DCA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DCA58E
CloseHandle.KERNEL32(00000000), ref: 00DCA599
RemoveDirectoryW.KERNEL32(?), ref: 00DCA5A2
CloseHandle.KERNEL32(00000000), ref: 00DCA5AC

Strings

:, xrefs: 00DCA4BD
\??\%s, xrefs: 00DCA496
\, xrefs: 00DCA4B2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7c76d9113dc9870a4071629c4cf2a5556d1b0e9198a473d94fa204e767476cbb
Instruction ID: 40307dccf7b12b5007e635cac437abc3e0641ad8720fa29ad12bb5c2125bac39
Opcode Fuzzy Hash: 7c76d9113dc9870a4071629c4cf2a5556d1b0e9198a473d94fa204e767476cbb
Instruction Fuzzy Hash: 3B31807590024AABDB21AFA4DC89FEB73BCEF88705F1441BAFA08D6150E77097458B35

Function 00DEC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DEC4EC
GetFocus.USER32 ref: 00DEC4FC
GetDlgCtrlID.USER32(00000000), ref: 00DEC507
_memset.LIBCMT ref: 00DEC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00DEC65D
GetMenuItemCount.USER32(?), ref: 00DEC67D
GetMenuItemID.USER32(?,00000000), ref: 00DEC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00DEC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00DEC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DEC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00DEC779

Strings

0, xrefs: 00DEC62A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: bd73a02fec33ac2a104e6087ec3c23afea20d57dcc4c7cdb60369d8c66723116
Instruction ID: 1d9abcd0f9c86f867bcbe02e1f0a1f9d775da08f679ea65f43926718d22f4729
Opcode Fuzzy Hash: bd73a02fec33ac2a104e6087ec3c23afea20d57dcc4c7cdb60369d8c66723116
Instruction Fuzzy Hash: 228190702183819FD720EF15C884A6BBBE4FB88314F04552DF99597291D770D906CFB2

Function 00DB83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DB8766
Part of subcall function 00DB874A: GetLastError.KERNEL32(?,00DB822A,?,?,?), ref: 00DB8770
Part of subcall function 00DB874A: GetProcessHeap.KERNEL32(00000008,?,?,00DB822A,?,?,?), ref: 00DB877F
Part of subcall function 00DB874A: HeapAlloc.KERNEL32(00000000,?,00DB822A,?,?,?), ref: 00DB8786
Part of subcall function 00DB874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DB879D

Part of subcall function 00DB87E7: GetProcessHeap.KERNEL32(00000008,00DB8240,00000000,00000000,?,00DB8240,?), ref: 00DB87F3
Part of subcall function 00DB87E7: HeapAlloc.KERNEL32(00000000,?,00DB8240,?), ref: 00DB87FA
Part of subcall function 00DB87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DB8240,?), ref: 00DB880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DB8458
_memset.LIBCMT ref: 00DB846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DB848C
GetLengthSid.ADVAPI32(?), ref: 00DB849D
GetAce.ADVAPI32(?,00000000,?), ref: 00DB84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DB84F6
GetLengthSid.ADVAPI32(?), ref: 00DB8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DB8522
HeapAlloc.KERNEL32(00000000), ref: 00DB8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DB854A
CopySid.ADVAPI32(00000000), ref: 00DB8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DB8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DB85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DB85BC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7f1a4dfe66e2ba8e484290e25efab0b0f2228b4ae4654cf5a6385ad3310d0c22
Instruction ID: 4cf84cce321bba1c0d4f0abd150b1401a76062b7e405c8618e7c3e4ef5af5ae1
Opcode Fuzzy Hash: 7f1a4dfe66e2ba8e484290e25efab0b0f2228b4ae4654cf5a6385ad3310d0c22
Instruction Fuzzy Hash: 80611871900209EBDF10AFA4DC85AEEBBB9FF04314F148169E916EB291DB319A05DF70

Function 00DD762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DD76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00DD76AE
CreateCompatibleDC.GDI32(?), ref: 00DD76BA
SelectObject.GDI32(00000000,?), ref: 00DD76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00DD771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00DD7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00DD777B
SelectObject.GDI32(00000006,?), ref: 00DD7783
DeleteObject.GDI32(?), ref: 00DD778C
DeleteDC.GDI32(00000006), ref: 00DD7793
ReleaseDC.USER32(00000000,?), ref: 00DD779E

Strings

(, xrefs: 00DD7723

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 10d8ec26e79f6952b59eacf198f5d12184fec44b408bc3d0b0022a42bfe21d53
Instruction ID: b125d972d5cf9d06ea94a23ef5ffebe05230d35c13d1da83655015b3f90ef39f
Opcode Fuzzy Hash: 10d8ec26e79f6952b59eacf198f5d12184fec44b408bc3d0b0022a42bfe21d53
Instruction Fuzzy Hash: 3C513875904349EFCB15DFA8CC85EAEBBB9EF48710F14856EF94997310E731A9408B60

Function 00DCA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00DEFB78), ref: 00DCA0FC

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00DCA11E
__swprintf.LIBCMT ref: 00DCA177
__swprintf.LIBCMT ref: 00DCA190
_wprintf.LIBCMT ref: 00DCA246
_wprintf.LIBCMT ref: 00DCA264

Strings

Line %d (File "%s"):, xrefs: 00DCA171, 00DCA18A
"%s" (%d) : ==> %s:%s%s, xrefs: 00DCA241
^ ERROR, xrefs: 00DCA1E8
"%s" (%d) : ==> %s:, xrefs: 00DCA25F
Error: , xrefs: 00DCA20E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 8bd87ea24926569b655840a72e5b2b42dca535f63f1295f29c58c85d28676f5d
Instruction ID: 1ffce856c6b68d43e4a4fca78d459289696ae682466ab4938b49e242f82df407
Opcode Fuzzy Hash: 8bd87ea24926569b655840a72e5b2b42dca535f63f1295f29c58c85d28676f5d
Instruction Fuzzy Hash: 1C513B3290021EABCF15EBE4CD86EEEB779EF04308F140265B505720A2EA316E59CB71

Function 00DC5217 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00DC521C

Part of subcall function 00D80719: timeGetTime.WINMM(?,753DB400,00D70FF9), ref: 00D8071D

Sleep.KERNEL32(0000000A), ref: 00DC5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00DC526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DC528E
SetActiveWindow.USER32 ref: 00DC52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DC52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00DC52DA
Sleep.KERNEL32(000000FA), ref: 00DC52E5
IsWindow.USER32 ref: 00DC52F1
EndDialog.USER32(00000000), ref: 00DC5302

Strings

@U=u, xrefs: 00DC52BB, 00DC52DA
BUTTON, xrefs: 00DC5280

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 0587a33c4a6cebdf222c501a5a646d7308fa59b9f1c5ec4ab34d1993744ff53d
Instruction ID: c66f4d0339befc77d7597ebde57a6dedd992f9606b6d8c999ff146b519332ac8
Opcode Fuzzy Hash: 0587a33c4a6cebdf222c501a5a646d7308fa59b9f1c5ec4ab34d1993744ff53d
Instruction Fuzzy Hash: 7721A771144746AFE7106B21FCC8F25BBAAEB55346F08142CF441D62B1CB71AD859B31

Function 00D66BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00D80B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D66C6C,?,00008000), ref: 00D80BB7

Part of subcall function 00D648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D648A1,?,?,00D637C0,?), ref: 00D648CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D66D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00D66E5A

Part of subcall function 00D659CD: _wcscpy.LIBCMT ref: 00D65A05

Part of subcall function 00D8387D: _iswctype.LIBCMT ref: 00D83885

Strings

Bad directive syntax error, xrefs: 00D9EBC6
Unterminated string, xrefs: 00D9EC0D
Error opening the file, xrefs: 00D9E866, 00D9E8E1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00D9E84A
AU3!, xrefs: 00D66CC1
EA06, xrefs: 00D9E87B
>>>AUTOIT SCRIPT<<<, xrefs: 00D9E8BF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 633af7fb79a683543711c7ff827ed57de1654f6409fe2f7d2d8693be5291dbec
Instruction ID: 0faff159e63f6c1197cc29c07dffd0f9144bccab9191d7f6ef29a95ed69a3967
Opcode Fuzzy Hash: 633af7fb79a683543711c7ff827ed57de1654f6409fe2f7d2d8693be5291dbec
Instruction Fuzzy Hash: C50258711083419FCB24EF24C891AAFBBE5EF99314F04491DF496972A2DB31D989CB72

Function 00D645DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D645F9
GetMenuItemCount.USER32(00E26890), ref: 00D9D7CD
GetMenuItemCount.USER32(00E26890), ref: 00D9D87D
GetCursorPos.USER32(?), ref: 00D9D8C1
SetForegroundWindow.USER32(00000000), ref: 00D9D8CA
TrackPopupMenuEx.USER32(00E26890,00000000,?,00000000,00000000,00000000), ref: 00D9D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D9D8E9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 9618d1e2d9ff7534c5c179ce9f40052c10e13a8fc300af38b67a2b26270c29d6
Instruction ID: 25aeee2d6e8e366ec36a0280e1ebd41ded37ed8206e4d7f81b1c5c6a8deb241e
Opcode Fuzzy Hash: 9618d1e2d9ff7534c5c179ce9f40052c10e13a8fc300af38b67a2b26270c29d6
Instruction Fuzzy Hash: ED71D470640245BFEF219FA4DC89FAABF66FF05364F240216F515AA1E1C7B1A810DBB0

Function 00DEC27C Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

Part of subcall function 00D62344: GetCursorPos.USER32(?), ref: 00D62357
Part of subcall function 00D62344: ScreenToClient.USER32(00E267B0,?), ref: 00D62374
Part of subcall function 00D62344: GetAsyncKeyState.USER32(00000001), ref: 00D62399
Part of subcall function 00D62344: GetAsyncKeyState.USER32(00000002), ref: 00D623A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00DEC2E4
ImageList_EndDrag.COMCTL32 ref: 00DEC2EA
ReleaseCapture.USER32 ref: 00DEC2F0
SetWindowTextW.USER32(?,00000000), ref: 00DEC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00DEC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00DEC48F

Strings

@U=u, xrefs: 00DEC3AD
@GUI_DRAGFILE, xrefs: 00DEC424
pr, xrefs: 00DEC3FD
pr, xrefs: 00DEC438
@GUI_DROPID, xrefs: 00DEC3E1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u$pr$pr
API String ID: 1924731296-1447258140
Opcode ID: 541feb461eb37e649db616645be021108bd07cc9dcadbc127a550fd0a977f56b
Instruction ID: a5cc3759dd1c21e9281b4cbc209b3758d53d8305f54ed0aefe6c864251f9ff61
Opcode Fuzzy Hash: 541feb461eb37e649db616645be021108bd07cc9dcadbc127a550fd0a977f56b
Instruction Fuzzy Hash: 3751AD70204384AFD714EF25DC96F6A7BE5EB88310F044A2DF5959B2E1DB30A949CB72

Function 00DE10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DE0038,?,?), ref: 00DE10BC

Strings

HKEY_CLASSES_ROOT, xrefs: 00DE114F
HKCC, xrefs: 00DE118A
HKEY_LOCAL_MACHINE, xrefs: 00DE1125
HKLM, xrefs: 00DE113A
HKEY_USERS, xrefs: 00DE11BD
HKEY_CURRENT_CONFIG, xrefs: 00DE1179
HKU, xrefs: 00DE11CE
HKCU, xrefs: 00DE11AC
HKEY_CURRENT_USER, xrefs: 00DE119B
HKCR, xrefs: 00DE1164

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: b84adecf500e360f89fc96f9c4e570d4ae8b46588da2aade58b0298481e28b2b
Instruction ID: ac8a151d78e1120fb2a42012eebf62fd678082dbd6dac58f7a0f6cbde905a0ad
Opcode Fuzzy Hash: b84adecf500e360f89fc96f9c4e570d4ae8b46588da2aade58b0298481e28b2b
Instruction Fuzzy Hash: EB41353435028E9BCF10FF91DC92AEE3B29EF55300F544454ED916B692DB30A99ACBB0

Function 00DE772A Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00DE77CD
CreateCompatibleDC.GDI32(00000000), ref: 00DE77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00DE77E7
SelectObject.GDI32(00000000,00000000), ref: 00DE77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00DE77FA
DeleteDC.GDI32(00000000), ref: 00DE7803
GetWindowLongW.USER32(?,000000EC), ref: 00DE780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00DE7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00DE782D

Strings

static, xrefs: 00DE7765
@U=u, xrefs: 00DE77E7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 8c2846c5dd6f9ee96322bb5afca453f2b667d29f30f8eb1aa71ee4ed029fe72b
Instruction ID: c699014577d58ce932fe4f402ed865e62a5caf712d0cb6d0dd65808c1d0d23c7
Opcode Fuzzy Hash: 8c2846c5dd6f9ee96322bb5afca453f2b667d29f30f8eb1aa71ee4ed029fe72b
Instruction Fuzzy Hash: 45318C31105295BBDF12AF65DC88FDA3B69EF09320F150225FA55E62A0C731D811DBB4

Function 00DC5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

Part of subcall function 00D67A84: _memmove.LIBCMT ref: 00D67B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DC55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DC55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DC55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DC560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DC561C

Strings

open , xrefs: 00DC5581
alias PlayMe, xrefs: 00DC55AB
play PlayMe wait, xrefs: 00DC5606
close PlayMe, xrefs: 00DC55E3, 00DC5610
play PlayMe, xrefs: 00DC5617
status PlayMe mode, xrefs: 00DC55CD

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 100be22d59cf4fa2def8f8fab5597971832968ebb9476f6c5831e61f2f30644d
Instruction ID: 9a584bb06f525142fafa138db6f1f69c1d53afb3e2454fc41011d75b93f4f39e
Opcode Fuzzy Hash: 100be22d59cf4fa2def8f8fab5597971832968ebb9476f6c5831e61f2f30644d
Instruction Fuzzy Hash: 6511B63099125E7AD720F6A1DC49EFFBB7CEF91B04F440429B415A30D6DE601D85C5B1

Function 00DC48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DC490E
gethostname.WSOCK32(?,00000100), ref: 00DC4928
gethostbyname.WSOCK32(?), ref: 00DC4935
_wcscpy.LIBCMT ref: 00DC495D
_memmove.LIBCMT ref: 00DC4970
inet_ntoa.WSOCK32(?), ref: 00DC497B
_strcat.LIBCMT ref: 00DC4989
_wcscpy.LIBCMT ref: 00DC49A0
WSACleanup.WSOCK32 ref: 00DC49AE
_wcscpy.LIBCMT ref: 00DC49BC

Strings

0.0.0.0, xrefs: 00DC4957

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d37a50710777e887072876cfe1aa37152fe2c659dc65f0d6287df24225195857
Instruction ID: 28c776739835ac3291c83a66eb60355959798c5d12cc7aacce980e8597b99302
Opcode Fuzzy Hash: d37a50710777e887072876cfe1aa37152fe2c659dc65f0d6287df24225195857
Instruction Fuzzy Hash: E511C371904226ABCB20BB649C86FEE77ACDF40710F1401BDF544D7191EF709A818B71

Function 00DCD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

CoInitialize.OLE32(00000000), ref: 00DCD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DCD8E8
SHGetDesktopFolder.SHELL32(?), ref: 00DCD8FC
CoCreateInstance.OLE32(00DF2D7C,00000000,00000001,00E1A89C,?), ref: 00DCD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DCD9B7
CoTaskMemFree.OLE32(?,?), ref: 00DCDA0F
_memset.LIBCMT ref: 00DCDA4C
SHBrowseForFolderW.SHELL32(?), ref: 00DCDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DCDAAB
CoTaskMemFree.OLE32(00000000), ref: 00DCDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00DCDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00DCDAEB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 76c3c0ff3fb68ec98588f3a2f5fd990c23dacf063197ba16104299685db67028
Instruction ID: 5096cfb6a25b075836d94815033b694cd6b68f18d7f0c6619109e35c69b36183
Opcode Fuzzy Hash: 76c3c0ff3fb68ec98588f3a2f5fd990c23dacf063197ba16104299685db67028
Instruction Fuzzy Hash: B9B1EC75A00209AFDB04DF65CC98EAEBBF9EF48314B148469F509EB251DB30ED45CB60

Function 00DC052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DC05A7
SetKeyboardState.USER32(?), ref: 00DC0612
GetAsyncKeyState.USER32(000000A0), ref: 00DC0632
GetKeyState.USER32(000000A0), ref: 00DC0649
GetAsyncKeyState.USER32(000000A1), ref: 00DC0678
GetKeyState.USER32(000000A1), ref: 00DC0689
GetAsyncKeyState.USER32(00000011), ref: 00DC06B5
GetKeyState.USER32(00000011), ref: 00DC06C3
GetAsyncKeyState.USER32(00000012), ref: 00DC06EC
GetKeyState.USER32(00000012), ref: 00DC06FA
GetAsyncKeyState.USER32(0000005B), ref: 00DC0723
GetKeyState.USER32(0000005B), ref: 00DC0731

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7637d625bee832bad3e8184dccfdd5f2cd3d6ddadff5e94532faaa48727049d3
Instruction ID: f154d2da9fa280733755609dfb77f270935c5839a6845d609e9b317b6ce01f9f
Opcode Fuzzy Hash: 7637d625bee832bad3e8184dccfdd5f2cd3d6ddadff5e94532faaa48727049d3
Instruction Fuzzy Hash: CD51E920A0879A6AFB35DBA08454FEABFB49F12380F0C459DD5C25B1C2DA649B4CCF71

Function 00DBC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00DBC746
GetWindowRect.USER32(00000000,?), ref: 00DBC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00DBC7B6
GetDlgItem.USER32(?,00000002), ref: 00DBC7C1
GetWindowRect.USER32(00000000,?), ref: 00DBC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00DBC827
GetDlgItem.USER32(?,000003E9), ref: 00DBC835
GetWindowRect.USER32(00000000,?), ref: 00DBC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00DBC889
GetDlgItem.USER32(?,000003EA), ref: 00DBC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DBC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00DBC8C1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: dcdfad36d5b5eb9f349556d17e205a4d18e5ef0edfe016d87d05b9db14f3a635
Instruction ID: 1411e70f183550562fb3fed2948c7f9b6e105c921c0e0a084f627f4991c06462
Opcode Fuzzy Hash: dcdfad36d5b5eb9f349556d17e205a4d18e5ef0edfe016d87d05b9db14f3a635
Instruction Fuzzy Hash: 54514075B10205AFDB18DF69DD89AAEBBBAFB88311F14812DF51AD7290D7709D008B60

Function 00D6201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D62036,?,00000000,?,?,?,?,00D616CB,00000000,?), ref: 00D61B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D620D3
KillTimer.USER32(-00000001,?,?,?,?,00D616CB,00000000,?,?,00D61AE2,?,?), ref: 00D6216E
DestroyAcceleratorTable.USER32(00000000), ref: 00D9BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D616CB,00000000,?,?,00D61AE2,?,?), ref: 00D9BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D616CB,00000000,?,?,00D61AE2,?,?), ref: 00D9BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D616CB,00000000,?,?,00D61AE2,?,?), ref: 00D9BF5A
DeleteObject.GDI32(00000000), ref: 00D9BF6C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: af2e41fce5e790b33f15fa743efec74e93bfcd5435ea2321c4607038a4f83bac
Instruction ID: 48b4b17a7fd7230f03ebdb61f72653e03eaa175bdeff7c9efb9c0b64faad52e9
Opcode Fuzzy Hash: af2e41fce5e790b33f15fa743efec74e93bfcd5435ea2321c4607038a4f83bac
Instruction Fuzzy Hash: 91616A31104B90DFCB39AF15ED88B39B7B1FF40312F184629E582AAA60C775A895DF70

Function 00D621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00D625DB: GetWindowLongW.USER32(?,000000EB), ref: 00D625EC

GetSysColor.USER32(0000000F), ref: 00D621D3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 785d649107d964f254886b9aaab122489bcb88ba31e55539f5c1e651f1452eb5
Instruction ID: 0e56aa6c882ac05f593745357ee6c4417e0e8568c8713606917932e502c367c1
Opcode Fuzzy Hash: 785d649107d964f254886b9aaab122489bcb88ba31e55539f5c1e651f1452eb5
Instruction Fuzzy Hash: 5641A331000A849FDB25AF68DC98BB93765EB0A331F188265FD65DE2E6C7318D42DB35

Function 00DCAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00DEF910), ref: 00DCAB76
GetDriveTypeW.KERNEL32(00000061,00E1A620,00000061), ref: 00DCAC40
_wcscpy.LIBCMT ref: 00DCAC6A

Strings

network, xrefs: 00DCABD4
unknown, xrefs: 00DCAC01
all, xrefs: 00DCAB7C
fixed, xrefs: 00DCABBE
removable, xrefs: 00DCABA8
cdrom, xrefs: 00DCAB92
ramdisk, xrefs: 00DCABEA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 80ae7393d7c4ca061b78f26f7ca6a8bccc239ceaa3aa1ad82f75ab1d4187fb8f
Instruction ID: 4585288f89e8f7923d736c5ba89bd964f7001bcfef55bb816b9048056e46fccd
Opcode Fuzzy Hash: 80ae7393d7c4ca061b78f26f7ca6a8bccc239ceaa3aa1ad82f75ab1d4187fb8f
Instruction Fuzzy Hash: 455184351083069BC710EF18C991EAEB7AAEF84714F54482DF496572A2DB31ED49CB73

Function 00DE88B4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00DE896E

Strings

@U=u, xrefs: 00DE89A4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 19df19926ad371367a95fd5cd6c9aa31f4ca1194b3e591a4a31231b8e4e04fe7
Instruction ID: f5cff812b8de31a29a8c12c37722a0e06aede0b1baaa680a6f68de97be8e66ed
Opcode Fuzzy Hash: 19df19926ad371367a95fd5cd6c9aa31f4ca1194b3e591a4a31231b8e4e04fe7
Instruction Fuzzy Hash: 3651A230900284BFDB20BF26DC85B697B65FB04310F644626F959E66E1DF71E980AB71

Function 00D62B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D9C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D9C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D9C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D9C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D9C5C0
DestroyIcon.USER32(00000000), ref: 00D9C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D9C5EC
DestroyIcon.USER32(?), ref: 00D9C5FB

Part of subcall function 00DEA71E: DeleteObject.GDI32(00000000), ref: 00DEA757

Strings

@U=u, xrefs: 00D9C5C0, 00D9C5EC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: 28d9f813781f04b3e240234a233f7c31e27c11ad30ff1d4e6959a3ef0fb2b570
Instruction ID: 46f6ce9ce1978651969f16d05798a5a8a8ce1c59a2ac34eb10eb017740c2c153
Opcode Fuzzy Hash: 28d9f813781f04b3e240234a233f7c31e27c11ad30ff1d4e6959a3ef0fb2b570
Instruction Fuzzy Hash: E3514870610649AFDB24EF29CC85FAA37B5EB58350F144528F942E72A0DB70ED90DB70

Function 00D69997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00D699C2
__swprintf.LIBCMT ref: 00D69A0C
__i64tow.LIBCMT ref: 00D9FA0F

Strings

True, xrefs: 00D9F9D0
False, xrefs: 00D9F9D7
0x%p, xrefs: 00D9F9F1
%.15g, xrefs: 00D69A06

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: e8a27588768d90c2faebd08e6c4120c821f13a6a01b5c54935a5c1e13fcd1019
Instruction ID: 141c9f9780f45c7b579a95faabc42982aad0f6e069c26d4f342dcc19e593933a
Opcode Fuzzy Hash: e8a27588768d90c2faebd08e6c4120c821f13a6a01b5c54935a5c1e13fcd1019
Instruction Fuzzy Hash: 9441C271604205AFDF24AB78DC42E7AB7E8EF44310F28446EE589D7295EA71D942CF31

Function 00DE73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE73D9
CreateMenu.USER32 ref: 00DE73F4
SetMenu.USER32(?,00000000), ref: 00DE7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE7490
IsMenu.USER32(?), ref: 00DE74A6
CreatePopupMenu.USER32 ref: 00DE74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DE74DD
DrawMenuBar.USER32 ref: 00DE74E5

Strings

F, xrefs: 00DE74D1
0, xrefs: 00DE73CF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 71e8b74e6b71cce7524a982ac9a2f64be2c72db5fcaad6bf079852e9e6f8f92b
Instruction ID: fbaec91edf19d6ba18615c9f4c93dd565a9fcbd0faa767ebf31fe0b584205cec
Opcode Fuzzy Hash: 71e8b74e6b71cce7524a982ac9a2f64be2c72db5fcaad6bf079852e9e6f8f92b
Instruction Fuzzy Hash: 12415A75A00285EFDB24EF65D884A9ABBB5FF49300F144029E955A7390D731A910DF60

Function 00DB9471 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DBB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00DB94F6
GetDlgCtrlID.USER32 ref: 00DB9501
GetParent.USER32 ref: 00DB951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DB9520
GetDlgCtrlID.USER32(?), ref: 00DB9529
GetParent.USER32(?), ref: 00DB9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DB9548

Strings

ListBox, xrefs: 00DB94B3
@U=u, xrefs: 00DB9548
ComboBox, xrefs: 00DB947E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 49f72fd5f1f2824638a42a04fe670c774b60952ff3e5658ed7d6a6bcf9555ce7
Instruction ID: 2c8c692261e49b8c6259b145a7a09debbf5297ba0a3a1a90261a338ba93486a8
Opcode Fuzzy Hash: 49f72fd5f1f2824638a42a04fe670c774b60952ff3e5658ed7d6a6bcf9555ce7
Instruction Fuzzy Hash: 8F21D670A00248BBCF05AB64CCD5EFEBBB5EF45310F104119B662972E2DB759919DB30

Function 00DB955C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DBB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00DB95DF
GetDlgCtrlID.USER32 ref: 00DB95EA
GetParent.USER32 ref: 00DB9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DB9609
GetDlgCtrlID.USER32(?), ref: 00DB9612
GetParent.USER32(?), ref: 00DB962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DB9631

Strings

ListBox, xrefs: 00DB959E
@U=u, xrefs: 00DB9631
ComboBox, xrefs: 00DB9569

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: f86d441ee2cb537d1898661b5eb15e4b9df22a283c4fb2a203296d9d81fa60c5
Instruction ID: 764f6c0d986d8e3b1e46d7677640769edd6742c9f24e5d12c2eacf13e73f5ed1
Opcode Fuzzy Hash: f86d441ee2cb537d1898661b5eb15e4b9df22a283c4fb2a203296d9d81fa60c5
Instruction Fuzzy Hash: AA21F870A00244BBDF00AB64CCD5EFEBB75EF44300F104019F552972A6DB759959DB30

Function 00DB9645 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00DB9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00DB9666
_wcscmp.LIBCMT ref: 00DB9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DB96F3

Strings

details, xrefs: 00DB96A1
@U=u, xrefs: 00DB96F3
largeicons, xrefs: 00DB9687
SHELLDLL_DefView, xrefs: 00DB9672
smallicons, xrefs: 00DB96BB
list, xrefs: 00DB96D5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: b5c76a4c7ab5452ce3df8000b25e81de4dd2948105990a76d1ce3347b06a9da6
Instruction ID: 12d0c1ac669689b8f0f42f78bb91fc70f7264593251b2add2bf0693736c58ac0
Opcode Fuzzy Hash: b5c76a4c7ab5452ce3df8000b25e81de4dd2948105990a76d1ce3347b06a9da6
Instruction Fuzzy Hash: 31110676248787FAFA053621DC2BDE6B79CDB05B60B200026FA05F50D2FEA1A9504A78

Function 00D87040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D8707B

Part of subcall function 00D88D68: __getptd_noexit.LIBCMT ref: 00D88D68

__gmtime64_s.LIBCMT ref: 00D87114
__gmtime64_s.LIBCMT ref: 00D8714A
__gmtime64_s.LIBCMT ref: 00D87167
__allrem.LIBCMT ref: 00D871BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D871D9
__allrem.LIBCMT ref: 00D871F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D8720E
__allrem.LIBCMT ref: 00D87225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D87243
__invoke_watson.LIBCMT ref: 00D872B4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 452fb8d038f79101638c2fb313bf0a524c3f9b9a941846e28786850a61b61368
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 3071C671A04716ABEB14BE79CC82B6AB3B8FF15724F24422AF514E7681E770D94087B4

Function 00DC2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC2A31
GetMenuItemInfoW.USER32(00E26890,000000FF,00000000,00000030), ref: 00DC2A92
SetMenuItemInfoW.USER32(00E26890,00000004,00000000,00000030), ref: 00DC2AC8
Sleep.KERNEL32(000001F4), ref: 00DC2ADA
GetMenuItemCount.USER32(?), ref: 00DC2B1E
GetMenuItemID.USER32(?,00000000), ref: 00DC2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00DC2B64
GetMenuItemID.USER32(?,?), ref: 00DC2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DC2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DC2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DC2C24

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 5089224cd58b1df7c88fbfd632752456406edd29e3acda80515d6741d838a4fb
Instruction ID: 451fb7ffc3479dc1a03aa9a70db144058166f0a01f3bda200e048c5ed81e22a3
Opcode Fuzzy Hash: 5089224cd58b1df7c88fbfd632752456406edd29e3acda80515d6741d838a4fb
Instruction Fuzzy Hash: D0617DB190038AAFDB21DFA4C988EBE7BB9EB41304F18055DE841E7251D731AE45DB31

Function 00DE7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DE7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DE7217
GetWindowLongW.USER32(?,000000F0), ref: 00DE723B
_memset.LIBCMT ref: 00DE724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DE725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DE72D6

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 982238d2f2c40a923e67c5479e1618b268b0d407ef98e06ba4f7ea5559679210
Instruction ID: d14cab884d020408ffc11faf311e7b1a21154b592acc4cc895a6fb9d5e6a01e5
Opcode Fuzzy Hash: 982238d2f2c40a923e67c5479e1618b268b0d407ef98e06ba4f7ea5559679210
Instruction Fuzzy Hash: AE615B75A00288AFDB20EFA5CC81EEE77F8EB09714F14015AFA15A72A1D770AD45DB60

Function 00DB710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DB7135
SafeArrayAllocData.OLEAUT32(?), ref: 00DB718E
VariantInit.OLEAUT32(?), ref: 00DB71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00DB71C0
VariantCopy.OLEAUT32(?,?), ref: 00DB7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00DB7227
VariantClear.OLEAUT32(?), ref: 00DB723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00DB7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DB7252
VariantClear.OLEAUT32(?), ref: 00DB7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DB726F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bf720b97ff61650f57325ed56b58be1b60664ba33b6ef5458e3d915f678e6bf2
Instruction ID: a3ba097241c3f7dce86a37eb00f75f36c5aa0b74fd0324d89f13c06a2b849c17
Opcode Fuzzy Hash: bf720b97ff61650f57325ed56b58be1b60664ba33b6ef5458e3d915f678e6bf2
Instruction Fuzzy Hash: 5F410E75A04219DFDB00EFA4D8849EEBBB9EF48354B048065F956EB361DB30A945CBB0

Function 00DED74C Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

GetSystemMetrics.USER32(0000000F), ref: 00DED78A
GetSystemMetrics.USER32(0000000F), ref: 00DED7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00DED9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00DEDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00DEDA24
ShowWindow.USER32(00000003,00000000), ref: 00DEDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00DEDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00DEDA8B

Strings

@U=u, xrefs: 00DEDA03, 00DEDA24

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: 52cda812c2e8cf0514d7a163c901a893711f63734f8166adf976c26f2671f594
Instruction ID: 287676fa62e674fcd55f8241251cd2461c40d350b6f27c4c8ee528c11fc3c517
Opcode Fuzzy Hash: 52cda812c2e8cf0514d7a163c901a893711f63734f8166adf976c26f2671f594
Instruction Fuzzy Hash: 6EB17A715002A5AFDF18EF6AC9C57BD7BB2FF44701F088179EC489A295DB34AA50CB60

Function 00D62E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00D62EAE

Part of subcall function 00D61DB3: GetClientRect.USER32(?,?), ref: 00D61DDC
Part of subcall function 00D61DB3: GetWindowRect.USER32(?,?), ref: 00D61E1D
Part of subcall function 00D61DB3: ScreenToClient.USER32(?,?), ref: 00D61E45

GetDC.USER32 ref: 00D9CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D9CF95
SelectObject.GDI32(00000000,00000000), ref: 00D9CFA3
SelectObject.GDI32(00000000,00000000), ref: 00D9CFB8
ReleaseDC.USER32(?,00000000), ref: 00D9CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D9D04B

Strings

U, xrefs: 00D9CF20
@U=u, xrefs: 00D9CF95

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: aad507132ff2b06b3644ff749024799d49316f5665c6145dda36ac7df69f6247
Instruction ID: 20aa593e346b5dea49412fcfc49e68887bd3cf0f73d964afdf448d46031641d4
Opcode Fuzzy Hash: aad507132ff2b06b3644ff749024799d49316f5665c6145dda36ac7df69f6247
Instruction Fuzzy Hash: 1B71B231500205DFCF259F64C884ABA7BB6FF49354F18426AFD999A2A6C731CC42DB70

Function 00DD5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DD5AA6
inet_addr.WSOCK32(?,?,?), ref: 00DD5AEB
gethostbyname.WSOCK32(?), ref: 00DD5AF7
IcmpCreateFile.IPHLPAPI ref: 00DD5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DD5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DD5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00DD5C00
WSACleanup.WSOCK32 ref: 00DD5C06

Strings

Ping, xrefs: 00DD5B29

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2311b217dcf003350110d38c4a9fb7ecbe46e7f9706bf3d01e2f9e69563ca08e
Instruction ID: f3aaa488d33247d2a0bf95a44d1ea30f236ec041c0eb9c4fe258b8a3203c885e
Opcode Fuzzy Hash: 2311b217dcf003350110d38c4a9fb7ecbe46e7f9706bf3d01e2f9e69563ca08e
Instruction Fuzzy Hash: 48517C316047019FDB10AF24EC85B2AB7E4EF48710F19892BF59ADB3A5DB70E944CB61

Function 00DCB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DCB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DCB7B1
GetLastError.KERNEL32 ref: 00DCB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00DCB828

Strings

UNKNOWN, xrefs: 00DCB7E0
INVALID, xrefs: 00DCB7FA
READY, xrefs: 00DCB801
READONLY, xrefs: 00DCB7F3
NOTREADY, xrefs: 00DCB7E7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c13456efc4412bc21797e989be974b87b2f5577257bfffaf3dc8114c6da9ec3b
Instruction ID: f9cca97c0f91bb1dc59f015fa6e2cd1091a6ef5219bb7b1ede0361afe282af6e
Opcode Fuzzy Hash: c13456efc4412bc21797e989be974b87b2f5577257bfffaf3dc8114c6da9ec3b
Instruction Fuzzy Hash: C3312135A0030AAFDB14EF68D886FBA7BB8EF54720F18402AE905DB291D771D942C671

Function 00DE6442 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DE645A
GetDC.USER32(00000000), ref: 00DE6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DE646D
ReleaseDC.USER32(00000000,00000000), ref: 00DE6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00DE64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DE64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DE9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00DE6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DE6520

Strings

@U=u, xrefs: 00DE64C6, 00DE6520

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 56742a9d60ebad83919f5b3b10759f3e7e936192d9585e29d8398f131d665efd
Instruction ID: f64be2b8bb51b27b313fea3c0083b1bc8a88d0bd3cd05d4b8ac1d2a9d3f0cacc
Opcode Fuzzy Hash: 56742a9d60ebad83919f5b3b10759f3e7e936192d9585e29d8398f131d665efd
Instruction Fuzzy Hash: E0318B72200294BFEB11AF51CC8AFEA3FA9EF19761F084065FE08DE295C6759841CB70

Function 00DD8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DD8BEC
CoInitialize.OLE32(00000000), ref: 00DD8C19
CoUninitialize.OLE32 ref: 00DD8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00DD8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00DD8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00DF2C0C), ref: 00DD8E84
CoGetObject.OLE32(?,00000000,00DF2C0C,?), ref: 00DD8EA7
SetErrorMode.KERNEL32(00000000), ref: 00DD8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DD8F3A
VariantClear.OLEAUT32(?), ref: 00DD8F4A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 88d342d8dc7484211f418b506bb6bddb708792e5e7141b8b06d916c2f4e49fd8
Instruction ID: 653003d27a0f8f329646709d883dadc07fb8e78b5119253dc94c79e7aa73eeff
Opcode Fuzzy Hash: 88d342d8dc7484211f418b506bb6bddb708792e5e7141b8b06d916c2f4e49fd8
Instruction Fuzzy Hash: D6C103B1604305AFC701EF68C88492AB7E9FF89748F04495EF58A9B351DB71ED05CB62

Function 00DC4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00DC419D
__swprintf.LIBCMT ref: 00DC41AA

Part of subcall function 00D838D8: __woutput_l.LIBCMT ref: 00D83931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00DC41D4
LoadResource.KERNEL32(?,00000000), ref: 00DC41E0
LockResource.KERNEL32(00000000), ref: 00DC41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00DC420D
LoadResource.KERNEL32(?,00000000), ref: 00DC421F
SizeofResource.KERNEL32(?,00000000), ref: 00DC422E
LockResource.KERNEL32(?), ref: 00DC423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00DC429B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: c40309a00784ac0d040052d1b776a12f3967649225ad334df05eee6b5cc26a0c
Instruction ID: 488348317f5bd9cdeec072a5ae89f007578563cd3d5995762ba1d0c6e50596c9
Opcode Fuzzy Hash: c40309a00784ac0d040052d1b776a12f3967649225ad334df05eee6b5cc26a0c
Instruction Fuzzy Hash: C7319F7160224BAFCB11AF60DC95EBFBBA8EF08301F044529F905EB150D770DA518BB8

Function 00DC16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DC1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DC0778,?,00000001), ref: 00DC1714
GetWindowThreadProcessId.USER32(00000000), ref: 00DC171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DC0778,?,00000001), ref: 00DC172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DC173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DC0778,?,00000001), ref: 00DC1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DC0778,?,00000001), ref: 00DC1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DC0778,?,00000001), ref: 00DC17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DC0778,?,00000001), ref: 00DC17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DC0778,?,00000001), ref: 00DC17CC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 26b70f41d13986bafba57a6650fa6328ca31b060132cfa0096be4bcc6d3f717d
Instruction ID: 79d3ea6a9a267321721df9bbaa65d0bb61ca2e37d3e183d972c8f2d96d174202
Opcode Fuzzy Hash: 26b70f41d13986bafba57a6650fa6328ca31b060132cfa0096be4bcc6d3f717d
Instruction Fuzzy Hash: F831DF79208315FFEB21AF11DD84F693BA9AB46711F24802CF800DB2E1D7B09D448B70

Function 00DBA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00DBAA64), ref: 00DBA9A2

Strings

NAME, xrefs: 00DBA7D4
INSTANCE, xrefs: 00DBA8B0
REGEXPCLASS, xrefs: 00DBA767
TEXT, xrefs: 00DBA8D9
CLASS, xrefs: 00DBA721
CLASSNN, xrefs: 00DBA744

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b275548001cd11c9a0f8c4aa8671fed4fc0dd998bc19cae6a242ab3624b921c5
Instruction ID: 8aa519c9c059195aac0555101edf4c3e2835fe890ec011f2f43cc39b665c5f14
Opcode Fuzzy Hash: b275548001cd11c9a0f8c4aa8671fed4fc0dd998bc19cae6a242ab3624b921c5
Instruction Fuzzy Hash: 6F919170A00206EBDF18EF68C482BE9FB75FF04304F548119D89AA7541DF30AA99DBB1

Function 00DEB60B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(008D56F0), ref: 00DEB6A5
IsWindowEnabled.USER32(008D56F0), ref: 00DEB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00DEB795
SendMessageW.USER32(008D56F0,000000B0,?,?), ref: 00DEB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00DEB809
GetWindowLongW.USER32(008D56F0,000000EC), ref: 00DEB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00DEB843

Strings

@U=u, xrefs: 00DEB795, 00DEB7CC, 00DEB843

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 05198a8540d5e2ffceabf716914f0e12c61e9c3ff27ef3f95ec200eb28c749d7
Instruction ID: fec5bc0bef5d342dced471e3de0c82693a3122f20f183bd9b1834ff74019e42f
Opcode Fuzzy Hash: 05198a8540d5e2ffceabf716914f0e12c61e9c3ff27ef3f95ec200eb28c749d7
Instruction Fuzzy Hash: 4C715E34600384AFDB24BF56C8D4FAB7BA9FB49320F18445EE9459B261C731B951CB70

Function 00DE6FEF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DE7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00DE70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DE70C1
_wcscat.LIBCMT ref: 00DE711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00DE7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DE7161

Strings

@U=u, xrefs: 00DE7093, 00DE70A7
SysListView32, xrefs: 00DE7065

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 60594d6ff8e3f8505249edb4eeee969e4da4c5c2d01e4e46fb93bec27bd7964f
Instruction ID: da5c3b71ec9f97e616e806ccd03a4fbf34bdc2761c073f4c0edd7ed92afab130
Opcode Fuzzy Hash: 60594d6ff8e3f8505249edb4eeee969e4da4c5c2d01e4e46fb93bec27bd7964f
Instruction Fuzzy Hash: D041A371A04388AFEB21AF65CC85BEE77B8EF08350F14052AF584E7292D7719D848B70

Function 00DE653C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DE655B
GetWindowLongW.USER32(008D56F0,000000F0), ref: 00DE658E
GetWindowLongW.USER32(008D56F0,000000F0), ref: 00DE65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00DE65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00DE661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00DE6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DE664A

Strings

@U=u, xrefs: 00DE655B, 00DE65F5, 00DE661F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: bf60723e67e670369170c0a8435769e102ff58271fd5d776663214d6c6f27632
Instruction ID: c47036bfb2c545dbea7eec8868b406283b3534c2dada52560d6345b10849f083
Opcode Fuzzy Hash: bf60723e67e670369170c0a8435769e102ff58271fd5d776663214d6c6f27632
Instruction Fuzzy Hash: 6031E130704290AFDB24AF1ADC89F553BE1FB6A790F1902A8F511DF2B5CB61E8449B61

Function 00DD8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00DEF910), ref: 00DD903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00DEF910), ref: 00DD9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DD91EB
SysFreeString.OLEAUT32(?), ref: 00DD9215

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 8961344238ecd0328180cb16d2a6def6d7c3338bfb1ad7e38675a07110525065
Instruction ID: cd191d9dd78d6a0bef2d47d23bf7a955b9f271e0c0f13a2271826cd8c264ffca
Opcode Fuzzy Hash: 8961344238ecd0328180cb16d2a6def6d7c3338bfb1ad7e38675a07110525065
Instruction Fuzzy Hash: F2F13C71A00209EFDF14DF94C898EAEB7B9FF49314F14805AF515AB250DB32AE46CB60

Function 00DDF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DDF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DDFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DDFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DDFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DDFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DDFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00DDFD90
CloseHandle.KERNEL32(?), ref: 00DDFDBF
CloseHandle.KERNEL32(?), ref: 00DDFE36

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4afd2888613e52917817a6c476aa5a15bf73d09934a7a9e3c4b96da084f0d212
Instruction ID: 67431190e51afce8b81a93aa0fe85cd6f8b993e563d1fe620ab701e57f77183e
Opcode Fuzzy Hash: 4afd2888613e52917817a6c476aa5a15bf73d09934a7a9e3c4b96da084f0d212
Instruction Fuzzy Hash: 47E162312043419FC714EF24C891A6ABBE5EF85354F18856EF89A9B3A2DB31DC45CB72

Function 00DC4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DC38D3,?), ref: 00DC48C7

Part of subcall function 00DC48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DC38D3,?), ref: 00DC48E0

Part of subcall function 00DC4CD3: GetFileAttributesW.KERNEL32(?,00DC3947), ref: 00DC4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00DC4FE2
_wcscmp.LIBCMT ref: 00DC4FFC
MoveFileW.KERNEL32(?,?), ref: 00DC5017

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 45763192ba5ab94b9d26d3baf2110fdbf3d5a7fb7dc37aa196b880d292e03ed5
Instruction ID: 6f9739b33aa0b06a38f511bd27fe969f63affccc3302423fdac75256fb64d8e2
Opcode Fuzzy Hash: 45763192ba5ab94b9d26d3baf2110fdbf3d5a7fb7dc37aa196b880d292e03ed5
Instruction Fuzzy Hash: 115152B20087859BC724EB90D891EDFB3ECEF85301F14492EB589D7151EE74B2888776

Function 00DB8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00DB8A84,00000B00,?,?), ref: 00DB8E0C
HeapAlloc.KERNEL32(00000000,?,00DB8A84,00000B00,?,?), ref: 00DB8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DB8A84,00000B00,?,?), ref: 00DB8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00DB8A84,00000B00,?,?), ref: 00DB8E30
DuplicateHandle.KERNEL32(00000000,?,00DB8A84,00000B00,?,?), ref: 00DB8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00DB8A84,00000B00,?,?), ref: 00DB8E43
GetCurrentProcess.KERNEL32(00DB8A84,00000000,?,00DB8A84,00000B00,?,?), ref: 00DB8E4B
DuplicateHandle.KERNEL32(00000000,?,00DB8A84,00000B00,?,?), ref: 00DB8E4E
CreateThread.KERNEL32(00000000,00000000,00DB8E74,00000000,00000000,00000000), ref: 00DB8E68

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0b9b3ee9eb04b21690877260d0ec2846ef00ceef710b22409ad7b64db7930c95
Instruction ID: daf5585819477b6d1b813863609be27aa9ba619088edef645f4a0c7aac74784c
Opcode Fuzzy Hash: 0b9b3ee9eb04b21690877260d0ec2846ef00ceef710b22409ad7b64db7930c95
Instruction Fuzzy Hash: 9F0154B5640348FFE610ABA5DC89F6B7BACEB89711F418421FA05DF2A1CA759804DA70

Function 00DD9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD947C
VariantInit.OLEAUT32(?), ref: 00DD954D
VariantInit.OLEAUT32(?), ref: 00DD964E
VariantClear.OLEAUT32(?), ref: 00DD9658
VariantClear.OLEAUT32(?), ref: 00DD96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00DD94DD, 00DD960B, 00DD96C3
Incorrect Object type in FOR..IN loop, xrefs: 00DD9631

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 9bbfeb127d962e4362e0efd4d5d2d45d67a6507986ff2dc8f93ccbd7cb18e036
Instruction ID: 1d508fde0d40e8299a922e8df030eaff06fec74535106173e9c53a84b754f775
Opcode Fuzzy Hash: 9bbfeb127d962e4362e0efd4d5d2d45d67a6507986ff2dc8f93ccbd7cb18e036
Instruction Fuzzy Hash: C291AD70A00219ABDF20DFA5D864FAEBBB8EF45710F14816AF515AB280D771E945CFB0

Function 00DD9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00DB7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?,?,?,00DB799D), ref: 00DB766F
Part of subcall function 00DB7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?,?), ref: 00DB768A
Part of subcall function 00DB7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?,?), ref: 00DB7698
Part of subcall function 00DB7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?), ref: 00DB76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00DD9B1B
_memset.LIBCMT ref: 00DD9B28
_memset.LIBCMT ref: 00DD9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00DD9C97
CoTaskMemFree.OLE32(?), ref: 00DD9CA2

Strings

NULL Pointer assignment, xrefs: 00DD9CF0

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 3e4b2b90270524b0c870d48e9821bf4cdb0326b670a3313ceb54685c035e9290
Instruction ID: b7fbf921dff78c6bedd70ca3159bd0dbe8f40f564b34b4522e98bc8df21934b3
Opcode Fuzzy Hash: 3e4b2b90270524b0c870d48e9821bf4cdb0326b670a3313ceb54685c035e9290
Instruction Fuzzy Hash: C8911771D00219EBDB10DFA5DC95ADEBBB9EF08710F20416AF519A7281DB71AA44CFB0

Function 00DDEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00DC3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00DC3EB6
Part of subcall function 00DC3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00DC3EC4
Part of subcall function 00DC3E91: CloseHandle.KERNEL32(00000000), ref: 00DC3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DDECB8
GetLastError.KERNEL32 ref: 00DDECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DDECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00DDED77
GetLastError.KERNEL32(00000000), ref: 00DDED82
CloseHandle.KERNEL32(00000000), ref: 00DDEDB7

Strings

SeDebugPrivilege, xrefs: 00DDECD6

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 6b1903575d92af4fb5b783288a1f6e6eaf971fe97ceaff280ad0eaf90f0d941c
Instruction ID: 01826327a31e07fe8a3c2f923ecb553dad878ae630351b472899c953f4586142
Opcode Fuzzy Hash: 6b1903575d92af4fb5b783288a1f6e6eaf971fe97ceaff280ad0eaf90f0d941c
Instruction Fuzzy Hash: 54417B712002019FDB24EF24C8A5FADB7A5EF84714F088459F8469F3D2DB75A804CBB5

Function 00DEB958 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E267B0,00000000,008D56F0,?,?,00E267B0,?,00DEB862,?,?), ref: 00DEB9CC
EnableWindow.USER32(00000000,00000000), ref: 00DEB9F0
ShowWindow.USER32(00E267B0,00000000,008D56F0,?,?,00E267B0,?,00DEB862,?,?), ref: 00DEBA50
ShowWindow.USER32(00000000,00000004,?,00DEB862,?,?), ref: 00DEBA62
EnableWindow.USER32(00000000,00000001), ref: 00DEBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00DEBAA9

Strings

@U=u, xrefs: 00DEBAA9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: befc18eb0a702dc0202ec99c58a6374dfc6faaf5f46d56cba518d81babb80a4c
Instruction ID: 3f2a56c419adc522ab4f4f6225089579e568b90108f0a50770b34308b336725c
Opcode Fuzzy Hash: befc18eb0a702dc0202ec99c58a6374dfc6faaf5f46d56cba518d81babb80a4c
Instruction Fuzzy Hash: 6E413534500681AFDB25EF55C889BA67BE1FB05324F1C41BAEA488F663C771A845CF61

Function 00DC3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00DC32C5

Strings

info, xrefs: 00DC3266
blank, xrefs: 00DC3247
warning, xrefs: 00DC32AE
question, xrefs: 00DC327E
stop, xrefs: 00DC3296

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ae5e7dab66a4f676f9fec64cf197220da011b638737804ff4563e0e8ec338102
Instruction ID: e243bf71397a3d6e66c54ef49c7786abda1665aa0f1963407000613f62909367
Opcode Fuzzy Hash: ae5e7dab66a4f676f9fec64cf197220da011b638737804ff4563e0e8ec338102
Instruction Fuzzy Hash: A611EB31209747BAAF056B54EC42EAAF39CDF19B70F24402EF504A7181D6B59B4046B9

Function 00DC4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DC454E
LoadStringW.USER32(00000000), ref: 00DC4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DC456B
LoadStringW.USER32(00000000), ref: 00DC4572
_wprintf.LIBCMT ref: 00DC4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DC45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00DC4593

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 93d64dc2dbeb792079a35d90cce09c6560e5c68c55b2c994b5ffd9b2dfbcbda6
Instruction ID: 3e3f8df4b3f05b82a168fdadc3dd4a299ba275ad94eb44108e0f5054d295fcdb
Opcode Fuzzy Hash: 93d64dc2dbeb792079a35d90cce09c6560e5c68c55b2c994b5ffd9b2dfbcbda6
Instruction Fuzzy Hash: 060162F2900348BFE721B7A4DD89EFB776CD708301F0005A9BB49E6151EA749E858B70

Function 00D62A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D9C417,00000004,00000000,00000000,00000000), ref: 00D62ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00D9C417,00000004,00000000,00000000,00000000,000000FF), ref: 00D62B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00D9C417,00000004,00000000,00000000,00000000), ref: 00D9C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D9C417,00000004,00000000,00000000,00000000), ref: 00D9C4D6

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 99f59eb2338f3385d67583f56e78b3062c2f4eb34a67a344ddcb29d107382534
Instruction ID: d89c27f4a4225e120d0f65c1969ba18b5052fd7ca01edb3e0df6fb6c30b634b9
Opcode Fuzzy Hash: 99f59eb2338f3385d67583f56e78b3062c2f4eb34a67a344ddcb29d107382534
Instruction Fuzzy Hash: A241F830714BC09BCB399B689CD8B7A7BA2EB55310F1C891DE0C786661C6B5E841E730

Function 00DC7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00DC737F

Part of subcall function 00D80FF6: std::exception::exception.LIBCMT ref: 00D8102C
Part of subcall function 00D80FF6: __CxxThrowException@8.LIBCMT ref: 00D81041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00DC73B6
EnterCriticalSection.KERNEL32(?), ref: 00DC73D2
_memmove.LIBCMT ref: 00DC7420
_memmove.LIBCMT ref: 00DC743D
LeaveCriticalSection.KERNEL32(?), ref: 00DC744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00DC7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00DC7480

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 4a672b540e5ee65ee6e460eb4c6d9b9c1a33fac3300d8090c2aebdaa89fd6c74
Instruction ID: 32c6e29feb7c08cf6c6de4b17e61bb426e208c783c066b0b7a3aa20f4d76d08c
Opcode Fuzzy Hash: 4a672b540e5ee65ee6e460eb4c6d9b9c1a33fac3300d8090c2aebdaa89fd6c74
Instruction Fuzzy Hash: 51318F35904245EBCF10EF65DC85EAE7BB8EF44710F1481A9FA04EB256DB309A15CBB4

Function 00DBC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00DBC087
_memcmp.LIBCMT ref: 00DBC0A9
_memcmp.LIBCMT ref: 00DBC0C1
_memcmp.LIBCMT ref: 00DBC0D4
_memcmp.LIBCMT ref: 00DBC0EE
_memcmp.LIBCMT ref: 00DBC101
_memcmp.LIBCMT ref: 00DBC119
_memcmp.LIBCMT ref: 00DBC134

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 930ccd88c4ed9174af68b203690c1d49bee0d7318277fd9904787afa55f4affc
Instruction ID: ae1cffbfbde8f9ab2b644cb6d84ca055a17114d3bd11fc955e3eb97b3fe363d4
Opcode Fuzzy Hash: 930ccd88c4ed9174af68b203690c1d49bee0d7318277fd9904787afa55f4affc
Instruction Fuzzy Hash: 8C218075652209FB9614B6259D43FFB239CFE103E4B085020FE4AA6282F751DE1A82B5

Function 00DCED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

Part of subcall function 00D7FEC6: _wcscpy.LIBCMT ref: 00D7FEE9

_wcstok.LIBCMT ref: 00DCEEFF
_wcscpy.LIBCMT ref: 00DCEF8E
_memset.LIBCMT ref: 00DCEFC1

Strings

X, xrefs: 00DCEFFE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 0f4b9ddb85dd7eccf872f41338f3b6c66b5fc95deff2ec6b3d31a8e4cff84bde
Instruction ID: 00b9a0e131df41e74cb878a503d8e45fb78e33d8bfcb25212bb5283fd3e30a68
Opcode Fuzzy Hash: 0f4b9ddb85dd7eccf872f41338f3b6c66b5fc95deff2ec6b3d31a8e4cff84bde
Instruction Fuzzy Hash: 21C16A715083419FC724EF24D891EAAB7E5EF84314F14492DF8999B2A2DB30ED45CBB2

Function 00DD6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00DD6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00DD6F35
WSAGetLastError.WSOCK32(00000000), ref: 00DD6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00DD6FFE
inet_ntoa.WSOCK32(?), ref: 00DD6FBB

Part of subcall function 00DBAE14: _strlen.LIBCMT ref: 00DBAE1E
Part of subcall function 00DBAE14: _memmove.LIBCMT ref: 00DBAE40

_strlen.LIBCMT ref: 00DD7058
_memmove.LIBCMT ref: 00DD70C1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: aea5c1d01ded27db783d3a04c293ae7c8b3caab721297f4e2220f7887dcd1d19
Instruction ID: 20005718b9c481ce17b70dc8a1e581677b02a2c810fddaa0f893318bc8380986
Opcode Fuzzy Hash: aea5c1d01ded27db783d3a04c293ae7c8b3caab721297f4e2220f7887dcd1d19
Instruction Fuzzy Hash: F381CF71508300ABD710EB24CC92E6BB7E9EF84714F14891EF5559B2E2EA71ED05CBB2

Function 00D61424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0ddeedebff67877b843c3fa9e123e848949ba36cfb708d2f3ffcc018a6eb42
Instruction ID: dbe563fc7fe917aded68dbdd15bd6d63d15861d8c2e4bc63d9a7e76b6abaff85
Opcode Fuzzy Hash: ad0ddeedebff67877b843c3fa9e123e848949ba36cfb708d2f3ffcc018a6eb42
Instruction Fuzzy Hash: F0713834900209EFDB14DF98C889AAEBB79FF85324F188159F915AB251C734AA51CBB4

Function 00DDF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DDF75C
_memset.LIBCMT ref: 00DDF825
ShellExecuteExW.SHELL32(?), ref: 00DDF86A

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

Part of subcall function 00D7FEC6: _wcscpy.LIBCMT ref: 00D7FEE9

GetProcessId.KERNEL32(00000000), ref: 00DDF8E1
CloseHandle.KERNEL32(00000000), ref: 00DDF910

Strings

@, xrefs: 00DDF839

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: e7983371607d3bdb3888078d910aa7064432c786d1b84bdd4c50436d01391666
Instruction ID: b7945a75168aa8cecea3f948af634295804f9475c7592391a4b97c8402d99153
Opcode Fuzzy Hash: e7983371607d3bdb3888078d910aa7064432c786d1b84bdd4c50436d01391666
Instruction Fuzzy Hash: 6E614D75A006199FCB14EF64C5919AEBBF5FF48310B14846AE85AAB351CB30AD41CFB1

Function 00DC145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DC149C
GetKeyboardState.USER32(?), ref: 00DC14B1
SetKeyboardState.USER32(?), ref: 00DC1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00DC1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00DC155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00DC15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DC15C8

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0ffdc426750ec78153d6e06a958c662f40320826705c5823ac38d1403d1ed3f4
Instruction ID: 895cec3fd2a55ea8173c4954abcd8d610ccd91df9b69058b7b31cfc84f8d3509
Opcode Fuzzy Hash: 0ffdc426750ec78153d6e06a958c662f40320826705c5823ac38d1403d1ed3f4
Instruction Fuzzy Hash: CF51D2A46587E73EFB3656248C45FBA7EA95B47304F0C858DE1D58B8C3C2A8D888D770

Function 00DC1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00DC12B5
GetKeyboardState.USER32(?), ref: 00DC12CA
SetKeyboardState.USER32(?), ref: 00DC132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DC1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DC1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DC13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DC13D9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4de2cfe76d3006e6e46ab4dd1c37f283ef852f8db30b94f3efd413ba5865a115
Instruction ID: 867ae27de32bc4950055fdf0d41445164650138de344a478e196bba7d2a45d39
Opcode Fuzzy Hash: 4de2cfe76d3006e6e46ab4dd1c37f283ef852f8db30b94f3efd413ba5865a115
Instruction Fuzzy Hash: 5A51BFA45086E679FB3697248C45F7ABEA99B07304F0C858DE1D48B8C3D295AC98D770

Function 00DC589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00DC58AC
_wcsncpy.LIBCMT ref: 00DC58E1
_wcsncpy.LIBCMT ref: 00DC5913
_wcsncpy.LIBCMT ref: 00DC5946
_wcsncpy.LIBCMT ref: 00DC5988
_wcsncpy.LIBCMT ref: 00DC59C2
_wcsncpy.LIBCMT ref: 00DC59F1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 7e7b986397a83b9e75d036bbb5363524867ffb6ca70e94cc8f9cd8a0dbf6fb20
Instruction ID: c90c61dc68a850ee5d711708bd083b584585a27cb3d7fcf0648b8ad5d0f863f2
Opcode Fuzzy Hash: 7e7b986397a83b9e75d036bbb5363524867ffb6ca70e94cc8f9cd8a0dbf6fb20
Instruction Fuzzy Hash: 50419065C20619B6CB11FBB89C8AACFB3B8DF04710F508556F918E3122EA34E755C7B9

Function 00DEA2C5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00DEA3BE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 01da5b8e4369bc07fbf6a9b84ab92a5fec7ffcd86b27fdffbcc5e9254280b00c
Instruction ID: caca7a9782f014a0aae2daea8279071d12ac19dd677dc3fd86936097d15e6910
Opcode Fuzzy Hash: 01da5b8e4369bc07fbf6a9b84ab92a5fec7ffcd86b27fdffbcc5e9254280b00c
Instruction Fuzzy Hash: 2B41F335900296AFC724FBADCC88FA9BBA4EB09310F184265F855E72E1C770BD41DA71

Function 00DC38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DC38D3,?), ref: 00DC48C7

Part of subcall function 00DC48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DC38D3,?), ref: 00DC48E0

lstrcmpiW.KERNEL32(?,?), ref: 00DC38F3
_wcscmp.LIBCMT ref: 00DC390F
MoveFileW.KERNEL32(?,?), ref: 00DC3927
_wcscat.LIBCMT ref: 00DC396F
SHFileOperationW.SHELL32(?), ref: 00DC39DB

Strings

\*.*, xrefs: 00DC3969

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: d40a9c5b0f9c34de96b4cd88e68395c9f732f89e3be8d03c8b86aec905d4daf3
Instruction ID: 35cbe48342d6f417175e9492df6aa556a971a4331eb46aa5e0771f88bd2c2e5a
Opcode Fuzzy Hash: d40a9c5b0f9c34de96b4cd88e68395c9f732f89e3be8d03c8b86aec905d4daf3
Instruction Fuzzy Hash: 7B416CB15093859AC756EF64C481EEBB7E8EF88340F04492EF499C3161EA74D688CB72

Function 00DE7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE75C0
IsMenu.USER32(?), ref: 00DE75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DE7620
DrawMenuBar.USER32 ref: 00DE7633

Strings

0, xrefs: 00DE750D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: b45e93904b81e9c9a2666703b7d3afdcd2db206ce328bdcb11445078115e9dec
Instruction ID: d7b460b0c8819a076d3f5950a157bd21467adf1985a5415f5d0ba568cca1fa4c
Opcode Fuzzy Hash: b45e93904b81e9c9a2666703b7d3afdcd2db206ce328bdcb11445078115e9dec
Instruction Fuzzy Hash: 4C415A75A04688EFDB60EF55D884EAABBF8FF44314F088129E955AB250D730ED50CFA0

Function 00DE122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00DE125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DE1286
FreeLibrary.KERNEL32(00000000), ref: 00DE133D

Part of subcall function 00DE122D: RegCloseKey.ADVAPI32(?), ref: 00DE12A3
Part of subcall function 00DE122D: FreeLibrary.KERNEL32(?), ref: 00DE12F5
Part of subcall function 00DE122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00DE1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00DE12E0

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 81fa4da75c5ac9ce8afe22b0bb800198412471d6606e0553a98bd06c3ba26c85
Instruction ID: fd00f98cd6637edf0308926ddf0d7b0e574d790a8c292acb9bbf3c3d5ad3166f
Opcode Fuzzy Hash: 81fa4da75c5ac9ce8afe22b0bb800198412471d6606e0553a98bd06c3ba26c85
Instruction Fuzzy Hash: 4D314DB5A01259BFDB15EF91DC89AFEB7BCEF08300F00016AE501E2251DA749F459AB0

Function 00DD6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DD80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00DD64D9
WSAGetLastError.WSOCK32(00000000), ref: 00DD64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DD6521
connect.WSOCK32(00000000,?,00000010), ref: 00DD652A
WSAGetLastError.WSOCK32 ref: 00DD6534
closesocket.WSOCK32(00000000), ref: 00DD655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DD6576

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: b7e876b0fe9205ea8ac11b8061176df0d54643a12f9f990c4b1bb87b95e56393
Instruction ID: 2a5defb21b89f013108e64a81a8c9dad1af4e3bd2d9d3aeede130622bd9c1d5e
Opcode Fuzzy Hash: b7e876b0fe9205ea8ac11b8061176df0d54643a12f9f990c4b1bb87b95e56393
Instruction Fuzzy Hash: 44319E71600218ABEB10AF64DC85BBE7BADEB44710F04806AF945DB391DB74ED44CAB1

Function 00DB9372 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DBB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DB93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DB9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00DB9439

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

Strings

ListBox, xrefs: 00DB93B5
@U=u, xrefs: 00DB93F6, 00DB9409, 00DB9439
ComboBox, xrefs: 00DB9380

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: 38d5499b0db69bf45261bc4ba13933ba6d9c4e7c25f56a69492364be384b1ece
Instruction ID: b68a5ab99e9eb4803910c691248cac45204fe2782a67e5c24f987ffcbd3f1351
Opcode Fuzzy Hash: 38d5499b0db69bf45261bc4ba13933ba6d9c4e7c25f56a69492364be384b1ece
Instruction Fuzzy Hash: B321E171900248ABDB14ABB0DC96CFFB768DF05360B144529FA26A72E1DB354A4A9A30

Function 00DBE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DBE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DBE120
SysAllocString.OLEAUT32(00000000), ref: 00DBE123
SysAllocString.OLEAUT32 ref: 00DBE144
SysFreeString.OLEAUT32 ref: 00DBE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00DBE167
SysAllocString.OLEAUT32(?), ref: 00DBE175

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1628a1ec8836755f2801f5cda5d6b9fe8b4b9db9c5c0526c81d202ffc465dc9a
Instruction ID: 0ef10217fc5c674b969184ea927f8ab9416663e27d300d3f4a11da3ac0b4a28c
Opcode Fuzzy Hash: 1628a1ec8836755f2801f5cda5d6b9fe8b4b9db9c5c0526c81d202ffc465dc9a
Instruction Fuzzy Hash: 5C216D75605318EF9B10AFACDC88CEB77ECEB097A0B148125F956CB2A0DA70DC418B74

Function 00DBB6AF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00DBB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DBB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DBB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DBB742
_wcsstr.LIBCMT ref: 00DBB74C

Strings

@U=u, xrefs: 00DBB6E4, 00DBB71C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 912c299da93a1e6a70cd753a2bf4b317c6f79966067f5af28614840052ea26c2
Instruction ID: f8298c44bd3495b497ee6e4cd3511118878532816c61eb8464f4cabbaff4cf20
Opcode Fuzzy Hash: 912c299da93a1e6a70cd753a2bf4b317c6f79966067f5af28614840052ea26c2
Instruction Fuzzy Hash: E521C531604344FBEB256B799C49EBB7B98DF89720F14406AF806CA2A1EFA1DC419770

Function 00DB97E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DB9802

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DB9834
__itow.LIBCMT ref: 00DB984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DB9874
__itow.LIBCMT ref: 00DB9885

Strings

@U=u, xrefs: 00DB9802, 00DB9834, 00DB9874

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: cef5fe718856c9074c4d1375e78d7b6caebb63217fc4ad4888a0c41838bb3859
Instruction ID: e07a2185ceeb4d7514cee8de0de52c2369e96229bc10927271660cae4fa91c2c
Opcode Fuzzy Hash: cef5fe718856c9074c4d1375e78d7b6caebb63217fc4ad4888a0c41838bb3859
Instruction Fuzzy Hash: 91210A75B00388EBDB10AB618C96EEEBBA8DF49710F080028FE05DB251D671CD4587F1

Function 00DE783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D61D73
Part of subcall function 00D61D35: GetStockObject.GDI32(00000011), ref: 00D61D87
Part of subcall function 00D61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D61D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DE78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DE78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DE78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DE78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DE78D4

Strings

Msctls_Progress32, xrefs: 00DE7872

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c755190d807e3ead944bbb76f99888c79370453611a7a4aa32b9cb4693aeee2f
Instruction ID: e41ea8c06890d9efcb43636c0c0f94f05de7fae1c36afd1037a3777868fbed2a
Opcode Fuzzy Hash: c755190d807e3ead944bbb76f99888c79370453611a7a4aa32b9cb4693aeee2f
Instruction Fuzzy Hash: A51160B2550219BFEF159F61CC85EEB7F6DEF08768F014115BA04A6190C772AC21DBB4

Function 00D841C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00D84292,?), ref: 00D841E3
GetProcAddress.KERNEL32(00000000), ref: 00D841EA
EncodePointer.KERNEL32(00000000), ref: 00D841F6
DecodePointer.KERNEL32(00000001,00D84292,?), ref: 00D84213

Strings

combase.dll, xrefs: 00D841DE
RoInitialize, xrefs: 00D841D2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 149444caea31f1588e3d76915f366ae17c07016adc60e6c17e01d8237b5ad1c6
Instruction ID: ad28c0adf21c32877cd0fff64f97b09f54f32c21da394f962e58f15e6c890624
Opcode Fuzzy Hash: 149444caea31f1588e3d76915f366ae17c07016adc60e6c17e01d8237b5ad1c6
Instruction Fuzzy Hash: 7AE012F0591745DEDB207B71EC4DB143594B760B02F518434F551E91E0D7B540AA8F24

Function 00D8429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D841B8), ref: 00D842B8
GetProcAddress.KERNEL32(00000000), ref: 00D842BF
EncodePointer.KERNEL32(00000000), ref: 00D842CA
DecodePointer.KERNEL32(00D841B8), ref: 00D842E5

Strings

combase.dll, xrefs: 00D842B3
RoUninitialize, xrefs: 00D842A7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 9b919d5578a5401f6cdfb1e8cc8560ea11fd910a63e2da9191f7e00fc6efe672
Instruction ID: a33555ab6edcc7eb7873b1a99de7760d925cb9a9f24838a1aafe64f42e3cd090
Opcode Fuzzy Hash: 9b919d5578a5401f6cdfb1e8cc8560ea11fd910a63e2da9191f7e00fc6efe672
Instruction Fuzzy Hash: 2FE0B6B8686745AFEB20AB61EC4DB153AA4B724742F158028F511E92E0CBB44559DB38

Function 00DC675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DC68AD
_memmove.LIBCMT ref: 00DC67E8

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

_memmove.LIBCMT ref: 00DC685B
_memmove.LIBCMT ref: 00DC6942
_memmove.LIBCMT ref: 00DC695B
_memmove.LIBCMT ref: 00DC6977

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 03b96fe320414c51c1165a25205fb8119775fc53f4435a157207cad85c62af19
Instruction ID: a3928ae6b372e5c1b9a9ca804bb4d17a99bdc7b52607680672fe395c8bb2eef0
Opcode Fuzzy Hash: 03b96fe320414c51c1165a25205fb8119775fc53f4435a157207cad85c62af19
Instruction Fuzzy Hash: F861793050065AABCF11EF64CC92FFE77A8EF04308F084519F95A5B292DA34E946CB71

Function 00DE046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DE0038,?,?), ref: 00DE10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DE0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DE0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00DE05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DE05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DE0617
RegCloseKey.ADVAPI32(00000000), ref: 00DE0624

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: d9ecc88ca14a1716d42f3ab07067f753a147573ac3aa4d8540a9ea25b5cc9d8f
Instruction ID: 637f66fca935d5ced9c07edd951bdbdfc30aef5e4f0c207400b2a40dd6fbd34f
Opcode Fuzzy Hash: d9ecc88ca14a1716d42f3ab07067f753a147573ac3aa4d8540a9ea25b5cc9d8f
Instruction Fuzzy Hash: D2514831208340AFCB14EB65D885E6EBBE8FF88314F04491DF5859B2A2DB71E945CB72

Function 00DBF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DBF3F7
VariantClear.OLEAUT32(00000013), ref: 00DBF469
VariantClear.OLEAUT32(00000000), ref: 00DBF4C4
_memmove.LIBCMT ref: 00DBF4EE
VariantClear.OLEAUT32(?), ref: 00DBF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DBF569

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: de4760cb8935fdecea635d540e809fcedfcbe20cfc88bdde39449edd7a22d3f6
Instruction ID: eb5d8fe6bf733cd8b542b7f2431191be25240cd806528f8e9ceb8f667d8bcea5
Opcode Fuzzy Hash: de4760cb8935fdecea635d540e809fcedfcbe20cfc88bdde39449edd7a22d3f6
Instruction Fuzzy Hash: 3E5168B5A00209EFCB20DF58D880EAAB7F8FF4C314B158569E95ADB340D730E911CBA0

Function 00DC26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DC2792
IsMenu.USER32(00000000), ref: 00DC27B2
CreatePopupMenu.USER32 ref: 00DC27E6
GetMenuItemCount.USER32(000000FF), ref: 00DC2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00DC2875

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a8540570d0d777d4b9f885d1aa7eb8d91e9dc58fe2245d78dd81be23d2cd4e51
Instruction ID: ce13c9091888d66c80095397ee9cf05d221564f0e9b52ff2e76a4acbbecf0dce
Opcode Fuzzy Hash: a8540570d0d777d4b9f885d1aa7eb8d91e9dc58fe2245d78dd81be23d2cd4e51
Instruction Fuzzy Hash: 42517770A0034AEBDB25DFA8D888FBEBBF5AF44314F18426DE8519B290D7708904CB71

Function 00D61765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00D6179A
GetWindowRect.USER32(?,?), ref: 00D617FE
ScreenToClient.USER32(?,?), ref: 00D6181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D6182C
EndPaint.USER32(?,?), ref: 00D61876

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: bbc5a7584f539e50b9b8c7f00e68ac3246993294db0d7a961289193bfcf8b5b8
Instruction ID: 41d632c9d7d53bdc47e4ccb82bce199b89eb8a9cbad74ee526de80aff3eee2f3
Opcode Fuzzy Hash: bbc5a7584f539e50b9b8c7f00e68ac3246993294db0d7a961289193bfcf8b5b8
Instruction Fuzzy Hash: DC41AC74100340AFDB21EF25DC85BBA7BE8EB49724F080629F995DB2A1C7709849DB71

Function 00DD73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00DD5134,?,?,00000000,00000001), ref: 00DD73BF

Part of subcall function 00DD3C94: GetWindowRect.USER32(?,?), ref: 00DD3CA7

GetDesktopWindow.USER32 ref: 00DD73E9
GetWindowRect.USER32(00000000), ref: 00DD73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00DD7422

Part of subcall function 00DC54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DC555E

GetCursorPos.USER32(?), ref: 00DD744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DD74AC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 6d594707654dec70927898e8c188b209818076686cb56ae0ce32dc23976d3b79
Instruction ID: bc5097a73d9fcc2a69edbc68e1eacbbc9738154b0f94c2de07006e650e7eccaf
Opcode Fuzzy Hash: 6d594707654dec70927898e8c188b209818076686cb56ae0ce32dc23976d3b79
Instruction Fuzzy Hash: 0931D472508346ABD720EF14D849F5BBBA9FF88314F00491AF588D7291D670E948CBA2

Function 00DB8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DB8608
Part of subcall function 00DB85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DB8612
Part of subcall function 00DB85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DB8621
Part of subcall function 00DB85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DB8628
Part of subcall function 00DB85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DB863E

GetLengthSid.ADVAPI32(?,00000000,00DB8977), ref: 00DB8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DB8DB8
HeapAlloc.KERNEL32(00000000), ref: 00DB8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00DB8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00DB8977), ref: 00DB8DEC
HeapFree.KERNEL32(00000000), ref: 00DB8DF3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2315d5b5c70ced50301803ac291fb78fa091e1d4699cafdf403affb21d05524c
Instruction ID: 1ca366d669e7dbde36ae9f856698cbbf6975f4ebd3f47f1f2bfa87c521c94854
Opcode Fuzzy Hash: 2315d5b5c70ced50301803ac291fb78fa091e1d4699cafdf403affb21d05524c
Instruction Fuzzy Hash: 45119D31500705EFDB109B64CC49BEE77ADEB55316F14402AE886D7290DB359900EB70

Function 00DB8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DB8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00DB8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00DB8B40
CloseHandle.KERNEL32(00000004), ref: 00DB8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DB8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00DB8B8E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b8c5a33803e7f6aca0de72c68007f0cbf11c22eda140afee1da39ee35c5826b1
Instruction ID: ff4fca1b77a5af6798ffc3e956578d8d2b71871903cde407ab039de750d7826d
Opcode Fuzzy Hash: b8c5a33803e7f6aca0de72c68007f0cbf11c22eda140afee1da39ee35c5826b1
Instruction Fuzzy Hash: EF114AB2501249EBDB019FA4ED49FDA7BADEF48304F084064FA05A6160C7719E61EB70

Function 00DEC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D6134D
Part of subcall function 00D612F3: SelectObject.GDI32(?,00000000), ref: 00D6135C
Part of subcall function 00D612F3: BeginPath.GDI32(?), ref: 00D61373
Part of subcall function 00D612F3: SelectObject.GDI32(?,00000000), ref: 00D6139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00DEC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00DEC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DEC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00DEC1F6
EndPath.GDI32(00000000), ref: 00DEC206
StrokePath.GDI32(00000000), ref: 00DEC216

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5a11893c648747a1f22d54687cb5bf1a97dd68d04e2d0927feb059edeb5d7ee5
Instruction ID: b0182c43ae3053219c032125482831998304ee4d3d6cefac1e1e60b1f8be5b93
Opcode Fuzzy Hash: 5a11893c648747a1f22d54687cb5bf1a97dd68d04e2d0927feb059edeb5d7ee5
Instruction Fuzzy Hash: 03111B7640024CFFDF11AF91DC88FAA7FADEB08354F048025BA189A2A1C7719E55DBB0

Function 00D803A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D803D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D803DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D803E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D803F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D803F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D80401

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 559052c12ed2dcb63aeb33b53ffccba72822ec5d8d1ebc32149156ad39394627
Instruction ID: 4288d540b486ef8e77742535c19bf700f2b6a00401594a8e5f6f6de17ec513dc
Opcode Fuzzy Hash: 559052c12ed2dcb63aeb33b53ffccba72822ec5d8d1ebc32149156ad39394627
Instruction Fuzzy Hash: ED016CB09017597DE3009F5A8C85B52FFA8FF19354F00411FA15C8BA41C7F5A864CBE5

Function 00DC568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DC569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DC56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00DC56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DC56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DC56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DC56E0

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 29e6d5402ef38255712ff795f23771c170fe7f6a2512f75005bda22fd6c65dca
Instruction ID: 90bf0cc252fc4249418994f2208423781361c6197df0804e98d7b4403b01cf1e
Opcode Fuzzy Hash: 29e6d5402ef38255712ff795f23771c170fe7f6a2512f75005bda22fd6c65dca
Instruction Fuzzy Hash: BFF03032241299BBE7216BA2EC4DEEF7B7CEFC6B11F00016DFA04D5190D7A12A0186B5

Function 00DC74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00DC74E5
EnterCriticalSection.KERNEL32(?,?,00D71044,?,?), ref: 00DC74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00D71044,?,?), ref: 00DC7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D71044,?,?), ref: 00DC7510

Part of subcall function 00DC6ED7: CloseHandle.KERNEL32(00000000,?,00DC751D,?,00D71044,?,?), ref: 00DC6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00DC7523
LeaveCriticalSection.KERNEL32(?,?,00D71044,?,?), ref: 00DC752A

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e0d3b45fac91ce108f3da4bfaba6f726caa5f72c3b630d91ab1bfaeea4318cb9
Instruction ID: 67672444a591cbb4d8307a0e3ec67f84f44ed26c497eebd9c32ac40929f6121a
Opcode Fuzzy Hash: e0d3b45fac91ce108f3da4bfaba6f726caa5f72c3b630d91ab1bfaeea4318cb9
Instruction Fuzzy Hash: A5F03A7A540752ABDB112B64EC88AEA772AEF45302B450536F242D91A0CB755901CA74

Function 00DB8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DB8E7F
UnloadUserProfile.USERENV(?,?), ref: 00DB8E8B
CloseHandle.KERNEL32(?), ref: 00DB8E94
CloseHandle.KERNEL32(?), ref: 00DB8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00DB8EA5
HeapFree.KERNEL32(00000000), ref: 00DB8EAC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cd897c66e5c094733ca84f6b1ccbc445a5a9be7b0e2f39121e32b95186cab40d
Instruction ID: 9c42a55ee32d88906e4f3e4aae06974493f03e15b4ec3b26c952cb8c2b2ddbd1
Opcode Fuzzy Hash: cd897c66e5c094733ca84f6b1ccbc445a5a9be7b0e2f39121e32b95186cab40d
Instruction Fuzzy Hash: B5E0C236004245FBDA012FE1EC4C90ABB69FB99322B508230F219C92B0CB32A461DB70

Function 00DD8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DD8928
CharUpperBuffW.USER32(?,?), ref: 00DD8A37
VariantClear.OLEAUT32(?), ref: 00DD8BAF

Part of subcall function 00DC7804: VariantInit.OLEAUT32(00000000), ref: 00DC7844
Part of subcall function 00DC7804: VariantCopy.OLEAUT32(00000000,?), ref: 00DC784D
Part of subcall function 00DC7804: VariantClear.OLEAUT32(00000000), ref: 00DC7859

Strings

Incorrect Parameter format, xrefs: 00DD8960, 00DD8B22
AUTOIT.ERROR, xrefs: 00DD8A3D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 981400260b40cde4f1a422d28d6cf264787a4a0e5982bd337f3dc23ad170f4f7
Instruction ID: 24d54211f94fcd74a9077d9fdeda21109f044e5949c07dd7148a632e06141ef2
Opcode Fuzzy Hash: 981400260b40cde4f1a422d28d6cf264787a4a0e5982bd337f3dc23ad170f4f7
Instruction Fuzzy Hash: 09917E71608301DFC710EF24C49596ABBE4EF89714F08896EF89A8B361DB31E945CB72

Function 00DC2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7FEC6: _wcscpy.LIBCMT ref: 00D7FEE9

_memset.LIBCMT ref: 00DC3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DC30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DC3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DC3187

Strings

0, xrefs: 00DC3063

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 77ba718d7f9f986d41e46c652609f93870e763e42586f2638c6675d7e54b4c29
Instruction ID: 2fe2f1bf0bfecaaaec8d307d1c24326ce659b44449102a7d20676e9a79eb49c7
Opcode Fuzzy Hash: 77ba718d7f9f986d41e46c652609f93870e763e42586f2638c6675d7e54b4c29
Instruction Fuzzy Hash: CB51A1716083029ED725AF28D845F6B77E4EF55320F0C8A2DF895D3191DB70CA4597B2

Function 00DE9A63 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(008DE4F8,?), ref: 00DE9AD2
ScreenToClient.USER32(00000002,00000002), ref: 00DE9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00DE9B72

Strings

@U=u, xrefs: 00DE9BCD

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 57c1499be5afdf3c86d50c8c3e345a478e01af31470b8e225be7eff7525242f7
Instruction ID: 37284010f212ff942f218ecba1e72b780a9e088585f633e69f14431e17e2ed9f
Opcode Fuzzy Hash: 57c1499be5afdf3c86d50c8c3e345a478e01af31470b8e225be7eff7525242f7
Instruction Fuzzy Hash: FB515234A01289EFCF24EF69D8D19AEBBB5FF54320F148269F8159B290D730AD41CB60

Function 00DBDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DBDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DBDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DBDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DBDB8E

Strings

DllGetClassObject, xrefs: 00DBDB01

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f03f6bd153c5484880eb9071f497a24ba0a46ea2b5e81c536f0826cdfccdb569
Instruction ID: 803d9f6cedd475faed4fb673cbb0cbdfce875ff0d6e6477513f905a7f8c44bcf
Opcode Fuzzy Hash: f03f6bd153c5484880eb9071f497a24ba0a46ea2b5e81c536f0826cdfccdb569
Instruction Fuzzy Hash: AE4151B1600708DFDB15CF54C884ADA7BBAEF48350F1580A9AD0ADF205E7B5D944CBB4

Function 00DC2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DC2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00DC2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E26890,00000000), ref: 00DC2D5A

Strings

0, xrefs: 00DC2CA4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f5abe12e61b1eeba19e3acd5ed153da5fb6b37b714f9f0f3913bac7e96981a43
Instruction ID: 89c7e76f72eb2d3f4f5cf28e2aa30a8ac8b44f63c291dc244117c3ecdb5b2c09
Opcode Fuzzy Hash: f5abe12e61b1eeba19e3acd5ed153da5fb6b37b714f9f0f3913bac7e96981a43
Instruction Fuzzy Hash: 9C4181702043429FD720DF24C885F6AB7E8EF95320F18466DF9A697291D770E904CBB2

Function 00DE8AC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DE8B4D

Strings

@U=u, xrefs: 00DE8B9C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 6c1755e66c5c55e1fd994a2ecea634c9843cb8766b0cb04374da1b664d2727df
Instruction ID: e82a9e6db7a67835ec5680e01184f9f1fe87adc2614789904a4b596716cc36e7
Opcode Fuzzy Hash: 6c1755e66c5c55e1fd994a2ecea634c9843cb8766b0cb04374da1b664d2727df
Instruction Fuzzy Hash: 5C31B474600384BFEB24BB1ACC85FAD37A5EB05310F284616FA59D62E0CE31E940A771

Function 00DDDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DDDAD9

Part of subcall function 00D679AB: _memmove.LIBCMT ref: 00D679F9

Strings

stdcall, xrefs: 00DDDB5B
cdecl, xrefs: 00DDDB30
winapi, xrefs: 00DDDB4A
none, xrefs: 00DDDBB4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 117368c4f20166c7886721dde2bc5fe2a787c85626f26e37caff17f16921c5c4
Instruction ID: 4447bccb5db78196fa4914252b86765a4ad65f87608ec0cd2f507baaa4aefe83
Opcode Fuzzy Hash: 117368c4f20166c7886721dde2bc5fe2a787c85626f26e37caff17f16921c5c4
Instruction Fuzzy Hash: 9831A370600619EFCF10EF54CC919EEB7B5FF45314B11862AE865AB791CB31A905CBB0

Function 00DE6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D61D73
Part of subcall function 00D61D35: GetStockObject.GDI32(00000011), ref: 00D61D87
Part of subcall function 00D61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D61D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DE66D0
LoadLibraryW.KERNEL32(?), ref: 00DE66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DE66EC
DestroyWindow.USER32(?), ref: 00DE66F4

Strings

SysAnimate32, xrefs: 00DE66AB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b851d67c742a4b0e88643ba8a09e1b531d2b608d585fea46e2e7996862589490
Instruction ID: 77617d39aa858164fd877e2cc88c608a661b69458136abf428488aa8a6c3d98b
Opcode Fuzzy Hash: b851d67c742a4b0e88643ba8a09e1b531d2b608d585fea46e2e7996862589490
Instruction Fuzzy Hash: 0C21CD71210286AFEF106F76EC80EBB37ADEB693A8F180629FA10D6190C771CC419770

Function 00DC703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00DC705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DC7091
GetStdHandle.KERNEL32(0000000C), ref: 00DC70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00DC70DD

Strings

nul, xrefs: 00DC70D8

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e50b469452d4819f6340402a294cb842f3c0893eaa079e164842796145048a6d
Instruction ID: 26cc0be4b504a1bffa3aff1c94463e6b026184671e136ce92c96a76025c5fb97
Opcode Fuzzy Hash: e50b469452d4819f6340402a294cb842f3c0893eaa079e164842796145048a6d
Instruction Fuzzy Hash: E2214C7450430AABDB209F69D845F9A7BB8BF44720F248A2DFDA1D72D0EB7098509F71

Function 00DC710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DC712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DC715D
GetStdHandle.KERNEL32(000000F6), ref: 00DC716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00DC71A8

Strings

nul, xrefs: 00DC71A3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5a74fc0cd3dad26e58a8f8d4ae9d3b01b2c7a8cb03284828e9e58909fc604968
Instruction ID: 1880d4cf9368c453576ac73c4c82b6362e82ac002d3848bea081db9ac862816c
Opcode Fuzzy Hash: 5a74fc0cd3dad26e58a8f8d4ae9d3b01b2c7a8cb03284828e9e58909fc604968
Instruction Fuzzy Hash: A321AF7560430BABDB209F689C44FAAB7A8AF55720F280A1DFDA0D72D0DB7098418F70

Function 00DCAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DCAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DCAF13
__swprintf.LIBCMT ref: 00DCAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00DEF910), ref: 00DCAF6A

Strings

%lu, xrefs: 00DCAF26

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 6d7e92975aca41012fc9ad37e449470dda2cfa9799a69132c487f3d84f066ae1
Instruction ID: 71934b535758a2e1c2dadf28d32639eba7990b66e6f77476879e3adafe96823e
Opcode Fuzzy Hash: 6d7e92975aca41012fc9ad37e449470dda2cfa9799a69132c487f3d84f066ae1
Instruction Fuzzy Hash: F7214435A00249AFCB10EF65CD85EEEB7B8EF49704B144069F509EB251DB31EA45CB71

Function 00DBA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

Part of subcall function 00DBA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DBA399
Part of subcall function 00DBA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DBA3AC
Part of subcall function 00DBA37C: GetCurrentThreadId.KERNEL32 ref: 00DBA3B3
Part of subcall function 00DBA37C: AttachThreadInput.USER32(00000000), ref: 00DBA3BA

GetFocus.USER32 ref: 00DBA554

Part of subcall function 00DBA3C5: GetParent.USER32(?), ref: 00DBA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00DBA59D
EnumChildWindows.USER32(?,00DBA615), ref: 00DBA5C5
__swprintf.LIBCMT ref: 00DBA5DF

Strings

%s%d, xrefs: 00DBA5D9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: f93ed5a14c55b9385825d24667b9741486406ce2208f5fdf2c573caeb70cfb56
Instruction ID: 3dcc0ca86f0649b551af8fd3cf5f988725830aaea6058101d4dce524e478b897
Opcode Fuzzy Hash: f93ed5a14c55b9385825d24667b9741486406ce2208f5fdf2c573caeb70cfb56
Instruction Fuzzy Hash: E5118471600309FBDF11BFA8DC85FEA37B8DF49700F044079BA19AA152DA7099458B75

Function 00DC2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DC2048

Strings

KEYS, xrefs: 00DC205F
EXISTS, xrefs: 00DC2070
APPEND, xrefs: 00DC2081
REMOVE, xrefs: 00DC204E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 21cf55a30a70e2306018b2ba988a61066245cc8b3757c516cad4c00ee78b3998
Instruction ID: d2f034596618a21b03605061274a675f9fa37026f771c33ebaa53f9cf240953e
Opcode Fuzzy Hash: 21cf55a30a70e2306018b2ba988a61066245cc8b3757c516cad4c00ee78b3998
Instruction Fuzzy Hash: 12117970A0110A9FCF00EFA4D8819FEB7B4FF15304B548469D851AB252EB32690ADB70

Function 00DDEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DDEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DDEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00DDF07E
CloseHandle.KERNEL32(?), ref: 00DDF0FF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f8cd891a1e4b6e2879fb42c3fdaa5aee4a0758c12c2b8ecd392b9031faa36212
Instruction ID: 8334fe227409d9afb6f2c2a6391d691be8d8931474358af3d23d8a92b963f22f
Opcode Fuzzy Hash: f8cd891a1e4b6e2879fb42c3fdaa5aee4a0758c12c2b8ecd392b9031faa36212
Instruction Fuzzy Hash: 858140B16443019FD720EF28C896B6AB7E9EF48710F14891DF59ADB392DB71AC408B71

Function 00DE02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DE0038,?,?), ref: 00DE10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DE0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DE03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DE040E
RegCloseKey.ADVAPI32(?,?), ref: 00DE043A
RegCloseKey.ADVAPI32(00000000), ref: 00DE0447

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: cb8f8ed3a9d5cd939803b42d868b3a695c914995e33ba49b0dd1bdd3539e2a49
Instruction ID: 7aa5a98d4d9a75c7d2dcffc63faed2899fe8fe52955a1c053c55ce03957dbf8e
Opcode Fuzzy Hash: cb8f8ed3a9d5cd939803b42d868b3a695c914995e33ba49b0dd1bdd3539e2a49
Instruction Fuzzy Hash: 0F513B31208244AFD704EF65D891F6EBBE8FF84304F44892DB59587292DB70E945CB72

Function 00DCE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DCE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00DCE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DCE8F2

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DCE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DCE91F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: cfcd7604ce0d7e925da4a28c22f491c9a8dae2f66ca111c97f5e22870b9728ea
Instruction ID: 396e23691e2e51d8fa71def6cddf621b6593d3aa34b792c16ef8bde722f19524
Opcode Fuzzy Hash: cfcd7604ce0d7e925da4a28c22f491c9a8dae2f66ca111c97f5e22870b9728ea
Instruction Fuzzy Hash: 9F51FA75A00205DFCB01EF64C991AADBBF5EF48310B188099E949AB361CB31ED51DF71

Function 00D62344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D62357
ScreenToClient.USER32(00E267B0,?), ref: 00D62374
GetAsyncKeyState.USER32(00000001), ref: 00D62399
GetAsyncKeyState.USER32(00000002), ref: 00D623A7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9a49d2e24c4f2bdeb924ad997315485ee3fb9b2fe47728a49166303a6ab5156f
Instruction ID: e7550031c7c0e27876a011b736ac4c814550e43228c2170aa2f1dac56cd97fdf
Opcode Fuzzy Hash: 9a49d2e24c4f2bdeb924ad997315485ee3fb9b2fe47728a49166303a6ab5156f
Instruction Fuzzy Hash: 1141C231504259FBDF159FA8C844AFDBB74FB05364F24436AF86896290C7319950DFB1

Function 00DB6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DB695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00DB69A9
TranslateMessage.USER32(?), ref: 00DB69D2
DispatchMessageW.USER32(?), ref: 00DB69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DB69EB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: fc73f4c7569c6dcfe4d4cbc0b218b912dff86ae0398bab5025ae70854f71665b
Instruction ID: 035ad32cfa3f1e92a3b9c5ea1c39efb836a11deb63c2c3f23bb3a2ba545aef14
Opcode Fuzzy Hash: fc73f4c7569c6dcfe4d4cbc0b218b912dff86ae0398bab5025ae70854f71665b
Instruction Fuzzy Hash: DA31B031900246EFDF209F759C84BF67BA8AB01704F184269E422E61A1D738D88ADBB0

Function 00DB8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DB8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00DB8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00DB8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00DB8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00DB8FDA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cccf5b61e8e07aa3251617da09220fa13bfcc967805c2ba3c5e107749d24fa7e
Instruction ID: 1ecba34f9de5235d1b61fedd61b930f0e2c6ff9bc8443b5f612403d25e46fa41
Opcode Fuzzy Hash: cccf5b61e8e07aa3251617da09220fa13bfcc967805c2ba3c5e107749d24fa7e
Instruction Fuzzy Hash: 4531D171500219EBDF00CF68D948AEE7BBAEF48315F104229F925EB2D0C770D914DB60

Function 00DEB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

GetWindowLongW.USER32(?,000000F0), ref: 00DEB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00DEB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DEB489
GetSystemMetrics.USER32(00000004), ref: 00DEB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00DD1184,00000000), ref: 00DEB4D0

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: fee8dcddfa16f3841af9d0a145596700204e224630930b2290c2074fa09f8da8
Instruction ID: aaa7010897052950aa1eb3ce7873beabab88e3c235b7c1da40ed4057de0844ca
Opcode Fuzzy Hash: fee8dcddfa16f3841af9d0a145596700204e224630930b2290c2074fa09f8da8
Instruction Fuzzy Hash: 8121D631510295AFCB24AF3ADC44A6B37A4FB05734F18473AF926D72E1E730A810DB60

Function 00D612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D6134D
SelectObject.GDI32(?,00000000), ref: 00D6135C
BeginPath.GDI32(?), ref: 00D61373
SelectObject.GDI32(?,00000000), ref: 00D6139C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0c212145e38b3f60b79857ec27b73f11f43ed74053a9a041f2fac6ba9df8cc38
Instruction ID: 08cd9d03d9dc2c59c449627700ee8a6abc5e18899ff8acd505d4d88fc4aef685
Opcode Fuzzy Hash: 0c212145e38b3f60b79857ec27b73f11f43ed74053a9a041f2fac6ba9df8cc38
Instruction Fuzzy Hash: 24219874800304DFDB299F66ED457697BF8FB00321F184326F411AA2A0D371999ADFB0

Function 00DBC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00DBC176
_memcmp.LIBCMT ref: 00DBC194
_memcmp.LIBCMT ref: 00DBC1A7
_memcmp.LIBCMT ref: 00DBC1BF
_memcmp.LIBCMT ref: 00DBC1D7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ce2f2c91f605fa63f8530d41e63209df9f3ff090673502aac90f6a7f0c4dcd9c
Instruction ID: ad2d9c5840dd4ba57e2038f1e0a1ced264ef1b538f4d9ae7fb66627a8f64370d
Opcode Fuzzy Hash: ce2f2c91f605fa63f8530d41e63209df9f3ff090673502aac90f6a7f0c4dcd9c
Instruction Fuzzy Hash: F20192B161530ABBE214B7295C42EFB635CEF213D4B488021FE46B6283F650DE1A82F1

Function 00DC4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DC4D5C
__beginthreadex.LIBCMT ref: 00DC4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00DC4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DC4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DC4DAC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ec82c2f798147cf26159e1361ce02d465c61c4bcc60651e1ffde64cddad66afb
Instruction ID: 4222508761647e5e6bc3704c9a20aa6c5d1c7d975b51f7afa86e53df67d8651b
Opcode Fuzzy Hash: ec82c2f798147cf26159e1361ce02d465c61c4bcc60651e1ffde64cddad66afb
Instruction Fuzzy Hash: 2611E572904349BFC711ABA89C44F9B7BACEB45320F144369F916D73A0D6718D4487B0

Function 00DB874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DB8766
GetLastError.KERNEL32(?,00DB822A,?,?,?), ref: 00DB8770
GetProcessHeap.KERNEL32(00000008,?,?,00DB822A,?,?,?), ref: 00DB877F
HeapAlloc.KERNEL32(00000000,?,00DB822A,?,?,?), ref: 00DB8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DB879D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 54ed75d4ff8f8852cfb3ffd68cd81eb13c21d23e93ae34010c0a681d5ecb6b3b
Instruction ID: baa87b4516a6c48cdd5700de3dc7fbbecd2e98d1f24f129353574b0f1c775cb2
Opcode Fuzzy Hash: 54ed75d4ff8f8852cfb3ffd68cd81eb13c21d23e93ae34010c0a681d5ecb6b3b
Instruction Fuzzy Hash: 22014B71200348EFDB205FA6DC88DAB7BACEF8A3597200429F84AC6260DA318C00DA70

Function 00DC54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DC5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DC5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DC5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DC5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DC555E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: abacabc670eda49336c0940f7dc34ba574bca8cad19fb118423e66a46052529e
Instruction ID: ada3cec1f047ca17f149ce3df065831806711c4e48f841863e337ab4bfccbd31
Opcode Fuzzy Hash: abacabc670eda49336c0940f7dc34ba574bca8cad19fb118423e66a46052529e
Instruction Fuzzy Hash: CC013935D14A1EDBCF00AFE9E888AEDBB78BB09711F44005AE941F6244DB30A59487B1

Function 00DB7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?,?,?,00DB799D), ref: 00DB766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?,?), ref: 00DB768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?,?), ref: 00DB7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?), ref: 00DB76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DB758C,80070057,?,?), ref: 00DB76B4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 03d310ccfb710df263e1173f47a10d73ae4eb6498f5503be3fb3da432965fbd0
Instruction ID: 90648fe5eac32db02355b944b5f65fb67b11c94b773bebf3d54c3a5c0ee901a9
Opcode Fuzzy Hash: 03d310ccfb710df263e1173f47a10d73ae4eb6498f5503be3fb3da432965fbd0
Instruction Fuzzy Hash: 870171B2601704EBDB115F58DC84AAA7BADEB84751F144028FD05D6321E731DE409BB0

Function 00DB85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DB8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DB8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DB8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DB8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DB863E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0a222aabc0139c56caad2ed2e0b24050b6ab3a157bb116f4e8e4eff2cd432d33
Instruction ID: f1fa65ce832ca886846669e0af9df3c5c16c0e573e0ce18691382b5e06e3fd6c
Opcode Fuzzy Hash: 0a222aabc0139c56caad2ed2e0b24050b6ab3a157bb116f4e8e4eff2cd432d33
Instruction Fuzzy Hash: 5AF04431201344EFD7101FA5DCC9FAB3BACEF86B54B484425F545C6250CB619C41DA70

Function 00DB8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DB8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DB8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB869F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b2d8a052137234349d816d57305e245cdf2d0f86fdc72a8c84452ff196f2dec
Instruction ID: 8045ddf3d748397113a1903fefe669cac7235b0b4ee3c0d5677c5a050fa8e80f
Opcode Fuzzy Hash: 1b2d8a052137234349d816d57305e245cdf2d0f86fdc72a8c84452ff196f2dec
Instruction Fuzzy Hash: C1F06871200344EFD7112F65DCC9EA73BACEF85754B140025F545C6260DB71DD41DA70

Function 00DBC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00DBC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00DBC6D1
MessageBeep.USER32(00000000), ref: 00DBC6E9
KillTimer.USER32(?,0000040A), ref: 00DBC705
EndDialog.USER32(?,00000001), ref: 00DBC71F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b976901b5bd02213b131745c307fa015f18432200a503b189e66f98b611f125d
Instruction ID: 58ed314f7b4a9cd3091d023e4569eb25b89f0ae9974cb46b73bddb9b4996b984
Opcode Fuzzy Hash: b976901b5bd02213b131745c307fa015f18432200a503b189e66f98b611f125d
Instruction Fuzzy Hash: FE014B30510708ABEB21AB20DD8EFA677B8FB00705F04166DB686E55E1DBE0A9548EA0

Function 00D613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00D613BF
StrokeAndFillPath.GDI32(?,?,00D9BAD8,00000000,?), ref: 00D613DB
SelectObject.GDI32(?,00000000), ref: 00D613EE
DeleteObject.GDI32 ref: 00D61401
StrokePath.GDI32(?), ref: 00D6141C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2d535cd904e57046869764af55b393092667af2768239db9717c9fade4d5d13f
Instruction ID: 857f5ae2b172ade3aef85b057bdd76697a94a483aa6f07a6db15d9a0b3d9ec23
Opcode Fuzzy Hash: 2d535cd904e57046869764af55b393092667af2768239db9717c9fade4d5d13f
Instruction Fuzzy Hash: C6F0C934004348EFDB296F26EC4D7683BA5A701326F08C325E469991F1C731999ADF60

Function 00DCC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DCC69D
CoCreateInstance.OLE32(00DF2D6C,00000000,00000001,00DF2BDC,?), ref: 00DCC6B5

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

CoUninitialize.OLE32 ref: 00DCC922

Strings

.lnk, xrefs: 00DCC631, 00DCC659, 00DCC663

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 3bafe91165f31164aa3548a7ae860c388afc67b89782ad3f75893cb85a9164bc
Instruction ID: 276010934462d494dcbfddf63144c4619cca24dc7289e940afcb367fbae3c118
Opcode Fuzzy Hash: 3bafe91165f31164aa3548a7ae860c388afc67b89782ad3f75893cb85a9164bc
Instruction Fuzzy Hash: ADA12B71108205AFD700EF54C891EABB7ECEF98714F04495DF1969B2A2DB70EA49CB72

Function 00D72E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00D80FF6: std::exception::exception.LIBCMT ref: 00D8102C
Part of subcall function 00D80FF6: __CxxThrowException@8.LIBCMT ref: 00D81041

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00D67BB1: _memmove.LIBCMT ref: 00D67C0B

__swprintf.LIBCMT ref: 00D7302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D72EC6

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: cdbe9149de2b126b884cb320559dcd014bdadd904f0d7a9a0a8578e01f223526
Instruction ID: 41891a49f0bb346fb1dcc5431d902e72983315994d8cad0a35bf8ff2dd13684a
Opcode Fuzzy Hash: cdbe9149de2b126b884cb320559dcd014bdadd904f0d7a9a0a8578e01f223526
Instruction Fuzzy Hash: 2B915C711083059FC728EF28D895C6EB7A8EF95750F08491DF496972A1EA70EE44CB72

Function 00D8524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D852DD

Part of subcall function 00D90340: __87except.LIBCMT ref: 00D9037B

Strings

pow, xrefs: 00D852B5, 00D852D2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ede74e7907fe2ce374179df9b3b22c30d2099c53dc9fd15d2e7054a8ddfd9ab5
Instruction ID: aae41a50127a818fe9e971ba128c6b1b9528973112ebef7712c4f8404b6533c8
Opcode Fuzzy Hash: ede74e7907fe2ce374179df9b3b22c30d2099c53dc9fd15d2e7054a8ddfd9ab5
Instruction Fuzzy Hash: AD512821A0DA019BCF11B728F9413BA2F94DB40750F288968E5D5862EDEE74CCD4DBB6

Function 00D8023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00D80277
#, xrefs: 00D80280

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 553613149baeba17cc7b2cec01f0657f767e4a5093bbd90f1336377a943ef8a4
Instruction ID: 565670769af44b03d63b86a186fcb80377c9fd80566d9c1c68006987ea521cd9
Opcode Fuzzy Hash: 553613149baeba17cc7b2cec01f0657f767e4a5093bbd90f1336377a943ef8a4
Instruction Fuzzy Hash: 01512175104646CFDF25EF28E488BFA7BA4EF2A310F184155E8929B2A4D7349C86CB70

Function 00D762F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D763A8
_memmove.LIBCMT ref: 00D76446
_memset.LIBCMT ref: 00D7646A

Strings

ERCP, xrefs: 00D76313

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 59fe95ffc63942ce652e93abfd5be189ede9d0025493b42d84826f1040fcf5d3
Instruction ID: 09e167ec2360d56a3213548830d1ef68afa34fa7d4bedc25997dac0206aff8a9
Opcode Fuzzy Hash: 59fe95ffc63942ce652e93abfd5be189ede9d0025493b42d84826f1040fcf5d3
Instruction Fuzzy Hash: C651AD719047099BCB248F65C8817AABBE8EF04314F28856EE54EDA241F771D584CB60

Function 00DE7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00DE76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00DE76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DE7708

Strings

SysMonthCal32, xrefs: 00DE769B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 1dc4ed51f0e98fbd2dec62357e6ab6a69a62d7c7bb9838c52a42e008223ef7a2
Instruction ID: 710ad965779b1e6a12811edd09358de2fe7b5c1a2daca0e65fef664a6557a224
Opcode Fuzzy Hash: 1dc4ed51f0e98fbd2dec62357e6ab6a69a62d7c7bb9838c52a42e008223ef7a2
Instruction Fuzzy Hash: 8121A132500259BBDF11EF65CC86FEA3B69EF48724F150218FE15AB1D0D6B1A8918BB0

Function 00DE6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DE6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DE6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DE6FDF

Strings

Listbox, xrefs: 00DE6F77

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 41498ad70c1039ad337e54423fa5fe6f5afbda0974a4750cfbe07cd0874dab1c
Instruction ID: 55aa217a08e572bc0adee42fcd62df4b9bfbea12e8d9d6109d13c0ffb8b6f207
Opcode Fuzzy Hash: 41498ad70c1039ad337e54423fa5fe6f5afbda0974a4750cfbe07cd0874dab1c
Instruction Fuzzy Hash: 6721C232610158BFDF11AF55DC85FAB3BAAEF997A0F058124F9049B190CA71EC518BB0

Function 00DB912D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00DB914F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DB9166
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00DB919E

Strings

@U=u, xrefs: 00DB919E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c3afc1de2f30da501c51f10188c81fe557fd52421589da5b5a27480a0685f856
Instruction ID: 099d7808bb07d205ad5d67fae0b3c63baf402d1a7db1148047560959ed372214
Opcode Fuzzy Hash: c3afc1de2f30da501c51f10188c81fe557fd52421589da5b5a27480a0685f856
Instruction Fuzzy Hash: 4C218371900249FBDB10DB6DDC459EEF7BDEF44390F11045AE605E7290DA71A9449B70

Function 00DD60EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00DD613B
SendMessageW.USER32(0000000C,00000000,?), ref: 00DD617C
SendMessageW.USER32(0000000C,00000000,?), ref: 00DD61A4

Strings

@U=u, xrefs: 00DD613B, 00DD617C, 00DD61A4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a6b5b89f72b41bc15b58587877e987b7b521fc42e2328567a212cb6b4f779d28
Instruction ID: f3ca0937058e7b896f4e0d986ec5f5d42b4185f2342e5b5114af0bb0df46a893
Opcode Fuzzy Hash: a6b5b89f72b41bc15b58587877e987b7b521fc42e2328567a212cb6b4f779d28
Instruction Fuzzy Hash: CC210635201601EFDB20AB24DD95D2AB7EAFB49310B058559F9099B772CB31FC51CBA0

Function 00DE797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DE79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DE79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DE7A03

Strings

msctls_trackbar32, xrefs: 00DE79B8

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c2f1c532e20fc985240f9ecd68b295b32b2001c4621ee03c83ea768e03bf9981
Instruction ID: e09461439ae9963f6034118957070ef6efc8e3188ef4b78bd6e960e66dc8d418
Opcode Fuzzy Hash: c2f1c532e20fc985240f9ecd68b295b32b2001c4621ee03c83ea768e03bf9981
Instruction Fuzzy Hash: AA11E372244288BBEF20AF61CC45FEB37A9EF89764F050629FA45A6091D271E851DB70

Function 00DE6B8F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00DE6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DE6C20

Strings

@U=u, xrefs: 00DE6C20
edit, xrefs: 00DE6BF5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 1e29e5ad65968dabff17ae7fbb83c6991d38fef1370f8fac428d8750bab67bda
Instruction ID: 80b4e6ae376d15244f013140e0dfeb255bc4026d12f9da43d84c2fe221ef7036
Opcode Fuzzy Hash: 1e29e5ad65968dabff17ae7fbb83c6991d38fef1370f8fac428d8750bab67bda
Instruction Fuzzy Hash: D911BC71100288AFEB10AF65DC81AEB3B69EB243B8F244724F9A1D71E0C731DC919B70

Function 00DB92E7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DBB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DB9355

Strings

ListBox, xrefs: 00DB931F
@U=u, xrefs: 00DB9355
ComboBox, xrefs: 00DB92F4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: cbef73d81d411f3f0b0db77a5e2566f012ebba8e99d7d200bfa9c7f3f860f0c7
Instruction ID: ffbf05dfb93a78517591f7ce87c62d2e25b73324cc7b4f2202e5818f0d9931de
Opcode Fuzzy Hash: cbef73d81d411f3f0b0db77a5e2566f012ebba8e99d7d200bfa9c7f3f860f0c7
Instruction Fuzzy Hash: 93019E71A45218AB8B04FBA4CCA1CFEB7A9FF06320B140619B973673D2DA3169088670

Function 00DB91DF Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DBB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00DB924D

Strings

ListBox, xrefs: 00DB9217
@U=u, xrefs: 00DB924D
ComboBox, xrefs: 00DB91EC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 5ae7fdddbb64c0211f3652e5b99f7d348eaabd02b811b7e41457b60ae8d35f99
Instruction ID: 51fdde69797630ac42ed60e3a55d8b617568bcf4dd40bf05544e3f5e61a91e83
Opcode Fuzzy Hash: 5ae7fdddbb64c0211f3652e5b99f7d348eaabd02b811b7e41457b60ae8d35f99
Instruction Fuzzy Hash: C5018471E41208BBCB04EBA0C9A2EFFB7A9DF05310F540019BA53672D2EA116F189671

Function 00DB9264 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D67F41: _memmove.LIBCMT ref: 00D67F82

Part of subcall function 00DBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DBB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00DB92D0

Strings

ListBox, xrefs: 00DB929C
@U=u, xrefs: 00DB92D0
ComboBox, xrefs: 00DB9271

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: be8a665a5e6e6a20d88b360c280ab1ef1591f078657972182e1a9a14a5958c1e
Instruction ID: c305ec8043f64cbf4918d906d4a3490c1e5e9ea106a507278ad3956ac2f546d2
Opcode Fuzzy Hash: be8a665a5e6e6a20d88b360c280ab1ef1591f078657972182e1a9a14a5958c1e
Instruction Fuzzy Hash: 39018F71E81208B7CB04EBA0C9A2EFEB7A8DF11310F640115B95273282DA219E089275

Function 00DEAF89 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00E267B0,00DEDB17,000000FC,?,00000000,00000000,?,?,?,00D9BBB9,?,?,?,?,?), ref: 00DEAF8B
GetFocus.USER32 ref: 00DEAF93

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

Part of subcall function 00D625DB: GetWindowLongW.USER32(?,000000EB), ref: 00D625EC

SendMessageW.USER32(008DE4F8,000000B0,000001BC,000001C0), ref: 00DEB005

Strings

@U=u, xrefs: 00DEB005

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: f2d644306cc2a63b94d51f6e3ebd81f416ec50b577a2d4918570e672a3c0d988
Instruction ID: e2d86b1b5ad6c15299c816bcc65147657b15d231779c8db530f7e8706deee8c3
Opcode Fuzzy Hash: f2d644306cc2a63b94d51f6e3ebd81f416ec50b577a2d4918570e672a3c0d988
Instruction Fuzzy Hash: 8E0156312016909FC725AB29D8D4A6777E5EB8A324B18066DE426D73A1CB317C47CB60

Function 00D761C3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D761B1

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00D761DF
GetParent.USER32(?), ref: 00DB111F
InvalidateRect.USER32(00000000,?,00D73BAF,?,00000000,00000001), ref: 00DB1126

Strings

@U=u, xrefs: 00D761DF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: 8d5b2eaca76736600122f0e544661fd955a936d6556ee2c54b45e4bed263dfe5
Instruction ID: 81ca0aea510526725c8a2be7547a20959f8eb0e2a1258c34ae9c9356f8987992
Opcode Fuzzy Hash: 8d5b2eaca76736600122f0e544661fd955a936d6556ee2c54b45e4bed263dfe5
Instruction Fuzzy Hash: D9F0A035101384FBEF202F60DC4DFD17B68AB15340F649439F9859A1A2E6A2D850AB70

Function 00D64C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D64C2E), ref: 00D64CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D64CB5

Strings

kernel32.dll, xrefs: 00D64C9E
GetNativeSystemInfo, xrefs: 00D64CAF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 8ad0dda2cf756ef46b9bdb101d78bde56595f162b66f1aab0eddbd17df346506
Instruction ID: 16da972c888a84c0beee1af7d73df96b7204c714d7a2ebf0a3122d3ec955493e
Opcode Fuzzy Hash: 8ad0dda2cf756ef46b9bdb101d78bde56595f162b66f1aab0eddbd17df346506
Instruction Fuzzy Hash: 69D05E31910B67CFD720AF32DE5860676E5AF05791B16C87ED886DA350EB70D880CA70

Function 00D64D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D64CE1,?), ref: 00D64DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D64DB4

Strings

kernel32.dll, xrefs: 00D64D9D
Wow64RevertWow64FsRedirection, xrefs: 00D64DAE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: da81c175b4880616bb07e15dbff78d6632a558a6dae4aa009888ea26c539d093
Instruction ID: 9645f0bd4efc1d3d38efe18918a3b241427ec8ea2496f931bc5d95274e79af01
Opcode Fuzzy Hash: da81c175b4880616bb07e15dbff78d6632a558a6dae4aa009888ea26c539d093
Instruction Fuzzy Hash: C2D05E71950B13CFD720AF31D848A8676E4AF09765B15C83ED8C6DA250EB70D8C0CA70

Function 00D64D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D64D2E,?,00D64F4F,?,00E262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D64D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D64D81

Strings

kernel32.dll, xrefs: 00D64D6A
Wow64DisableWow64FsRedirection, xrefs: 00D64D7B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: fda8ede67f70790eab81e1b6b1d335a929be98ee803bf9be94996578c743268c
Instruction ID: a9981a1af608cf3b0bf557f4ae893e9030356246444afcf0172c6f333f7f49fd
Opcode Fuzzy Hash: fda8ede67f70790eab81e1b6b1d335a929be98ee803bf9be94996578c743268c
Instruction Fuzzy Hash: 29D01731910B53CFD720AF31D84865676E8AF15792B19C83E9486DA290E670D880CE70

Function 00DE1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00DE12C1), ref: 00DE1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DE1092

Strings

RegDeleteKeyExW, xrefs: 00DE108C
advapi32.dll, xrefs: 00DE107B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a0b877d5902becb98b7650b8d3c37d785d78c605eb3d354c2f905e9cb7681a78
Instruction ID: 6abd8ae333f734affbfee243363e8f904a1b106cbc2fea3b025a22484e56c922
Opcode Fuzzy Hash: a0b877d5902becb98b7650b8d3c37d785d78c605eb3d354c2f905e9cb7681a78
Instruction Fuzzy Hash: 78D01235510752CFD7206F35D85865676E4AF45351B158C3DA489DA260D7B0C4C0C660

Function 00DD93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00DD9009,?,00DEF910), ref: 00DD9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00DD9415

Strings

GetModuleHandleExW, xrefs: 00DD940F
kernel32.dll, xrefs: 00DD93FE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 072631e11a15592cd225ffc7fd831cae0d05c0891d8f834f6968cd1a6976e53f
Instruction ID: 59f200411160e2130fde6312d38018bce00b90b61b4e180923264193b9e89907
Opcode Fuzzy Hash: 072631e11a15592cd225ffc7fd831cae0d05c0891d8f834f6968cd1a6976e53f
Instruction Fuzzy Hash: 87D01775610B57CFD720AF31D958647B6E5AF05351B19C83EA486EA651E670C880CA70

Function 00DB76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07eab9a2a3aff4b233273e9e88283ca2ec1a0510aa6301795e4b2625982345e9
Instruction ID: 5263f7cd0a578a2d411ba49c041a6eb32fcff10da835e9c9999d01e924bacfa6
Opcode Fuzzy Hash: 07eab9a2a3aff4b233273e9e88283ca2ec1a0510aa6301795e4b2625982345e9
Instruction Fuzzy Hash: 6FC16075A04216EFCB14CF94C884EAEB7F5FF88714B158599E846EB251D730DE81CBA0

Function 00DDE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00DDE3D2
CharLowerBuffW.USER32(?,?), ref: 00DDE415

Part of subcall function 00DDDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DDDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00DDE615
_memmove.LIBCMT ref: 00DDE628

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: be237ed2f8f731a2642670d47e6a9416bb22251a19ee98126200840ddc5bf027
Instruction ID: cde8a04d2638823a7ce435a34256fcf374082d21dab270139bbc2e629401ac34
Opcode Fuzzy Hash: be237ed2f8f731a2642670d47e6a9416bb22251a19ee98126200840ddc5bf027
Instruction Fuzzy Hash: DDC16B716083019FC714EF28C49096ABBE4FF88718F18896EF8999B351D731E945CFA2

Function 00DD83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DD83D8
CoUninitialize.OLE32 ref: 00DD83E3

Part of subcall function 00DBDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DBDAC5

VariantInit.OLEAUT32(?), ref: 00DD83EE
VariantClear.OLEAUT32(?), ref: 00DD86BF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 35f28d0093f90b19b8705c81ac33e524e9eed54cd7d9dcca9910c325fd631432
Instruction ID: 5d4b1bab2bf7b90f391a9432b77b55d3c0ec71ec63e1257c355d487001e3e773
Opcode Fuzzy Hash: 35f28d0093f90b19b8705c81ac33e524e9eed54cd7d9dcca9910c325fd631432
Instruction Fuzzy Hash: D1A128752047019FCB11EF64C491B2AB7E5FF88324F18845AF99A9B3A1CB30ED04DB62

Function 00DB7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00DF2C7C,?), ref: 00DB7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00DF2C7C,?), ref: 00DB7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00DEFB80,000000FF,?,00000000,00000800,00000000,?,00DF2C7C,?), ref: 00DB7C6F
_memcmp.LIBCMT ref: 00DB7C90

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8bdb8add645516b28ea708f17c1f7024208dcfd528604a0dfba951b441fdb935
Instruction ID: 69b0faf8d9f08f8f48712ad2f676a77188ca4416220478eeb70f0721c1ab6c91
Opcode Fuzzy Hash: 8bdb8add645516b28ea708f17c1f7024208dcfd528604a0dfba951b441fdb935
Instruction Fuzzy Hash: 3081F975A00209EFCB04DF94C984EEEB7B9FF89315F244598F516AB250DB71AE06CB60

Function 00DB6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DB6E04
SysAllocString.OLEAUT32(00000000), ref: 00DB6EAD
VariantCopy.OLEAUT32 ref: 00DB6EDC
VariantClear.OLEAUT32(?), ref: 00DB6F03

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: faca6bb9cf9019b44fe203c266a643b584d9302388a1ad487e70ffb99d2a7600
Instruction ID: 5c0136f97f87f69b502b06c67173e5927823f5e34dee7b52827bfc86fa1bf14b
Opcode Fuzzy Hash: faca6bb9cf9019b44fe203c266a643b584d9302388a1ad487e70ffb99d2a7600
Instruction Fuzzy Hash: 83518120608302DBDB24AF65D891ABAB3F5EF88310F24981FF597CB691DA74D8409B31

Function 00DC97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00D65045: _fseek.LIBCMT ref: 00D6505D

Part of subcall function 00DC99BE: _wcscmp.LIBCMT ref: 00DC9AAE
Part of subcall function 00DC99BE: _wcscmp.LIBCMT ref: 00DC9AC1

_free.LIBCMT ref: 00DC992C
_free.LIBCMT ref: 00DC9933
_free.LIBCMT ref: 00DC999E

Part of subcall function 00D82F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D89C64), ref: 00D82FA9
Part of subcall function 00D82F95: GetLastError.KERNEL32(00000000,?,00D89C64), ref: 00D82FBB

_free.LIBCMT ref: 00DC99A6

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: 2470e334829470d7cd7e228e8e0cc4c3988988bc563089c27d574a26824f9572
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: B7514FB1904219AFDF249F64DC45BAEBB79EF48310F1404AEB649A7241DB715A80CF68

Function 00DD6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00DD6CE4
WSAGetLastError.WSOCK32(00000000), ref: 00DD6CF4

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DD6D58
WSAGetLastError.WSOCK32(00000000), ref: 00DD6D64

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: d7ea5199e761d65ee09d504e6db88651e9d6abf71abe0f5dd62e321779fd7174
Instruction ID: 0b7cd339eb719ab914a1bf6e533b3b9190b6d31ebf4168b28616b0339a990ce9
Opcode Fuzzy Hash: d7ea5199e761d65ee09d504e6db88651e9d6abf71abe0f5dd62e321779fd7174
Instruction Fuzzy Hash: E3418F74740200AFEB20AF24DC96F3A77E9DB08B10F448119FA599B3D2DA759D018BB1

Function 00DD672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00DEF910), ref: 00DD67BA
_strlen.LIBCMT ref: 00DD67EC

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: f2d12b97a539141cd17a2daefb7a1eaad2fcfa7c3ba7181acbe43998a86c5f12
Instruction ID: f7b73232180982caca2c425af40b0802e15cdd5ca1e130c5f9b9f7ecf568c301
Opcode Fuzzy Hash: f2d12b97a539141cd17a2daefb7a1eaad2fcfa7c3ba7181acbe43998a86c5f12
Instruction Fuzzy Hash: F2417531A00104ABCB14FBA5DCD5EAEB7A9EF48710F148156F51697392DB30ED44DBB0

Function 00DCBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DCBB09
GetLastError.KERNEL32(?,00000000), ref: 00DCBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DCBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DCBB80

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 66e3a2298ffb4c5a36146b416ca467dedcf08aafbec77ef790ef4f38bb2737aa
Instruction ID: cdd450a5be34f3c1f76069c68d6f9d48798f2e6cf66bc70fa83ec0f6f154dfac
Opcode Fuzzy Hash: 66e3a2298ffb4c5a36146b416ca467dedcf08aafbec77ef790ef4f38bb2737aa
Instruction Fuzzy Hash: 9E412639600651DFCB10EF25C595A5DBBE6EF99320B098499E84A9B362CB34FD01CBB1

Function 00DEADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00DEAE1A
GetWindowRect.USER32(?,?), ref: 00DEAE90
PtInRect.USER32(?,?,00DEC304), ref: 00DEAEA0
MessageBeep.USER32(00000000), ref: 00DEAF11

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 86b7f7aa25e1513f53087a01ef326aecc5dffa0bf89743b0ee67960c0941a81b
Instruction ID: f505802eeba47e6267083114961c19c583045728efd0139234c65aa8569490c4
Opcode Fuzzy Hash: 86b7f7aa25e1513f53087a01ef326aecc5dffa0bf89743b0ee67960c0941a81b
Instruction Fuzzy Hash: 7B417E70600296DFCB25EF6EC884A697BF5FF49740F1881A9F814DB251D730E802CB62

Function 00DC0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00DC1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00DC1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00DC10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00DC110B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 447c62d63d8bf362a97a7610812550e9392e26164a66742a830afa258bdb4aa1
Instruction ID: b33da5edb54696f271123529414cdcca9fb3395bad15961dfdc183c1b4c566d3
Opcode Fuzzy Hash: 447c62d63d8bf362a97a7610812550e9392e26164a66742a830afa258bdb4aa1
Instruction Fuzzy Hash: F9312A34A446A9AEFF309B658C05FF9BBA5AB47310F1C421EE580971D2C37489C5A771

Function 00DC1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00DC1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00DC1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00DC11F1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00DC1243

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a1667774b842d4a6cad17a072ed0074c322b0dc343a88d51099a02e7947d1c4c
Instruction ID: f3824e7dca096f6a82fe30cc7d7ba4029f4330bc1ee8df098e3d01a88fa7ab01
Opcode Fuzzy Hash: a1667774b842d4a6cad17a072ed0074c322b0dc343a88d51099a02e7947d1c4c
Instruction Fuzzy Hash: E4314B389403699AEF309B65CC09FFABB69AB47310F0C431EF580931D2C33889559775

Function 00D96415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D9644B
__isleadbyte_l.LIBCMT ref: 00D96479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D964A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D964DD

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4fc50574a53328ab765dd3246835c3bff50af84d28770f249e6aee0863f6a5c8
Instruction ID: 67173d719a7cf022df4c4857763e8682c9197b641e07b4dc2c9973fd2eb306bb
Opcode Fuzzy Hash: 4fc50574a53328ab765dd3246835c3bff50af84d28770f249e6aee0863f6a5c8
Instruction Fuzzy Hash: 7A31AF3160824AAFDF219FB5CC45BAA7BA5FF41710F194429E8558B1A1EB31D850DBB0

Function 00DE5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00DE5189

Part of subcall function 00DC387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DC3897
Part of subcall function 00DC387D: GetCurrentThreadId.KERNEL32 ref: 00DC389E
Part of subcall function 00DC387D: AttachThreadInput.USER32(00000000,?,00DC52A7), ref: 00DC38A5

GetCaretPos.USER32(?), ref: 00DE519A
ClientToScreen.USER32(00000000,?), ref: 00DE51D5
GetForegroundWindow.USER32 ref: 00DE51DB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: db2e3a5f0ee63db9563314a3b6c00a9faef8d7f8581202ca265a5352155482bc
Instruction ID: 9d3d787083ae0cee0aca1f1a3fe7390708b3e99f4ea325062a433bc181865171
Opcode Fuzzy Hash: db2e3a5f0ee63db9563314a3b6c00a9faef8d7f8581202ca265a5352155482bc
Instruction Fuzzy Hash: BD31F871900208ABDB00EFA5C895AEFB7FDEF98304B10406AE415E7241EA75AA45CBB1

Function 00DEC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

GetCursorPos.USER32(?), ref: 00DEC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D9BBFB,?,?,?,?,?), ref: 00DEC7D7
GetCursorPos.USER32(?), ref: 00DEC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D9BBFB,?,?,?), ref: 00DEC85E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d56252513b4ce818fddf2a2875f0f9cdf2bf48be8f96f9fea146dcd5ded66654
Instruction ID: b7d9fc35714bf69d03448b6221f4710f4a4ce27bf96e108c7e4232232a8ccf27
Opcode Fuzzy Hash: d56252513b4ce818fddf2a2875f0f9cdf2bf48be8f96f9fea146dcd5ded66654
Instruction Fuzzy Hash: 61318D35600198AFCB25EF5AC8D8EEE7BB6FB49310F084169F9059B261C7319952DFB0

Function 00D80BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00D80BF2

Part of subcall function 00D65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DC7B20,?,?,00000000), ref: 00D65B8C
Part of subcall function 00D65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DC7B20,?,?,00000000,?,?), ref: 00D65BB0

_fprintf.LIBCMT ref: 00D80C29
OutputDebugStringW.KERNEL32(?), ref: 00DB6331

Part of subcall function 00D84CDA: _flsall.LIBCMT ref: 00D84CF3

__setmode.LIBCMT ref: 00D80C5E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 59988ec60cdc7d4126897b4a33844a749cd50acd3ff02e3756139ef13227744a
Instruction ID: d395dda41129b1d43ac0a78e9021aadf3cd50e4c5c97c118b5e97a943b18bb23
Opcode Fuzzy Hash: 59988ec60cdc7d4126897b4a33844a749cd50acd3ff02e3756139ef13227744a
Instruction Fuzzy Hash: FE11E432904209AFCB15BBB4AC42EBEBB6DDF45320F18011AF20497192DE355D8697B5

Function 00DB8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DB8669
Part of subcall function 00DB8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DB8673
Part of subcall function 00DB8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB8682
Part of subcall function 00DB8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB8689
Part of subcall function 00DB8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DB869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DB8BEB
_memcmp.LIBCMT ref: 00DB8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DB8C44
HeapFree.KERNEL32(00000000), ref: 00DB8C4B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 976a4d66ef133304344635738bf1e8ff0029def6443aed0b7c9c843c6f9b4e77
Instruction ID: 71ceccec91a0ba2abc43e390b798d8954518b388c6eecc7cadc5df68123bed95
Opcode Fuzzy Hash: 976a4d66ef133304344635738bf1e8ff0029def6443aed0b7c9c843c6f9b4e77
Instruction Fuzzy Hash: 7D217CB1E01209EFDB10DFA4C945BEEBBB8EF44355F184059E455AB240DB31AA06DB70

Function 00DD1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DD1A97

Part of subcall function 00DD1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DD1B40
Part of subcall function 00DD1B21: InternetCloseHandle.WININET(00000000), ref: 00DD1BDD

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 1bdd16ba706610592659484e431f635487e1f6e245d86d024969cba911ecc3ed
Instruction ID: 9cf7fb2227d60aadce601d71e79c01807b1e3569f89ba16e791f15dc628c6348
Opcode Fuzzy Hash: 1bdd16ba706610592659484e431f635487e1f6e245d86d024969cba911ecc3ed
Instruction Fuzzy Hash: 8B219F3A200A01BFDB11AF608C01FBAB7A9FF95701F15401BFA5196751EB71E8119BB0

Function 00DBE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DBF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00DBE1C4,?,?,?,00DBEFB7,00000000,000000EF,00000119,?,?), ref: 00DBF5BC
Part of subcall function 00DBF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00DBF5E2
Part of subcall function 00DBF5AD: lstrcmpiW.KERNEL32(00000000,?,00DBE1C4,?,?,?,00DBEFB7,00000000,000000EF,00000119,?,?), ref: 00DBF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00DBEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00DBE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00DBE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00DBEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00DBE237

Strings

cdecl, xrefs: 00DBE22E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 510202c8576d2d651a6ae64d8d4328d14e2c40128660be8767ed888bea962caf
Instruction ID: 2fb53800346dd1b4e5143a4deb711a90c8063ecc2e89640cd595a607bfdede62
Opcode Fuzzy Hash: 510202c8576d2d651a6ae64d8d4328d14e2c40128660be8767ed888bea962caf
Instruction Fuzzy Hash: BC11BE3A200345EFCB25AF64DC459BA77A8FF85310B44802AE806CB2A0EB71985187B4

Function 00D95332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D95351

Part of subcall function 00D8594C: __FF_MSGBANNER.LIBCMT ref: 00D85963
Part of subcall function 00D8594C: __NMSG_WRITE.LIBCMT ref: 00D8596A
Part of subcall function 00D8594C: RtlAllocateHeap.NTDLL(008C0000,00000000,00000001,00000000,?,?,?,00D81013,?), ref: 00D8598F

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 341f5ee57ff9f0ae22d501839fb85e4b26d50668bd95f0715b58d021bc8f40b1
Instruction ID: 573c48dac620deb5aa690f2ca677f0f16b742f32c2c13bfd132c63aa6659a1f5
Opcode Fuzzy Hash: 341f5ee57ff9f0ae22d501839fb85e4b26d50668bd95f0715b58d021bc8f40b1
Instruction Fuzzy Hash: D411A372504A15AFCF323F70BC4566D3798DF107A0B14453AF9499A195DEB1CD4197B0

Function 00D64531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D64560

Part of subcall function 00D6410D: _memset.LIBCMT ref: 00D6418D
Part of subcall function 00D6410D: _wcscpy.LIBCMT ref: 00D641E1
Part of subcall function 00D6410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D641F1

KillTimer.USER32(?,00000001,?,?), ref: 00D645B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D645C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D9D6CE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 1d2043cdc78fc062320c814a31c9af104a14a6a127d72ff058ebbc2bb63bbc35
Instruction ID: 3134fcead76ce35813c0854993e141ea9d1c0772e2fe180bc9c5981db1ad6845
Opcode Fuzzy Hash: 1d2043cdc78fc062320c814a31c9af104a14a6a127d72ff058ebbc2bb63bbc35
Instruction Fuzzy Hash: B421C971904788AFEB329B34DC55BE7BBED9F01308F04009DE69E96281C7745A89CB71

Function 00DD667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DC7B20,?,?,00000000), ref: 00D65B8C
Part of subcall function 00D65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DC7B20,?,?,00000000,?,?), ref: 00D65BB0

gethostbyname.WSOCK32(?,?,?), ref: 00DD66AC
WSAGetLastError.WSOCK32(00000000), ref: 00DD66B7
_memmove.LIBCMT ref: 00DD66E4
inet_ntoa.WSOCK32(?), ref: 00DD66EF

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 2164186dfd55e2056af54cc8f03c31a830659381fa8f7698ef702e18937737f6
Instruction ID: a625a121c14ab9ea64826f0877cde2fec5111de747c46dda63830d636f51386e
Opcode Fuzzy Hash: 2164186dfd55e2056af54cc8f03c31a830659381fa8f7698ef702e18937737f6
Instruction Fuzzy Hash: FA114975500509AFCB00FBA4ED96DEEB7B8EF18310B144066F506AB261DB30AE44DBB1

Function 00DB9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00DB9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DB9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DB906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DB9086

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 67aa3e1189786999dc164638d3a7b455f91980bf486826313586e1ab86a003d8
Instruction ID: 68b34073e9c36837850b74d0e16ba97a0f915ef86a9893ef71c9146834e19437
Opcode Fuzzy Hash: 67aa3e1189786999dc164638d3a7b455f91980bf486826313586e1ab86a003d8
Instruction Fuzzy Hash: FB114C79900218FFDB10EFA5C884EDDFB74FB48310F2040A5EA05B7250D6716E10DBA0

Function 00D61290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

DefDlgProcW.USER32(?,00000020,?), ref: 00D612D8
GetClientRect.USER32(?,?), ref: 00D9B84B
GetCursorPos.USER32(?), ref: 00D9B855
ScreenToClient.USER32(?,?), ref: 00D9B860

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 70eb62312a2b59697f5b4410b5157a3cfff07b63a40eb119d06c098596b9fe34
Instruction ID: 880649c8866d1bcd00e9f669db91420d1fda7b35deba28bb93b0d52de6dbdccb
Opcode Fuzzy Hash: 70eb62312a2b59697f5b4410b5157a3cfff07b63a40eb119d06c098596b9fe34
Instruction Fuzzy Hash: CE114C79900159AFCF10EF98D8969FE77B8FB09301F044456F941E7250C730BA518BB9

Function 00DC1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DC01FD,?,00DC1250,?,00008000), ref: 00DC166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00DC01FD,?,00DC1250,?,00008000), ref: 00DC1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DC01FD,?,00DC1250,?,00008000), ref: 00DC169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00DC01FD,?,00DC1250,?,00008000), ref: 00DC16D1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 718cdaff3e62a3847895613ec2ad18adcbba13caba2765a9ef8f7e7b44e741cd
Instruction ID: 48196c97d4526b4cb82dba3132b568e9de53c18b452a9f983d5699d6bffc2c3f
Opcode Fuzzy Hash: 718cdaff3e62a3847895613ec2ad18adcbba13caba2765a9ef8f7e7b44e741cd
Instruction Fuzzy Hash: 5B113035C4062ED7CF00AFA5D984BEEBB78FF1A751F054059D981B7241CB3095508BB5

Function 00D97207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00D9722B

Part of subcall function 00D97912: __fltout2.LIBCMT ref: 00D9793B

__cftog_l.LIBCMT ref: 00D97251
__cftoe_l.LIBCMT ref: 00D97283

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 737d6af978992e229bc973b4117f681b6fecf2f3ae5871a257b1fb346f574d12
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 3101493606818ABBCF125F84CC018EE3F62FF69355F588615FA1859031D237C9B1ABA9

Function 00DEB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DEB59E
ScreenToClient.USER32(?,?), ref: 00DEB5B6
ScreenToClient.USER32(?,?), ref: 00DEB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DEB5F5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 386a70d58fd19dd55b07104827c10358675bf67a9e175a5ebc2ed08d16006d76
Instruction ID: e04f61ff5433b483e0d282fbfa236cc375eea545688f374b1cc4d559c1738860
Opcode Fuzzy Hash: 386a70d58fd19dd55b07104827c10358675bf67a9e175a5ebc2ed08d16006d76
Instruction Fuzzy Hash: 3E1146B5D00249EFDB41DF99D4849EEFBB5FB08310F108166E954E3620D735AA558F60

Function 00DEB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DEB8FE
_memset.LIBCMT ref: 00DEB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E27F20,00E27F64), ref: 00DEB93C
CloseHandle.KERNEL32 ref: 00DEB94E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 5e17d066af355eee406d450ad7cf6341beda3ead8482428c7c1fae4562b725ca
Instruction ID: 2b5954bb37111e2a484c0e903e08070d299c4a095b0616ba78923faf1414ce1b
Opcode Fuzzy Hash: 5e17d066af355eee406d450ad7cf6341beda3ead8482428c7c1fae4562b725ca
Instruction Fuzzy Hash: 72F05EB264C3507FF2203B62AD46FBB3A5CEB09754F000021FB48E92A6D771590587B8

Function 00DC6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00DC6E88

Part of subcall function 00DC794E: _memset.LIBCMT ref: 00DC7983

_memmove.LIBCMT ref: 00DC6EAB
_memset.LIBCMT ref: 00DC6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00DC6EC8

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 95a71a36bc6f439eb5d43db818e1c4749125e4ad6de8c990d745ad5b4d5ef2bc
Instruction ID: fd30922ac94ae75d8c62a8cd4b7d43b72ab30db597215f265bb239ff38767111
Opcode Fuzzy Hash: 95a71a36bc6f439eb5d43db818e1c4749125e4ad6de8c990d745ad5b4d5ef2bc
Instruction Fuzzy Hash: E6F05E3A200200ABCF017F55DC85F8ABB2AEF45320B14C065FE089F22ACB31A911DFB4

Function 00DEC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D6134D
Part of subcall function 00D612F3: SelectObject.GDI32(?,00000000), ref: 00D6135C
Part of subcall function 00D612F3: BeginPath.GDI32(?), ref: 00D61373
Part of subcall function 00D612F3: SelectObject.GDI32(?,00000000), ref: 00D6139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DEC030
LineTo.GDI32(00000000,?,?), ref: 00DEC03D
EndPath.GDI32(00000000), ref: 00DEC04D
StrokePath.GDI32(00000000), ref: 00DEC05B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bf1d68f49b47a08873059951c639c29c6298be24b9676f822b21933b85a26378
Instruction ID: 07542177e1b644fe4467186c2ba20b529f3bbf2ad1487eaca3c9bde4de7f312b
Opcode Fuzzy Hash: bf1d68f49b47a08873059951c639c29c6298be24b9676f822b21933b85a26378
Instruction Fuzzy Hash: E9F05E32001399FBDB227F55AC0AFCE3F59AF05311F084100FA11A51E287755666CBB5

Function 00DBA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DBA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DBA3AC
GetCurrentThreadId.KERNEL32 ref: 00DBA3B3
AttachThreadInput.USER32(00000000), ref: 00DBA3BA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ea43c7da61b1dd9c824b124f2d82fc61b7a181767e26e7cd545e1b8fe3103c1a
Instruction ID: 2ee38adafd2aedcf554ea01285e0baa4e59cf5a7098836aabc610d4626982052
Opcode Fuzzy Hash: ea43c7da61b1dd9c824b124f2d82fc61b7a181767e26e7cd545e1b8fe3103c1a
Instruction Fuzzy Hash: DCE01531141368BBDB202BA2DC4CEDB3E5CEF167A1F448028B509C81A0C67185408BB0

Function 00D62218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D62231
SetTextColor.GDI32(?,000000FF), ref: 00D6223B
SetBkMode.GDI32(?,00000001), ref: 00D62250
GetStockObject.GDI32(00000005), ref: 00D62258
GetWindowDC.USER32(?,00000000), ref: 00D9C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D9C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00D9C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00D9C112
GetPixel.GDI32(00000000,?,?), ref: 00D9C132
ReleaseDC.USER32(?,00000000), ref: 00D9C13D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1dda962339571b432d7e505770532ab5784b705a080117f6147db756e3961419
Instruction ID: 580a63e90b2e06c7428ab118f5426f25f1a6ce0a329623a0ebb252014fbe3af8
Opcode Fuzzy Hash: 1dda962339571b432d7e505770532ab5784b705a080117f6147db756e3961419
Instruction Fuzzy Hash: B3E03932100388EAEF216FA4EC497D83B24AB15332F048366FA69981E187714A80DB31

Function 00DB8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00DB8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00DB882E), ref: 00DB8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DB882E), ref: 00DB8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00DB882E), ref: 00DB8C7E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b5014834e77ee1c85882fe6a5d0e969c91b3d67713e905895cbc43f191bfe3d6
Instruction ID: 725f929b6b416f7db826a3f1ed0fadd143d7f708f76180aa46da996aea82ae17
Opcode Fuzzy Hash: b5014834e77ee1c85882fe6a5d0e969c91b3d67713e905895cbc43f191bfe3d6
Instruction Fuzzy Hash: 05E08676642351DBD7206FB06D4CB963BACEF50792F094828F246CD040DA348441DB71

Function 00DA2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DA2187
GetDC.USER32(00000000), ref: 00DA2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DA21B1
ReleaseDC.USER32(?), ref: 00DA21D2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8e1b6207c2126cb283aecc059c68a15e8a1845a8d0cf1a70a0afc6ff03685965
Instruction ID: a164f0e2fb4fbe3a680a81b923978ce4e0f21670087eb0ce9ecc07d5987ce0da
Opcode Fuzzy Hash: 8e1b6207c2126cb283aecc059c68a15e8a1845a8d0cf1a70a0afc6ff03685965
Instruction Fuzzy Hash: 53E0E575800304EFDB01AFA0C848AAD7BF5EB4C350F10C429F99ADB320CB7881419F60

Function 00DA219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DA219B
GetDC.USER32(00000000), ref: 00DA21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DA21B1
ReleaseDC.USER32(?), ref: 00DA21D2

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3f9ce6426789adfaa0b0d5c3fd3aab679634250a32911015a93a88aa053c3ea0
Instruction ID: 3ae88624cc9c34938eaec2df009b4388c4afe6343c757e7cec615a136126c025
Opcode Fuzzy Hash: 3f9ce6426789adfaa0b0d5c3fd3aab679634250a32911015a93a88aa053c3ea0
Instruction Fuzzy Hash: 2AE0E575800304AFDB01AFA0C84869D7BE5EB4C310F108029F95ADB320CB7891419F60

Function 00DDB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00DDB2C3

Strings

xr, xrefs: 00DDB325
xr, xrefs: 00DDB2F9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __itow_s
String ID: xr$xr
API String ID: 3653519197-2528877900
Opcode ID: 17f102ebdfa1e1cf7bc875ad00b3e40faebac30f1f5c1de04be9f3766dba86c2
Instruction ID: 639307fa913bce5cfd0843d6ee52ae355cd191caf4fcc31859a06c38cdf5fbd6
Opcode Fuzzy Hash: 17f102ebdfa1e1cf7bc875ad00b3e40faebac30f1f5c1de04be9f3766dba86c2
Instruction Fuzzy Hash: BDB18D71A00209EFCB14DF54D891EAABBB9EF58318F19805BF9459B352DB31E941CB70

Function 00DBB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00DBB981

Strings

AutoIt3GUI, xrefs: 00DBB8F9
Container, xrefs: 00DBB8FE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 988f0d25f40affd69cfbc16aede1f814ad2b6c8c6cc4e5a807c668dd13ec6541
Instruction ID: 5c1f8869b096048f055c419ba887d2280bff3d06d301f43f15260ba176e0092d
Opcode Fuzzy Hash: 988f0d25f40affd69cfbc16aede1f814ad2b6c8c6cc4e5a807c668dd13ec6541
Instruction Fuzzy Hash: 15916D74600201DFDB64DF24C885AAABBF8FF48710F14856EF94ADB291DBB1E840CB60

Function 00DCB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7FEC6: _wcscpy.LIBCMT ref: 00D7FEE9

Part of subcall function 00D69997: __itow.LIBCMT ref: 00D699C2
Part of subcall function 00D69997: __swprintf.LIBCMT ref: 00D69A0C

__wcsnicmp.LIBCMT ref: 00DCB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00DCB361

Strings

LPT, xrefs: 00DCB292

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 02ccbfea39cce63a6cd3a7170f151076b8c76dbe3c10e8a79af891509592490b
Instruction ID: 034f51abdd901a5c45f03664396e44eca69e3f45e67b088dd8b1adfcd7abd019
Opcode Fuzzy Hash: 02ccbfea39cce63a6cd3a7170f151076b8c76dbe3c10e8a79af891509592490b
Instruction Fuzzy Hash: D0614F75A04215AFCB14EB94C896EAEB7B4EB08320F15405EF946AB291DB70EE44CB70

Function 00D72AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D72AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D72AE1

Strings

@, xrefs: 00D72AD5

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ff613da295991147d950d5f713256f0c5d235ec651044c7ae66ce0b454690788
Instruction ID: e60eefbb4665851628bd62ad62dd39f0aba1a6030ff9e4d54d613fe0be870734
Opcode Fuzzy Hash: ff613da295991147d950d5f713256f0c5d235ec651044c7ae66ce0b454690788
Instruction Fuzzy Hash: 435147B24187449BD320AF50DC96BAFBBECFF84310F42885DF2D9511A5DB318569CB26

Function 00DC99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D6506B: __fread_nolock.LIBCMT ref: 00D65089

_wcscmp.LIBCMT ref: 00DC9AAE
_wcscmp.LIBCMT ref: 00DC9AC1

Strings

FILE, xrefs: 00DC99FA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 2d4496c842b1ae73aabb71072cdc4f95e93377100906ffe9373d880931a483bf
Instruction ID: 89358864e25b9849292a70c9a829fc591570b852b6d73ee3b03934847e55c852
Opcode Fuzzy Hash: 2d4496c842b1ae73aabb71072cdc4f95e93377100906ffe9373d880931a483bf
Instruction Fuzzy Hash: A641D571A4060ABBDF209AA0DC86FEFBBB9DF45710F040069B900A7185DA759E4587B1

Function 00DA099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00DA09A9

Strings

Dt, xrefs: 00D6A477
Dt, xrefs: 00D6A2B1

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClearVariant
String ID: Dt$Dt
API String ID: 1473721057-4168040075
Opcode ID: aa20e236c98628d2b0ee4a74cda0065adc3dd76775ace9c622545dd012160ecb
Instruction ID: f8c60d2c6e13b239f76ace30b77b1bbe2759a5b9aaf8f23ca3964768d9828bab
Opcode Fuzzy Hash: aa20e236c98628d2b0ee4a74cda0065adc3dd76775ace9c622545dd012160ecb
Instruction Fuzzy Hash: B951F378608341CFC764CF19C590A1ABBE1BB99344F68985DE9C5AB321D731EC85CFA2

Function 00DD2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DD2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DD28C8

Strings

|, xrefs: 00DD2899

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 7e330a11a0672b1dc93932b6e8a3a3b2bbd71332ea32e2d05be2171a46f6fe07
Instruction ID: 1a89e174a7dc7bc942816fa9a1bedc044ef6c93e4671400a3d4093e46ff3317a
Opcode Fuzzy Hash: 7e330a11a0672b1dc93932b6e8a3a3b2bbd71332ea32e2d05be2171a46f6fe07
Instruction Fuzzy Hash: 8031F971800119AFCF01AFA1DC85EEEBFB9FF18314F14406AF815A6265DA315A56DB70

Function 00DE6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00DE6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DE6DC2

Strings

static, xrefs: 00DE6D22

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b23fb4f2a3c6a683c1213ff6825fe4d3bade71bd08f0e5303ca32ed312a06c20
Instruction ID: da7f30db71afe49b91899d34d412f436d4896d12e90bb8dca526ac776cd02773
Opcode Fuzzy Hash: b23fb4f2a3c6a683c1213ff6825fe4d3bade71bd08f0e5303ca32ed312a06c20
Instruction Fuzzy Hash: 11319E71200644AEDB10AF65CC80AFB77A9FF58760F548619F8A5D7190CA31EC91CB70

Function 00DC2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DC2E3B

Strings

0, xrefs: 00DC2DF9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 97240e7a71e3eb2234e566289a5b0f985e4770a7f451bf0c9f9bfd88715c0237
Instruction ID: 7aa43ab2533f57eef6245ce276c0be240869899fd11f6ec3121480303c3965a3
Opcode Fuzzy Hash: 97240e7a71e3eb2234e566289a5b0f985e4770a7f451bf0c9f9bfd88715c0237
Instruction Fuzzy Hash: 4131A03160030AABEB249F58D885FBEBBADEF05350F18402DF985A71A0D7709945CB70

Function 00DBAFDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7619A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D761B1

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DBB03B
_strlen.LIBCMT ref: 00DBB046

Strings

@U=u, xrefs: 00DBB03B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: cf804269de8078151581e0e63631b71a2ec8c4548d9675ac530c4cfdb24f3b9a
Instruction ID: e9acd74bba03a1ce2937c794b69a3414e4253835b261d80e3bef072aae3e7bef
Opcode Fuzzy Hash: cf804269de8078151581e0e63631b71a2ec8c4548d9675ac530c4cfdb24f3b9a
Instruction Fuzzy Hash: 8011C331204209ABCB14BA789CC2AFF7BA9DF46720F04006FFA179A193DEA5D9458770

Function 00DE6AD4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC589F: GetLocalTime.KERNEL32 ref: 00DC58AC
Part of subcall function 00DC589F: _wcsncpy.LIBCMT ref: 00DC58E1
Part of subcall function 00DC589F: _wcsncpy.LIBCMT ref: 00DC5913
Part of subcall function 00DC589F: _wcsncpy.LIBCMT ref: 00DC5946
Part of subcall function 00DC589F: _wcsncpy.LIBCMT ref: 00DC5988

SendMessageW.USER32(?,00001002,00000000,?), ref: 00DE6B6E

Strings

@U=u, xrefs: 00DE6B6E
SysDateTimePick32, xrefs: 00DE6B2C

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: dd3ff8bd0f32ac614e97e2b4faca95f8bcbb3c965c7bc93254b9688133396ef7
Instruction ID: f9430b7042d4b7e34f8363bbca7690555d46a0cbab86686ed06507723e0f8bb7
Opcode Fuzzy Hash: dd3ff8bd0f32ac614e97e2b4faca95f8bcbb3c965c7bc93254b9688133396ef7
Instruction Fuzzy Hash: 9721D6313402496FEF21AE54DC82FEE7369EB547A4F144519F950EB1D0D6B1EC9187B0

Function 00DB9707 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DB9720

Part of subcall function 00DC18EE: GetWindowThreadProcessId.USER32(?,?), ref: 00DC1919
Part of subcall function 00DC18EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DB973C,00000034,?,?,00001004,00000000,00000000), ref: 00DC1929
Part of subcall function 00DC18EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DB973C,00000034,?,?,00001004,00000000,00000000), ref: 00DC193F

Part of subcall function 00DC19CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DB9778,?,?,00000034,00000800,?,00000034), ref: 00DC19F6

SendMessageW.USER32(?,00001073,00000000,?), ref: 00DB9787

Part of subcall function 00DC1997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DB97A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00DC19C1

Strings

@U=u, xrefs: 00DB9720, 00DB9787

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 2861a262ffff8823f72cec993cefc5cba5d2bdd6dbc9b7195f7a24fed3184f0c
Instruction ID: 25135d2efb52a312469ed371578b0508926c824f44d0b38eb332e362a6f850d0
Opcode Fuzzy Hash: 2861a262ffff8823f72cec993cefc5cba5d2bdd6dbc9b7195f7a24fed3184f0c
Instruction Fuzzy Hash: E4217C35901129ABEF11ABA4CC85FD9BBB8FF09350F1001A9F648A7191EE705A44CFB0

Function 00DE6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DE69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DE69DB

Strings

Combobox, xrefs: 00DE699D

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: feec4c41a8dda64b1325fe5da4c991acd3b8c7ce66d459c4b72bcb1227d13a71
Instruction ID: e2cc47ac15223c38c9c31c9cb2c54d4b958fdde7e16d2fccf8f04ca3c66145d7
Opcode Fuzzy Hash: feec4c41a8dda64b1325fe5da4c991acd3b8c7ce66d459c4b72bcb1227d13a71
Instruction Fuzzy Hash: B311C4717002486FEF11AF25CC80EFB376AEBA93E4F150225F9589B291D671EC518BB0

Function 00DE9962 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00DE99E7, 00DE9A10

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: ba2f5c7bc20f1c199cbd8380ba0fd8f744ac347cdf2c869cb253afb2d974d97b
Instruction ID: c7531f5db46e699f9625f78ad75bb4548984c12c5de2f34881eb6272eac329c9
Opcode Fuzzy Hash: ba2f5c7bc20f1c199cbd8380ba0fd8f744ac347cdf2c869cb253afb2d974d97b
Instruction Fuzzy Hash: 7621B471105298BFDB10AF56CC61FBAB7A4EB09310F044169FA52EB1D1D670DE50DB70

Function 00DE6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00D61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D61D73
Part of subcall function 00D61D35: GetStockObject.GDI32(00000011), ref: 00D61D87
Part of subcall function 00D61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D61D91

GetWindowRect.USER32(00000000,?), ref: 00DE6EE0
GetSysColor.USER32(00000012), ref: 00DE6EFA

Strings

static, xrefs: 00DE6EBD

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4e3f15e280149d355b08c8945a51deef1ea4dd052235a0e990b9ad6ab29a2c62
Instruction ID: 10e0d017b8164551fe3d9ff49f6ae6bfcefa330cf9234fcfebd06a90f3935ee3
Opcode Fuzzy Hash: 4e3f15e280149d355b08c8945a51deef1ea4dd052235a0e990b9ad6ab29a2c62
Instruction Fuzzy Hash: B321863261024AAFDB04EFB8CC45AEA7BB8FB08354F044629F955E3241E630E8619B60

Function 00DC2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00DC2F30

Strings

0, xrefs: 00DC2F07

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 23d5f93d3e5bacf39baa08d0b14a05a387b1c56482e006d5b1acf64d29e7736c
Instruction ID: b186660f5631e46d975e5fcc4799bca3ed8fdc95811981eccfdda63581d595cb
Opcode Fuzzy Hash: 23d5f93d3e5bacf39baa08d0b14a05a387b1c56482e006d5b1acf64d29e7736c
Instruction Fuzzy Hash: C511BE3190121AABCB24DB59DC44FB973B9EF01310F1801ADF884B72A0D7B0ED0487B1

Function 00DD24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DD2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DD2549

Strings

<local>, xrefs: 00DD2511

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cb8869db03e9c93392abb9ca7f14ae005b2daa34bf86f7a0a2c9fa1a8e48c42d
Instruction ID: f65bb06c2599ee27824f9a499e309998e25a5b3caab7e3049365e60b7a506ae1
Opcode Fuzzy Hash: cb8869db03e9c93392abb9ca7f14ae005b2daa34bf86f7a0a2c9fa1a8e48c42d
Instruction Fuzzy Hash: 08110270101225BADB259F519C99EFBFF6CFF26361F10812BF94586240D270A981DAF0

Function 00DE8752 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00DE879F

Strings

@U=u, xrefs: 00DE879F, 00DE87DB

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c4d02dd3ac00826c1930dd8bd219e18ff463c0aebee179b05fe26dfebf68a7d2
Instruction ID: 9ad2691a5ab406854bae51b947f33f051a7e8764ecea0d4ced4aff953901ba83
Opcode Fuzzy Hash: c4d02dd3ac00826c1930dd8bd219e18ff463c0aebee179b05fe26dfebf68a7d2
Instruction Fuzzy Hash: CD21E479604249EF8B15EF98D8808AE7BB5FB4D340B144159FD05A7360DA31ED61EBA0

Function 00DE6825 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00DE689B

Strings

@U=u, xrefs: 00DE689B
button, xrefs: 00DE6872

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: ddc70d13cf53d0d64ef85966c23d9d79b63357da13e218cc1b81d74ea460ba23
Instruction ID: ddfea75dadfdbd03a465b0785a38671f64499f6062141187fee538ecf7237a42
Opcode Fuzzy Hash: ddc70d13cf53d0d64ef85966c23d9d79b63357da13e218cc1b81d74ea460ba23
Instruction Fuzzy Hash: A4110432140245ABDF11AF61CC81FEA376AFF28364F150618FE90A71D0C772E8919B70

Function 00DE7AFB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00DE7B47

Strings

@U=u, xrefs: 00DE7B47

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: fb1942ab52bdcc79ee1e49fb5ed924307ffcc812ecd496f4375249e3d2d496a4
Instruction ID: f259b09e9b97f9f9bd2446a920c15894554208e13f37b2b336bd0b611d260a3c
Opcode Fuzzy Hash: fb1942ab52bdcc79ee1e49fb5ed924307ffcc812ecd496f4375249e3d2d496a4
Instruction Fuzzy Hash: 0711D030504784AFDB20EF34C891AE7B7E8FF05310F108A1DE9AA97391DB7169409B70

Function 00DD80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00DD80C8,?,00000000,?,?), ref: 00DD8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DD80CB
htons.WSOCK32(00000000,?,00000000), ref: 00DD8108

Strings

255.255.255.255, xrefs: 00DD80E3

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: b89717b2cd4182af18d2108c12791fdacc54c0396ae99da08d313f6d9d4d32d6
Instruction ID: 81123233cbe686b7049e4f82f6e08824ab9e67cb2250beec9802aa5ad3b70982
Opcode Fuzzy Hash: b89717b2cd4182af18d2108c12791fdacc54c0396ae99da08d313f6d9d4d32d6
Instruction Fuzzy Hash: 1911CE74200309ABCB20AFA4DC86FFDB364EF44320F10852BE9119B391DA32A84996B1

Function 00DB9989 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC19CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DB9778,?,?,00000034,00000800,?,00000034), ref: 00DC19F6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00DB99EB
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00DB9A10

Strings

@U=u, xrefs: 00DB99EB, 00DB9A10

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 23c3df2bbc8628207678031ff45cbe332cc954353e398bf48905d9a3ee25177c
Instruction ID: 64ee30bd6f4c1aee342f2552a28041c8a464017d3b28d66ac4101fc72187a9a7
Opcode Fuzzy Hash: 23c3df2bbc8628207678031ff45cbe332cc954353e398bf48905d9a3ee25177c
Instruction Fuzzy Hash: 2A01C832900219EBDB21AB64DC86FEABB78DB04320F10416EF955A7191DB70AD54CA70

Function 00D70A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D63C26,00E262F8,?,?,?), ref: 00D70ACE

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

_wcscat.LIBCMT ref: 00DA50E1

Strings

c, xrefs: 00D70B0E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-921687731
Opcode ID: fc7597844fd1515d72daaeb27989d720dd916cf6a8b84c08ccf12cc5134a434f
Instruction ID: 1f0cc6f0c3dea5df94cd1cde0394f80b9fe79837cef6c2e8462e20f6a1f4da3d
Opcode Fuzzy Hash: fc7597844fd1515d72daaeb27989d720dd916cf6a8b84c08ccf12cc5134a434f
Instruction Fuzzy Hash: 5011653590421CDB8B11FB74DC42E9977B9EF48354B0085A5B99CE7291EA70DB888B71

Function 00DB9AB7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00DB9ADD
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00DB9B10

Part of subcall function 00DC1997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DB97A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00DC19C1

Part of subcall function 00D67D2C: _memmove.LIBCMT ref: 00D67D66

Strings

@U=u, xrefs: 00DB9ADD, 00DB9B10

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: e8b1abc556e56746284b469ec6fa27e16373e03e1a35dbc331b07e6a4584722e
Instruction ID: 61839ae67c8372de14e37ce00a4b082961fa095ba3294c90566c714fb9225a21
Opcode Fuzzy Hash: e8b1abc556e56746284b469ec6fa27e16373e03e1a35dbc331b07e6a4584722e
Instruction Fuzzy Hash: 8B013971801128EFDB54EF60DC91EE977A8EB14340F4080AAB689A6151EE314E99CFB0

Function 00DEC86D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62612: GetWindowLongW.USER32(?,000000EB), ref: 00D62623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00D9BB8A,?,?,?), ref: 00DEC8E1

Part of subcall function 00D625DB: GetWindowLongW.USER32(?,000000EB), ref: 00D625EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00DEC8C7

Strings

@U=u, xrefs: 00DEC8C7

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 12225fdcedcd7c5f969340d21b89f8925f0155934a97b6ade9932832d2e346f2
Instruction ID: bbb428169d4c68e940bc89068937aeee2d74e3e1e9e7cccfa7f59520eff29c44
Opcode Fuzzy Hash: 12225fdcedcd7c5f969340d21b89f8925f0155934a97b6ade9932832d2e346f2
Instruction Fuzzy Hash: 0B01B531200294AFCB257F15DD85E6A3BA6FB85324F140528F9525B2A0C731A806EBB1

Function 00D86DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00D86DD0
__calloc_crt.LIBCMT ref: 00D86DE9

Strings

@R, xrefs: 00D86E00

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-2347139750
Opcode ID: 4190d917fd60b7374d29f0e7a764bdd85ae15e1a3552fdbc7fd94e4b3c8e9d43
Instruction ID: db746a0e77d0a9a5bcfb9ae385d77d81a12030e31927962b4a49938706805ed7
Opcode Fuzzy Hash: 4190d917fd60b7374d29f0e7a764bdd85ae15e1a3552fdbc7fd94e4b3c8e9d43
Instruction Fuzzy Hash: 49F06272308616EFF738EF2ABD016A12795EB44730B144526F104EB2E0EF30C88697B0

Function 00DB9A1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DB9A2E
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DB9A46

Strings

@U=u, xrefs: 00DB9A2E, 00DB9A46

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 2db6d644bfa9e53bec6b041c57a1dec9085af0e5b7787ad9de0af6653d230b90
Instruction ID: 065524ceaa12cb118db23b35ba3826bb407e8c8e5110816eb721bfa9757a5805
Opcode Fuzzy Hash: 2db6d644bfa9e53bec6b041c57a1dec9085af0e5b7787ad9de0af6653d230b90
Instruction Fuzzy Hash: 3AE09B353413D1F7F63056154C9EFD7AF59DB89B61F150039BB02991D1CAD14C4186B0

Function 00DBA1A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DBA1BA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00DBA1EA

Strings

@U=u, xrefs: 00DBA1BA, 00DBA1EA

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 8aace175a2ca65bd146ae8a53aba08cd9a28511c1d98d77af9c36b679c0e70d8
Instruction ID: d7b9bd73b086b09cd3af14361bdb0c413f4ab6dfe88e4d78c1512803ab6d626c
Opcode Fuzzy Hash: 8aace175a2ca65bd146ae8a53aba08cd9a28511c1d98d77af9c36b679c0e70d8
Instruction Fuzzy Hash: 22F0A035240348FFEA126B98DC86FEA7B1DEF08BA1F000428F7469E1E1D9E25D4097B0

Function 00DBA327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB9E2E: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00DB9E47
Part of subcall function 00DB9E2E: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00DB9E81

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00DBA34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DBA35B

Strings

@U=u, xrefs: 00DBA34B, 00DBA35B

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c7f299c417e7ec1ca6bb0f37f755d0dd14a0ff02d6a7743e4b22d03586fac64a
Instruction ID: 25d886b8aefb53a26e0dc741271dc6466bed82fbbb2f58cd3906e7582f03d9d2
Opcode Fuzzy Hash: c7f299c417e7ec1ca6bb0f37f755d0dd14a0ff02d6a7743e4b22d03586fac64a
Instruction Fuzzy Hash: 27E0D875208345BFF6251B659C8BED77B5CDB48751F110439B301451A0EEA2CC506530

Function 00DC51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DC51E8
_wcscmp.LIBCMT ref: 00DC51FA

Strings

#32770, xrefs: 00DC51F4

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f6e09423933f502f78994b51e0a4ea1cc8a4fd02ef2350915579df5f4e45fc02
Instruction ID: 348ec48b8e85d172a0bbf65fee98e9e2af0994399ef82eff41c22f0300ec0fa5
Opcode Fuzzy Hash: f6e09423933f502f78994b51e0a4ea1cc8a4fd02ef2350915579df5f4e45fc02
Instruction Fuzzy Hash: 91E02B726003291BD320A695AC45FA7F7ACEB40721F00016AF914D3050E5709A4587F0

Function 00DB81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DB81CA

Part of subcall function 00D83598: _doexit.LIBCMT ref: 00D835A2

Strings

Error allocating memory., xrefs: 00DB81C3
AutoIt, xrefs: 00DB81BE

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 64661a0a4b4e3967afe2fb482019b05dd8fbdd5c77b779f35bfa87958fe5aa59
Instruction ID: 82b1e38c2053fe6f1a1170d9255900153e2597c599f3e5476b51e1e0444ef9c7
Opcode Fuzzy Hash: 64661a0a4b4e3967afe2fb482019b05dd8fbdd5c77b779f35bfa87958fe5aa59
Instruction Fuzzy Hash: C1D05B363C536877D21433A96C07FD6764C8B05F56F044015BB08955D3CDD155C243F9

Function 00D9B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D9B564: _memset.LIBCMT ref: 00D9B571

Part of subcall function 00D80B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D9B540,?,?,?,00D6100A), ref: 00D80B89

IsDebuggerPresent.KERNEL32(?,?,?,00D6100A), ref: 00D9B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D6100A), ref: 00D9B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D9B54E

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 5ca19cf0d087b70edfd26633f08b721e1028acacf907b50a226ac3a7ab400bed
Instruction ID: e7a205a63590a53de4418500af162b3de8a1902f5523128ca7c003d8d66eed6a
Opcode Fuzzy Hash: 5ca19cf0d087b70edfd26633f08b721e1028acacf907b50a226ac3a7ab400bed
Instruction Fuzzy Hash: 6CE06D70200350CFD761EF29E5083427BE0AB00764F06892DE546C63A0D7B4E449CB71

Function 00DB98BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DB98CB
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00DB98D9

Strings

@U=u, xrefs: 00DB98CB, 00DB98D9

Memory Dump Source

Source File: 00000000.00000002.1532425154.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1532356871.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000DEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1534793788.0000000000E15000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535227321.0000000000E1F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1535252048.0000000000E28000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_PI-236031.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ee70dd36b9fefd420410823b3a4b96a71dbacd4428ea60ab64d5d1376970c341
Instruction ID: 9fe93cc2a54711429d0671ea7c09189b8f8346a76abc46de26879c8377914fb7
Opcode Fuzzy Hash: ee70dd36b9fefd420410823b3a4b96a71dbacd4428ea60ab64d5d1376970c341
Instruction Fuzzy Hash: 96C002311412C0BBEA212B77AC4DD873E3DE7CAF52711056CB211D91B586650195D634

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PI-236031.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autE024.tmp

C:\Users\user\AppData\Local\Temp\autE083.tmp

C:\Users\user\AppData\Local\Temp\leucoryx

C:\Users\user\AppData\Local\Temp\seskin

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
PI-236031.exe

Function 00D63B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00D64AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00D64FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00DC93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00D63015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00D63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00D671EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00D63A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00D63778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00D63633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 02F72640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00D6F8CF Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Function 00D639E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 02F72410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145
fileCOMMON

Function 00D6410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre